
Conversation

oliverchang (Collaborator)

No description provided.

calebbrown and others added 24 commits February 1, 2024 13:13
Signed-off-by: Caleb Brown <[email protected]>

Signed-off-by: Caleb Brown <[email protected]>
Signed-off-by: Caleb Brown <[email protected]>
Rationale: reduce the amount of false negatives in commits belonging to
branches forked in-between `introduced` and `fixed`/`limit`.

Closes #216.

Signed-off-by: Stefano Zacchiroli <[email protected]>
Adds back the `as defined by the database` in the description of the
`range` object's `database_specific` field. This brings it into line
with the descriptions of the other two `database_specific` fields. I
suspect it was just a bad copy/paste operation as we were adding those
fields to other objects beyond the top level.

Signed-off-by: Chris Bloom <[email protected]>
Fixes #208.

---------

Signed-off-by: Oliver Chang <[email protected]>
Signed-off-by: Oliver Chang <[email protected]>
Signed-off-by: Oliver Chang <[email protected]>
Signed-off-by: Amanda L Martin <[email protected]>
OSV has support for `last_affected` for when we know which version was
the last to be vulnerable.

The GHSA converter previously skipped adding this range event because
`last_affected` didn't exist at the time.

This change implements `last_affected` support for GHSA.

Signed-off-by: Caleb Brown <[email protected]>
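As an added illustration of the `fixed` versus `last_affected` distinction this commit is about (example code written for this page, not part of the osv-schema project or its GHSA converter): a Go program that turns a GHSA-style version range into OSV events and then evaluates a version against them. The GHSA range syntax it parses (comma-separated clauses such as `>= 1.0.0, < 1.2.0`, `<= 2.5.1`, `= 1.4.0`) is an assumption about the GitHub advisory format, which the page does not show; the dotted numeric version ordering is a deliberate simplification. The event semantics follow the OSV schema: `introduced` and `last_affected` are inclusive, `fixed` is exclusive.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one entry of an OSV range's "events" array; exactly one field is set.
type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}

// value returns whichever field is set (the other two are empty strings).
func (e Event) value() string { return e.Introduced + e.Fixed + e.LastAffected }

// compareVersions orders dotted numeric versions ("1.2.3"); "0" sorts first.
// Simplified on purpose: real ECOSYSTEM/SEMVER ranges need the ecosystem's own rules.
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// IsAffected applies the schema's event semantics: "introduced" is inclusive,
// "fixed" is exclusive (first good version), "last_affected" is inclusive
// (last bad version), and a range with no closing event is open-ended.
func IsAffected(version string, events []Event) bool {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return compareVersions(sorted[i].value(), sorted[j].value()) < 0
	})
	affected := false
	for _, e := range sorted {
		switch {
		case e.Introduced != "" && compareVersions(version, e.Introduced) >= 0:
			affected = true
		case e.Fixed != "" && compareVersions(version, e.Fixed) >= 0:
			affected = false
		case e.LastAffected != "" && compareVersions(version, e.LastAffected) > 0:
			affected = false
		}
	}
	return affected
}

// EventsFromGHSARange converts an assumed GitHub "vulnerable_version_range"
// (comma-separated clauses like ">= 1.0.0, < 1.2.0", "<= 2.5.1", "= 1.4.0")
// into OSV events: "<" becomes "fixed", "<=" becomes "last_affected".
func EventsFromGHSARange(r string) ([]Event, error) {
	events, haveIntroduced := []Event{}, false
	for _, clause := range strings.Split(r, ",") {
		parts := strings.Fields(clause)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed clause %q", clause)
		}
		op, v := parts[0], parts[1]
		switch op {
		case ">=":
			events = append(events, Event{Introduced: v})
			haveIntroduced = true
		case "<":
			events = append(events, Event{Fixed: v})
		case "<=":
			events = append(events, Event{LastAffected: v})
		case "=":
			events = append(events, Event{Introduced: v}, Event{LastAffected: v})
			haveIntroduced = true
		default:
			return nil, fmt.Errorf("unsupported operator %q", op)
		}
	}
	if !haveIntroduced { // the schema requires every range to open with "introduced"
		events = append([]Event{{Introduced: "0"}}, events...)
	}
	return events, nil
}

func main() {
	ev, _ := EventsFromGHSARange("<= 2.5.1")
	fmt.Printf("%+v: 2.5.1 affected=%v, 2.5.2 affected=%v\n", ev, IsAffected("2.5.1", ev), IsAffected("2.5.2", ev))
}
```

The point to take from it: `<= 2.5.1` must become `last_affected: 2.5.1`, not `fixed: 2.5.1`, or a scanner will report 2.5.1 itself as clean.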
It does users a disservice to direct them to `check-jsonschema` in the
first instance.

`check-jsonschema` is incredibly slow (probably because of Python
interpreter startup time) when run in a loop on multiple files.

---------

Signed-off-by: Andrew Pollock <[email protected]>
Add more title attributes to the validation specifications to assist an
unfamiliar reader with the intention behind them.

Also reformatted for consistency.

No functional changes.

---------

Signed-off-by: Andrew Pollock <[email protected]>
…efinition (#246)

Fixes: #201

---------

Signed-off-by: Andrew Pollock <[email protected]>
Based on query raised in google/osv.dev#2135

---------

Signed-off-by: Andrew Pollock <[email protected]>
Coming out of
google/osv.dev#2374 (comment),
wanted to suggest some potential wording improvements to help the next
Linux distro that comes along better understand how the `aliases` field
should and should not be used.

I welcome any feedback, and I'm not sure I've captured the sentiment
perfectly.

One particular callout: this PR removes an existing sentence (below)
that we struggled to wrap our heads around. If there's something that
this was trying to convey that's lost in my PR, I'd love to better
understand it.

>Aliases may be used for vulnerabilities affecting different packages or
ecosystems as long as they follow this definition.

cc: @michaelkedar @andrewpollock @cpanato

---------

Signed-off-by: Dan Luhring <[email protected]>
Addresses undetected invalidity surfaced in

https://github.com/github/advisory-database/blob/adf108ed87cfbe666a56cd9cab986afc3854150e/advisories/github-reviewed/2023/11/GHSA-jjfh-589g-3hjx/GHSA-jjfh-589g-3hjx.json
and helps address google/osv.dev#2369

h/t @gregsdennis for assistance with the validation syntax

This uses the regexes from the [official schema definitions for
CVSS](https://www.first.org/cvss/data-representations), with some
additional slash-escaping that regex101.com seemed to feel was necessary
to make them valid.

```
$ git -C ~/gosst/osv/advisory-database/ checkout adf108ed87cfbe666a56cd9cab986afc3854150e
HEAD is now at adf108ed87c Publish GHSA-jjfh-589g-3hjx
$ ~/go/bin/jv ./validation/schema.json ~/gosst/osv/advisory-database/advisories/github-reviewed/2023/11/GHSA-jjfh-589g-3hjx/GHSA-jjfh-589g-3hjx.json 
schema ./validation/schema.json: ok

instance /usr/local/google/home/apollock/gosst/osv/advisory-database/advisories/github-reviewed/2023/11/GHSA-jjfh-589g-3hjx/GHSA-jjfh-589g-3hjx.json: failed
jsonschema validation failed with 'file:///usr/local/google/home/apollock/gosst/osv/osv-schema/validation/schema.json#'
- at '/severity/1': allOf failed
  - at '/severity/1/score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L' does not match pattern '^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/'
$ git -C ~/gosst/osv/advisory-database/ checkout main
Previous HEAD position was adf108ed87c Publish GHSA-jjfh-589g-3hjx
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
$ ~/go/bin/jv ./validation/schema.json ~/gosst/osv/advisory-database/advisories/github-reviewed/2023/11/GHSA-jjfh-589g-3hjx/GHSA-jjfh-589g-3hjx.json 
schema ./validation/schema.json: ok

instance /usr/local/google/home/apollock/gosst/osv/advisory-database/advisories/github-reviewed/2023/11/GHSA-jjfh-589g-3hjx/GHSA-jjfh-589g-3hjx.json: ok
```

---------

Signed-off-by: Andrew Pollock <[email protected]>
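An added example, not code from this repository, of the type-versus-score consistency check that the schema change above enforces through regexes: in Go, validate each `severity` entry's `score` against the CVSS vector pattern for its declared `type`, and report failures by the same `/severity/N` index a JSON Schema validator would. The two regexes are reproduced from memory of the FIRST CVSS JSON schemas (the v3 one widened to accept both 3.0 and 3.1) and should be checked against https://www.first.org/cvss/data-representations before reuse; the sample record is constructed and mirrors the mismatch in the `jv` output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Severity is one entry of an OSV record's "severity" array.
type Severity struct {
	Type  string `json:"type"`
	Score string `json:"score"`
}

// Vector-string patterns per declared severity type, after the regexes in
// the FIRST CVSS JSON schemas. The v3 pattern is widened to 3.0 and 3.1.
// Reproduced from memory: verify against the published schemas before use.
var cvssPatterns = map[string]*regexp.Regexp{
	"CVSS_V3": regexp.MustCompile(`^CVSS:3[.][01]/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$`),
	"CVSS_V4": regexp.MustCompile(`^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$`),
}

// CheckSeverity returns nil when the score is a well-formed vector for the
// declared type. Types this example has no pattern for (e.g. "Ubuntu") are
// not checked.
func CheckSeverity(s Severity) error {
	re, ok := cvssPatterns[s.Type]
	if !ok {
		return nil
	}
	if !re.MatchString(s.Score) {
		return fmt.Errorf("score %q is not a valid %s vector", s.Score, s.Type)
	}
	return nil
}

// CheckRecord parses the "severity" array of an OSV record and returns the
// malformed entries keyed by index, matching the '/severity/N' pointer a
// JSON Schema validator reports.
func CheckRecord(raw []byte) (map[int]error, error) {
	var rec struct {
		Severity []Severity `json:"severity"`
	}
	if err := json.Unmarshal(raw, &rec); err != nil {
		return nil, err
	}
	bad := map[int]error{}
	for i, s := range rec.Severity {
		if err := CheckSeverity(s); err != nil {
			bad[i] = err
		}
	}
	return bad, nil
}

// Constructed sample: entry 0 is consistent; entry 1 declares CVSS_V4 but
// carries a 3.1 vector, the kind of mismatch the schema change above catches.
const sampleSeverityRecord = `{
  "id": "EXAMPLE-0001",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},
    {"type": "CVSS_V4", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}
  ]
}`

func main() {
	bad, err := CheckRecord([]byte(sampleSeverityRecord))
	if err != nil {
		panic(err)
	}
	for i, e := range bad {
		fmt.Printf("/severity/%d: %v\n", i, e)
	}
}
```

Note that the regexes only check shape; a vector can match and still be wrong for the advisory. A consumer that scores or prioritises from `severity` should still branch on `type` before parsing, since a 3.1 vector fed to a 4.0 calculator fails silently or worse.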
This PR resolves #224 
The mission specifically needs review.

---------

Signed-off-by: Amanda L Martin <[email protected]>
Per discussion offline, this updates Android vulnerability ID prefixes
to correspond with reality. This may need to be revisited in the future
(e.g. `ASB-A` -> `A-ASB`) but that would be a separate effort.

Signed-off-by: Duy Truong <[email protected]>
Co-authored-by: Duy Truong <[email protected]>
This will address the deficiency surfaced in #163

---------

Signed-off-by: Andrew Pollock <[email protected]>
Add the `Red Hat` ecosystem, see
google/osv.dev#1404

---------

Signed-off-by: Jason Shepherd <[email protected]>
Signed-off-by: Andrew Pollock <[email protected]>
Co-authored-by: Andrew Pollock <[email protected]>
This is reasonably functional at this point, with multiple checks of two
different aspects:

Ranges:
- `introduced` exists
- don't overlap

Packages:
- plumbing for ecosystem-specific behaviour
- package existence
  - PyPI
  - Go
- package version existence
  - PyPI
  - Go (with some caveats around pseudoversions)
- Basic Purl validity

```
$ go run ./cmd/osv record lint test_data/
Running "osv.dev" check collection on &["test_data/"]
2024/08/07 23:26:14 Found 9 files in "test_data/"
Running "introduced-event-exists" check on "test_data/CVE-2018-5407.json"
Running "range-is-distinct" check on "test_data/CVE-2018-5407.json"
Running "package-exists" check on "test_data/CVE-2018-5407.json"
2024/08/07 23:26:14 "test_data/CVE-2018-5407.json": "package-exists": []checks.CheckError{checks.CheckError{Code:"P0001", Message:": package \"openssl\" not found"}}
Running "package-versions-exist" check on "test_data/CVE-2018-5407.json"
2024/08/07 23:26:14 "test_data/CVE-2018-5407.json": "package-versions-exist": []checks.CheckError{checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}}
Running "package-purl-valid" check on "test_data/CVE-2018-5407.json"
Running "introduced-event-exists" check on "test_data/CVE-2023-41045.json"
Running "range-is-distinct" check on "test_data/CVE-2023-41045.json"
Running "package-exists" check on "test_data/CVE-2023-41045.json"
Running "package-versions-exist" check on "test_data/CVE-2023-41045.json"
Running "package-purl-valid" check on "test_data/CVE-2023-41045.json"
Running "introduced-event-exists" check on "test_data/GHSA-9v2f-6vcg-3hgv.json"
Running "range-is-distinct" check on "test_data/GHSA-9v2f-6vcg-3hgv.json"
Running "package-exists" check on "test_data/GHSA-9v2f-6vcg-3hgv.json"
Running "package-versions-exist" check on "test_data/GHSA-9v2f-6vcg-3hgv.json"
Running "package-purl-valid" check on "test_data/GHSA-9v2f-6vcg-3hgv.json"
Running "introduced-event-exists" check on "test_data/GO-2020-0001.json"
Running "range-is-distinct" check on "test_data/GO-2020-0001.json"
Running "package-exists" check on "test_data/GO-2020-0001.json"
Running "package-versions-exist" check on "test_data/GO-2020-0001.json"
2024/08/07 23:26:16 "test_data/GO-2020-0001.json": "package-versions-exist": []checks.CheckError{checks.CheckError{Code:"P0002", Message:": Failed to find some versions of github.com/gin-gonic/gin: &errors.errorString{s:\"failed to find [1.6] for \\\"github.com/gin-gonic/gin\\\" in [v1.9.0 v1.3.0 v1.7.0 v1.8.0 v1.6.0 v1.8.2 v1.1.1 v1.5.0 v1.7.2 v1.7.1 v1.1.3 v1.1.2 v1.9.1 v1.6.3 v1.10.0 v1.7.3 v1.7.5 v1.4.0 v1.1.4 v1.6.1 v1.7.7 v1.8.1 v1.6.2 v1.7.4 v1.7.6 ]\"}"}}
Running "package-purl-valid" check on "test_data/GO-2020-0001.json"
Running "introduced-event-exists" check on "test_data/GO-2024-2963.json"
Running "range-is-distinct" check on "test_data/GO-2024-2963.json"
Running "package-exists" check on "test_data/GO-2024-2963.json"
Running "package-versions-exist" check on "test_data/GO-2024-2963.json"
Running "package-purl-valid" check on "test_data/GO-2024-2963.json"
Running "introduced-event-exists" check on "test_data/PYSEC-2023-74.json"
Running "range-is-distinct" check on "test_data/PYSEC-2023-74.json"
Running "package-exists" check on "test_data/PYSEC-2023-74.json"
Running "package-versions-exist" check on "test_data/PYSEC-2023-74.json"
Running "package-purl-valid" check on "test_data/PYSEC-2023-74.json"
Running "introduced-event-exists" check on "test_data/nointroduced-CVE-2023-41045.json"
2024/08/07 23:26:18 "test_data/nointroduced-CVE-2023-41045.json": "introduced-event-exists": []checks.CheckError{checks.CheckError{Code:"R0001", Message:": missing 'introduced' object in event"}}
Running "range-is-distinct" check on "test_data/nointroduced-CVE-2023-41045.json"
Running "package-exists" check on "test_data/nointroduced-CVE-2023-41045.json"
Running "package-versions-exist" check on "test_data/nointroduced-CVE-2023-41045.json"
Running "package-purl-valid" check on "test_data/nointroduced-CVE-2023-41045.json"
Running "introduced-event-exists" check on "test_data/nondistinct-CVE-2018-5407.json"
Running "range-is-distinct" check on "test_data/nondistinct-CVE-2018-5407.json"
2024/08/07 23:26:18 "test_data/nondistinct-CVE-2018-5407.json": "range-is-distinct": []checks.CheckError{checks.CheckError{Code:"R0002", Message:": overlapping event: \"e818b74be2170fbe957a07b0da4401c2b694b3b8\""}}
Running "package-exists" check on "test_data/nondistinct-CVE-2018-5407.json"
2024/08/07 23:26:18 "test_data/nondistinct-CVE-2018-5407.json": "package-exists": []checks.CheckError{checks.CheckError{Code:"P0001", Message:": package \"openssl\" not found"}}
Running "package-versions-exist" check on "test_data/nondistinct-CVE-2018-5407.json"
2024/08/07 23:26:18 "test_data/nondistinct-CVE-2018-5407.json": "package-versions-exist": []checks.CheckError{checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}, checks.CheckError{Code:"P0002", Message:": Failed to find some versions of openssl: &errors.errorString{s:\"unsupported ecosystem: Alpine\"}"}}
Running "package-purl-valid" check on "test_data/nondistinct-CVE-2018-5407.json"
Running "introduced-event-exists" check on "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json"
Running "range-is-distinct" check on "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json"
Running "package-exists" check on "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json"
2024/08/07 23:26:19 "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json": "package-exists": []checks.CheckError{checks.CheckError{Code:"P0001", Message:": package \"Gradi0\" not found"}}
Running "package-versions-exist" check on "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json"
2024/08/07 23:26:19 "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json": "package-versions-exist": []checks.CheckError{checks.CheckError{Code:"P0002", Message:": Failed to find some versions of Gradi0: &errors.errorString{s:\"unable to validate package: fail: \\\"https://pypi.org/pypi/Gradi0/json\\\": bad response: 404\"}"}}
Running "package-purl-valid" check on "test_data/nopackage-GHSA-9v2f-6vcg-3hgv.json"
2024/08/07 23:26:19 found errors
exit status 1
```

Part of google/osv.dev#2187

---------

Signed-off-by: Andrew Pollock <[email protected]>
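For readers who want to see how the two range checks in the lint output above can be expressed offline, here is an added Go example; it is not the `osv record lint` code itself. It implements `introduced-event-exists` (R0001) and `range-is-distinct` (R0002) over a constructed record. Reading "overlapping event" as the same version or commit appearing in two ranges of the same type within one affected entry is this example's own interpretation of the output, the commit ids and the `example.invalid` repo URL are placeholders, and the network-dependent package checks are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CheckError mirrors the code/message pairs in the lint output above.
type CheckError struct {
	Code, Message string
}

type osvRange struct {
	Type   string              `json:"type"`
	Events []map[string]string `json:"events"` // each event has exactly one key
}

type osvRecord struct {
	Affected []struct {
		Ranges []osvRange `json:"ranges"`
	} `json:"affected"`
}

// introducedEventExists: the schema requires every range to contain at
// least one "introduced" event.
func introducedEventExists(r osvRecord) []CheckError {
	var errs []CheckError
	for i, a := range r.Affected {
		for j, rg := range a.Ranges {
			found := false
			for _, e := range rg.Events {
				if _, found = e["introduced"]; found {
					break
				}
			}
			if !found {
				errs = append(errs, CheckError{"R0001",
					fmt.Sprintf("affected[%d].ranges[%d]: missing 'introduced' object in event", i, j)})
			}
		}
	}
	return errs
}

// rangeIsDistinct: within one affected entry, a version or commit must not
// be an event of more than one range of the same type. Reading the
// "overlapping event" finding this way is this example's assumption.
func rangeIsDistinct(r osvRecord) []CheckError {
	var errs []CheckError
	for i, a := range r.Affected {
		seen := map[string]int{} // "<type>/<value>" -> range index that first used it
		for j, rg := range a.Ranges {
			for _, e := range rg.Events {
				for _, v := range e {
					key := rg.Type + "/" + v
					if first, dup := seen[key]; dup && first != j {
						errs = append(errs, CheckError{"R0002",
							fmt.Sprintf("affected[%d].ranges[%d]: overlapping event: %q", i, j, v)})
					} else if !dup {
						seen[key] = j
					}
				}
			}
		}
	}
	return errs
}

// Lint parses a record and runs the offline checks; package existence and
// version existence need network access and are out of scope here.
func Lint(raw []byte) ([]CheckError, error) {
	var r osvRecord
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	return append(introducedEventExists(r), rangeIsDistinct(r)...), nil
}

// Constructed sample: ranges[1] lacks "introduced" and ranges[3] reuses the
// commit ranges[2] already introduces. Commit ids and repo are placeholders.
const sampleLintRecord = `{
  "id": "EXAMPLE-0002",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "example"},
    "ranges": [
      {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]},
      {"type": "ECOSYSTEM", "events": [{"fixed": "2.0.1"}]},
      {"type": "GIT", "repo": "https://example.invalid/r.git", "events": [{"introduced": "aaaa0001"}, {"fixed": "bbbb0002"}]},
      {"type": "GIT", "repo": "https://example.invalid/r.git", "events": [{"introduced": "aaaa0001"}, {"fixed": "cccc0003"}]}
    ]
  }]
}`

func main() {
	errs, err := Lint([]byte(sampleLintRecord))
	fmt.Printf("%d finding(s): %+v (err=%v)\n", len(errs), errs, err)
}
```

Running it reports one R0001 for `ranges[1]` and one R0002 naming `aaaa0001`. Keying the duplicate check on range type as well as value matters: a GIT commit and an ECOSYSTEM version can never legitimately collide, and mixing them would produce false positives on records that carry both kinds of range.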
Fix incorrect version number (it was one patch version too high), and
update the date.

Signed-off-by: Oliver Chang <[email protected]>
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
