Skip to content

feat(vulnfeeds): Enable git resolution for affected versions field CVEList #3951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 58 commits into from
Oct 1, 2025
Merged

feat(vulnfeeds): Enable git resolution for affected versions field CVEList #3951

merged 58 commits into from
Oct 1, 2025

Conversation

jess-lowe
Copy link
Contributor

This PR:

  • Fixes the metrics notes file concurrency issue
  • Enables git resolution for version ranges extracted
  • Stores versions converted in the range database_specific and stores failed version conversions in the affected database_specific
  • Enables conversion for GitHub_M scoped CVEs

jess-lowe added 30 commits August 28, 2025 04:47
@jess-lowe
Fix missing delete
1a466f1
@jess-lowe
Remove Linux special treatment
f5b40e4
@jess-lowe
Improve inverse version extraction
bad798b
@jess-lowe
Fix double commit hash sections
b62ceb3
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-conv-cro…
86ace30 
…n-prep
@jess-lowe
Remove database_specific map from initial vuln instance
b4f5b57
@jess-lowe
fix version_extraction test
c352ac1
@jess-lowe
rename and repackage cvelist converstion
f17b8c5
@jess-lowe
repackage
0638dff
@jess-lowe
cvelist mass converter script
f7b0de3
@jess-lowe
Remove outcomes logic for now (not very concurrency-friendly)
0fc040d
@jess-lowe
Converter script
227ba92
@jess-lowe
rename files back
e2f5b64
@jess-lowe
dockerfile and cron job
c56e9d5
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-conv-cro…
7df4e7c 
…n-prep
@jess-lowe
flatten if statements
cf40025
@jess-lowe
Revert "dockerfile and cron job"
394d039 
This reverts commit c56e9d5.
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-conv-cro…
34e3505 
…n-prep
@jess-lowe
update logger
013c5c8
@jess-lowe
fix lint through refactoring everything :(
34878fb
@jess-lowe
Added flags and removed double parsing
af05357
@jess-lowe
rename sortBadSemver
9b2ce86
@jess-lowe
refactored parts for clarity
68f8d55
@jess-lowe
deal with if number of parts are not 2 or 3
28e0691
@jess-lowe
rename sortBadSemver in tests
e69b7fb
@jess-lowe
Refactor VersionToCommit to ONLY return a commit, not the AffectedCom…
0114a27 
…mit stuff.
@jess-lowe
update test snapshots
5fa7c47
@jess-lowe
FIX LINT
fbdd60f
@jess-lowe
MUCH PRETTIER CODE
56c6db5
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-git-reso…
40b1d9f 
…lve-1
@jess-lowe jess-lowe changed the title feat(vulnfeeds): Enable git resolution for versions feat(vulnfeeds): Enable git resolution for affected versions field CVEList Sep 15, 2025
maennchen
maennchen reviewed Sep 15, 2025
View reviewed changes
vulnfeeds/cmd/cve-bulk-converter/main.go
years = flag.String("years", "2022,2023,2024,2025", "A comma-separated list of years to process.")
workers = flag.Int("workers", 30, "The number of concurrent workers to use for processing CVEs.")
cnas = flag.String("cnas", "Linux", "A comma-separated list of CNAs to process.")
cnas = flag.String("cnas", "Linux,GitHub_M", "A comma-separated list of CNAs to process.")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The EEF CNA is reporting GIT Versions. Can we be added to this list? Example CVE: https://cna.erlef.org/cves/cve-2025-48042.html

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @maennchen, thanks for your enthusiasm with the CVE5 conversion! I tried running the converter with EEF scoped vulns and unfortunately in its current state it's not able to convert EEF vulns effectively, as the data layout differs from the more common expressions I've seen across Linux/GitHub_M/MITRE vulns. Looking a little more into it, it looks like the vulns are generated using Vulnogram, in which case, I'll consider adding an extension to handle Vulnogram generated vulns in a future PR :).

For a more timely ingestion of EEF vulns into OSV, we would highly appreciate Erlang publishing natively in the OSV format for us to ingest (also removes the layer of abstraction from going through the CVE Program to publish changes, and waiting for us to ingest those vulns).

This was referenced Sep 29, 2025
Merged
Merged
jess-lowe added a commit that referenced this pull request Sep 29, 2025
@jess-lowe
fix(vulnfeeds): metrics being global causing concurrency issues (#4051)
03ee599 
Breaking #3951 into smaller PRs.

Metrics being global caused some concurrency issues in the output of the
metrics file.
jess-lowe added a commit that referenced this pull request Sep 29, 2025
@jess-lowe
refactor(vulnfeeds): git commit resolution code for better reusability (
f5fbf57 
#4052)

Part of splitting logic from #3951
another-rex
another-rex reviewed Oct 1, 2025
View reviewed changes
another-rex
another-rex reviewed Oct 1, 2025
View reviewed changes
@jess-lowe jess-lowe requested a review from another-rex October 1, 2025 05:13
@jess-lowe jess-lowe merged commit 81155be into google:master Oct 1, 2025
16 checks passed
@jess-lowe jess-lowe deleted the feat/cve-git-resolve-1 branch October 1, 2025 05:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@another-rex another-rex another-rex approved these changes

@michaelkedar michaelkedar Awaiting requested review from michaelkedar

+1 more reviewer

@maennchen maennchen maennchen left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jess-lowe @maennchen @another-rex