Add affected_version_range for unfixed Alpine packages

NucleiAv · NucleiAv · commit 2f1586858843 · 2026-03-31T12:40:37.000-04:00
Signed-off-by: Anmol Vats &lt;anmolvats2003@gmail.com&gt;
diff --git a/vulnerabilities/pipelines/v2_importers/alpine_security_importer.py b/vulnerabilities/pipelines/v2_importers/alpine_security_importer.py
@@ -13,7 +13,9 @@
 
 import requests
 from packageurl import PackageURL
+from univers.version_constraint import VersionConstraint
 from univers.version_range import AlpineLinuxVersionRange
+from univers.versions import AlpineLinuxVersion
 from univers.versions import InvalidVersion
 
 from vulnerabilities.importer import AdvisoryDataV2
@@ -140,12 +142,16 @@ def parse_advisory(data: dict):
             )
         )
 
+    states = data.get("state") or []
+    fixed_repos = {state.get("repo") or "" for state in states if state.get("fixed")}
+
     affected_packages = []
-    for state in data.get("state") or []:
-        if not state.get("fixed"):
+    for state in states:
+        is_fixed = state.get("fixed")
+        repo = state.get("repo") or ""
+        if not is_fixed and repo in fixed_repos:
             continue
         pkg_version_url = state.get("packageVersion") or ""
-        repo = state.get("repo") or ""
         parts = pkg_version_url.rstrip("/").split("/")
         if len(parts) < 2:
             continue
@@ -164,17 +170,34 @@ def parse_advisory(data: dict):
             name=pkg_name,
             qualifiers={"distroversion": distroversion, "reponame": reponame},
         )
-        try:
-            fixed_version_range = AlpineLinuxVersionRange.from_versions([version])
-        except InvalidVersion:
-            logger.warning("Cannot parse Alpine version %r in %s", version, cve_id)
-            continue
-        affected_packages.append(
-            AffectedPackageV2(
-                package=purl,
-                fixed_version_range=fixed_version_range,
+        if is_fixed:
+            try:
+                fixed_version_range = AlpineLinuxVersionRange.from_versions([version])
+            except InvalidVersion:
+                logger.warning("Cannot parse Alpine version %r in %s", version, cve_id)
+                continue
+            affected_packages.append(
+                AffectedPackageV2(
+                    package=purl,
+                    fixed_version_range=fixed_version_range,
+                )
+            )
+        else:
+            try:
+                constraint = VersionConstraint(
+                    comparator="<=",
+                    version=AlpineLinuxVersion(version),
+                )
+                affected_version_range = AlpineLinuxVersionRange(constraints=(constraint,))
+            except InvalidVersion:
+                logger.warning("Cannot parse Alpine version %r in %s", version, cve_id)
+                continue
+            affected_packages.append(
+                AffectedPackageV2(
+                    package=purl,
+                    affected_version_range=affected_version_range,
+                )
             )
-        )
 
     return AdvisoryDataV2(
         advisory_id=cve_id,
diff --git a/vulnerabilities/tests/test_alpine_security_importer.py b/vulnerabilities/tests/test_alpine_security_importer.py
@@ -72,8 +72,8 @@ def test_parse_advisory_skips_malformed_package_url(self):
         self.assertIsNotNone(result)
         self.assertEqual(result.affected_packages, [])
 
-    def test_parse_advisory_skips_unfixed_states(self):
-        """State entries with fixed=False must not produce affected_packages."""
+    def test_parse_advisory_unfixed_state_produces_affected_version_range(self):
+        """Unfixed state with no fix in the same repo produces an affected_version_range."""
         data = {
             "id": "https://security.alpinelinux.org/vuln/CVE-2099-00002",
             "description": "test",
@@ -89,7 +89,38 @@ def test_parse_advisory_skips_unfixed_states(self):
         }
         result = parse_advisory(data)
         self.assertIsNotNone(result)
-        self.assertEqual(result.affected_packages, [])
+        self.assertEqual(len(result.affected_packages), 1)
+        pkg = result.affected_packages[0]
+        self.assertIsNotNone(pkg.affected_version_range)
+        self.assertIsNone(pkg.fixed_version_range)
+        self.assertIn("<=8.0.0-r0", str(pkg.affected_version_range))
+
+    def test_parse_advisory_skips_unfixed_state_when_fixed_exists_in_same_repo(self):
+        """fixed=False states are skipped when a fixed=True state exists in the same repo."""
+        data = {
+            "id": "https://security.alpinelinux.org/vuln/CVE-2099-00003",
+            "description": "test",
+            "cvss3": {"score": 0.0, "vector": None},
+            "ref": [],
+            "state": [
+                {
+                    "fixed": True,
+                    "packageVersion": "https://security.alpinelinux.org/srcpkg/curl/8.1.0-r0",
+                    "repo": "edge-main",
+                },
+                {
+                    "fixed": False,
+                    "packageVersion": "https://security.alpinelinux.org/srcpkg/curl/8.0.0-r0",
+                    "repo": "edge-main",
+                },
+            ],
+        }
+        result = parse_advisory(data)
+        self.assertIsNotNone(result)
+        self.assertEqual(len(result.affected_packages), 1)
+        pkg = result.affected_packages[0]
+        self.assertIsNone(pkg.affected_version_range)
+        self.assertIsNotNone(pkg.fixed_version_range)
 
 
 class TestAlpineSecurityImporterPipeline(TestCase):
diff --git a/vulnerabilities/tests/test_data/alpine_security/expected_alpine_security_output1.json b/vulnerabilities/tests/test_data/alpine_security/expected_alpine_security_output1.json
@@ -2,7 +2,92 @@
   "advisory_id": "CVE-2025-46836",
   "aliases": [],
   "summary": "net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20.",
-  "affected_packages": [],
+  "affected_packages": [
+    {
+      "package": {
+        "type": "apk",
+        "namespace": "alpine",
+        "name": "net-tools",
+        "version": "",
+        "qualifiers": "distroversion=edge&reponame=main",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:alpine/<=2.10-r3",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "apk",
+        "namespace": "alpine",
+        "name": "net-tools",
+        "version": "",
+        "qualifiers": "distroversion=v3.23&reponame=main",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:alpine/<=2.10-r3",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "apk",
+        "namespace": "alpine",
+        "name": "net-tools",
+        "version": "",
+        "qualifiers": "distroversion=v3.22&reponame=main",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:alpine/<=2.10-r3",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "apk",
+        "namespace": "alpine",
+        "name": "net-tools",
+        "version": "",
+        "qualifiers": "distroversion=v3.21&reponame=main",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:alpine/<=2.10-r3",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "apk",
+        "namespace": "alpine",
+        "name": "net-tools",
+        "version": "",
+        "qualifiers": "distroversion=v3.20&reponame=main",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:alpine/<=2.10-r3",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "apk",
+        "namespace": "alpine",
+        "name": "net-tools",
+        "version": "",
+        "qualifiers": "distroversion=v3.19&reponame=main",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:alpine/<=2.10-r3",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    }
+  ],
   "references": [
     {
       "reference_id": "",
