Fix OSV version matching for npm vulnerabilities with 'introduced: 0'

Fixes #5716

The OSV integration was filtering out version range values of "0",
assuming that versionStartIncluding=null is semantically equivalent
to >=0. However, this causes version matching to fail for OSV
vulnerabilities that use {"introduced": "0"} without an upper bound.

When all version range fields are null, the vers library creates a
WILDCARD constraint, which should match everything. However, in
practice this was preventing npm malicious packages like MAL-2022-1471
(bats-file) from being matched to affected components.

The fix stores "0" as-is in versionStartIncluding, allowing the vers
library to correctly evaluate >=0 ranges using SEMVER comparison.

Test case added for MAL-2022-1471 to verify parsing of npm malicious
packages with "introduced": "0" range notation.

Signed-off-by: Aharon Haravon <aharon.haravon@khealth.com>

Author: Aharon Haravon

src/main/java/org/dependencytrack/tasks/OsvDownloadTask.java

@@ -797,12 +797,11 @@ public VulnerableSoftware mapAffectedPackageToVulnerableSoftware(final QueryMana
             return null;
         }
 
-        // Other sources do not populate the versionStartIncluding with 0.
-        // Semantically, versionStartIncluding=null is equivalent to >=0.
-        // Omit zero values here for consistency's sake.
-        final String versionStartIncluding = Optional.ofNullable(affectedPackage.getLowerVersionRange())
-                .filter(version -> !"0".equals(version))
-                .orElse(null);
+        // Store version ranges as-is from OSV, including "0" values.
+        // While other sources may not populate versionStartIncluding with 0,
+        // OSV explicitly uses "introduced": "0" to indicate all versions are affected.
+        // The vers library can handle "0" as a valid lower bound for SEMVER ranges.
+        final String versionStartIncluding = affectedPackage.getLowerVersionRange();
         final String versionEndExcluding = affectedPackage.getUpperVersionRangeExcluding();
         final String versionEndIncluding = affectedPackage.getUpperVersionRangeIncluding();
 

src/test/java/org/dependencytrack/parser/osv/OsvAdvisoryParserTest.java

@@ -167,4 +167,23 @@ void testIssue5105() throws Exception {
         OsvAdvisory advisory = parser.parse(jsonObject);
         Assertions.assertNotNull(advisory);
     }
+
+    @Test
+        // https://github.com/DependencyTrack/dependency-track/issues/5716
+    void testIssue5716NpmMaliciousPackageWithIntroducedZero() throws Exception {
+        String jsonFile = "src/test/resources/unit/osv.jsons/osv-MAL-2022-1471.json";
+        String jsonString = new String(Files.readAllBytes(Paths.get(jsonFile)));
+        JSONObject jsonObject = new JSONObject(jsonString);
+        OsvAdvisory advisory = parser.parse(jsonObject);
+        Assertions.assertNotNull(advisory);
+        Assertions.assertEquals("MAL-2022-1471", advisory.getId());
+        Assertions.assertEquals(1, advisory.getAffectedPackages().size());
+
+        OsvAffectedPackage affectedPackage = advisory.getAffectedPackages().get(0);
+        Assertions.assertEquals("pkg:npm/bats-file", affectedPackage.getPurl());
+        Assertions.assertEquals("0", affectedPackage.getLowerVersionRange());
+        Assertions.assertNull(affectedPackage.getUpperVersionRangeExcluding());
+        Assertions.assertNull(affectedPackage.getUpperVersionRangeIncluding());
+        Assertions.assertEquals("npm", affectedPackage.getPackageEcosystem());
+    }
 }

src/test/resources/unit/osv.jsons/osv-MAL-2022-1471.json

@@ -0,0 +1 @@
+{"id":"MAL-2022-1471","summary":"Malicious code in bats-file (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (cfca84a87fa56f411667056ac2253f8ec037bf25285d30acd34fc673d29dccf9)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-wvrr-2x4r-394v"],"modified":"2023-11-08T04:24:01.503149Z","published":"2022-06-20T20:18:20Z","database_specific":{"malicious-packages-origins":[{"import_time":"2023-07-30T21:58:30.652463079Z","source":"ghsa-malware","modified_time":"2022-06-20T20:18:25Z","sha256":"cfca84a87fa56f411667056ac2253f8ec037bf25285d30acd34fc673d29dccf9","id":"GHSA-wvrr-2x4r-394v","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-wvrr-2x4r-394v"}],"affected":[{"package":{"name":"bats-file","ecosystem":"npm","purl":"pkg:npm/bats-file"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bats-file/MAL-2022-1471.json"}}],"schema_version":"1.7.3"}