fix: skip withdrawn OSV advisories in parse_advisory_data_v3

Withdrawn advisories were being imported by the v2 pipeline because parse_advisory_data_v3 in pipes/osv_v2.py had no withdrawn check. This caused packages like pkg:pypi/py@1.11.0 to appear as affected even though the advisory (e.g. GHSA-w596-4wvx-j9j6) was withdrawn.

Add a withdrawn check at the top of parse_advisory_data_v3, consistent with the existing check in parse_advisory_data (v1). This fix covers all 5 pipelines that use parse_advisory_data_v3: github_osv_importer, oss_fuzz, pypa_importer, pysec_importer, ubuntu_osv_importer.

Add tests for both withdrawn and non-withdrawn cases in test_osv_v2.py.

Fixes #2238

Signed-off-by: shivamshrma09 <shivamsharma27107@gmail.com>

Author: shivamshrma09

vulnerabilities/importers/github_osv.py

@@ -50,7 +50,9 @@ def advisory_data(self) -> Iterable[AdvisoryData]:
                 )
                 with open(file) as f:
                     raw_data = json.load(f)
-                yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url)
+                advisory = parse_advisory_data(raw_data, supported_ecosystems, advisory_url)
+                if advisory:
+                    yield advisory
         finally:
             if self.vcs_response:
                 self.vcs_response.delete()

vulnerabilities/importers/osv.py

@@ -54,7 +54,11 @@ def parse_advisory_data(
     """
     Return an AdvisoryData build from a ``raw_data`` mapping of OSV advisory and
     a ``supported_ecosystem`` string.
+    Return None if the advisory has been withdrawn.
     """
+    if raw_data.get("withdrawn"):
+        logger.info(f"Skipping withdrawn advisory: {raw_data.get('id')!r}")
+        return None
     raw_id = raw_data.get("id") or ""
     summary = raw_data.get("summary") or ""
     details = raw_data.get("details") or ""

vulnerabilities/pipes/osv_v2.py

@@ -65,6 +65,9 @@ def parse_advisory_data_v3(
     Return an AdvisoryData build from a ``raw_data`` mapping of OSV advisory and
     a ``supported_ecosystem`` string.
     """
+    if raw_data.get("withdrawn"):
+        logger.info(f"Skipping withdrawn advisory: {raw_data.get('id')!r}")
+        return None
     advisory_id = raw_data.get("id") or ""
     if not advisory_id:
         logger.error(f"Missing advisory id in OSV data: {raw_data}")

vulnerabilities/tests/pipes/test_osv_v2.py

@@ -23,6 +23,51 @@
 from vulnerabilities.pipes.osv_v2 import parse_advisory_data_v3
 from vulnerabilities.tests import util_tests
 
+
+def test_parse_advisory_data_v3_withdrawn_returns_none():
+    raw_data = {
+        "id": "GHSA-w596-4wvx-j9j6",
+        "published": "2022-10-16T12:00:23Z",
+        "withdrawn": "2025-08-01T20:34:11Z",
+        "aliases": ["CVE-2022-42969"],
+        "summary": "Withdrawn Advisory: ReDoS in py library",
+        "affected": [
+            {
+                "package": {"ecosystem": "PyPI", "name": "py"},
+                "ranges": [
+                    {
+                        "type": "ECOSYSTEM",
+                        "events": [{"introduced": "0"}, {"last_affected": "1.11.0"}],
+                    }
+                ],
+            }
+        ],
+    }
+    result = parse_advisory_data_v3(
+        raw_data,
+        supported_ecosystems=["pypi"],
+        advisory_url="https://github.com/github/advisory-database/blob/main/advisories/GHSA-w596-4wvx-j9j6.json",
+        advisory_text="",
+    )
+    assert result is None
+
+
+def test_parse_advisory_data_v3_not_withdrawn_returns_advisory():
+    raw_data = {
+        "id": "GHSA-j3f7-7rmc-6wqj",
+        "published": "2022-01-10T14:12:00Z",
+        "aliases": ["CVE-2022-0001"],
+        "summary": "Some valid advisory",
+        "affected": [],
+    }
+    result = parse_advisory_data_v3(
+        raw_data,
+        supported_ecosystems=["pypi"],
+        advisory_url="https://github.com/github/advisory-database/blob/main/advisories/GHSA-j3f7-7rmc-6wqj.json",
+        advisory_text="",
+    )
+    assert result is not None
+
 TEST_DATA = Path(__file__).parent.parent / "test_data" / "osv_test"
 
 

vulnerabilities/tests/test_osv.py

@@ -24,6 +24,7 @@
 from vulnerabilities.importers.osv import get_published_date
 from vulnerabilities.importers.osv import get_references
 from vulnerabilities.importers.osv import get_severities
+from vulnerabilities.importers.osv import parse_advisory_data
 from vulnerabilities.severity_systems import SCORING_SYSTEMS
 
 
@@ -397,3 +398,44 @@ def test_get_fixed_versions4(self):
         )
 
         assert results == [SemverVersion("6.5.4")]
+
+    def test_parse_advisory_data_withdrawn_returns_none(self):
+        raw_data = {
+            "id": "GHSA-w596-4wvx-j9j6",
+            "published": "2022-10-16T12:00:23Z",
+            "withdrawn": "2025-08-01T20:34:11Z",
+            "aliases": ["CVE-2022-42969"],
+            "summary": "Withdrawn Advisory: ReDoS in py library",
+            "affected": [
+                {
+                    "package": {"ecosystem": "PyPI", "name": "py"},
+                    "ranges": [
+                        {
+                            "type": "ECOSYSTEM",
+                            "events": [{"introduced": "0"}, {"last_affected": "1.11.0"}],
+                        }
+                    ],
+                }
+            ],
+        }
+        result = parse_advisory_data(
+            raw_data,
+            supported_ecosystems=["pypi"],
+            advisory_url="https://github.com/github/advisory-database/blob/main/advisories/GHSA-w596-4wvx-j9j6.json",
+        )
+        assert result is None
+
+    def test_parse_advisory_data_not_withdrawn_returns_advisory(self):
+        raw_data = {
+            "id": "GHSA-j3f7-7rmc-6wqj",
+            "published": "2022-01-10T14:12:00Z",
+            "aliases": ["CVE-2022-0001"],
+            "summary": "Some valid advisory",
+            "affected": [],
+        }
+        result = parse_advisory_data(
+            raw_data,
+            supported_ecosystems=["pypi"],
+            advisory_url="https://github.com/github/advisory-database/blob/main/advisories/GHSA-j3f7-7rmc-6wqj.json",
+        )
+        assert result is not None