aboutcode-org
diff --git a/‎vulnerabilities/importers/osv_v2.py‎
Lines changed: 36 additions & 25 deletions b/‎vulnerabilities/importers/osv_v2.py‎
Lines changed: 36 additions & 25 deletions
diff --git a/‎vulnerabilities/pipelines/v2_importers/github_osv_importer.py‎
Lines changed: 0 additions & 2 deletions b/‎vulnerabilities/pipelines/v2_importers/github_osv_importer.py‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎vulnerabilities/pipelines/v2_importers/oss_fuzz.py‎
Lines changed: 0 additions & 2 deletions b/‎vulnerabilities/pipelines/v2_importers/oss_fuzz.py‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎vulnerabilities/pipelines/v2_importers/pysec_importer.py‎
Lines changed: 2 additions & 2 deletions b/‎vulnerabilities/pipelines/v2_importers/pysec_importer.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎vulnerabilities/tests/test_data/osv_test/pypa/pypa-5.yaml‎
Lines changed: 44 additions & 32 deletions b/‎vulnerabilities/tests/test_data/osv_test/pypa/pypa-5.yaml‎
Lines changed: 44 additions & 32 deletions
@@ -17,7 +17,7 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from packageurl import PackageURL
-from univers.version_constraint import VersionConstraint
+from univers.version_constraint import VersionConstraint, validate_comparators
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
 from univers.versions import InvalidVersion
 from univers.versions import SemverVersion
@@ -152,36 +152,41 @@ def parse_advisory_data_v3(
             or fixed_by_commit_patches
             or introduced_by_commit_patches
         ):
-            affected_packages.append(
-                AffectedPackageV2(
-                    package=purl,
-                    affected_version_range=affected_version_range,
-                    fixed_version_range=fixed_version_range,
-                    fixed_by_commit_patches=fixed_by_commit_patches,
-                    introduced_by_commit_patches=introduced_by_commit_patches,
+            try:
+                affected_packages.append(
+                    AffectedPackageV2(
+                        package=purl,
+                        affected_version_range=affected_version_range,
+                        fixed_version_range=fixed_version_range,
+                        fixed_by_commit_patches=fixed_by_commit_patches,
+                        introduced_by_commit_patches=introduced_by_commit_patches,
+                    )
                 )
-            )
+            except Exception as e:
+                logger.error(f"Invalid AffectedPackageV2 {e} for {advisory_id}")
 
     database_specific = raw_data.get("database_specific") or {}
     cwe_ids = database_specific.get("cwe_ids") or []
     weaknesses = list(map(get_cwe_id, cwe_ids))
 
     if advisory_id in aliases:
         aliases.remove(advisory_id)
-
-    return AdvisoryData(
-        advisory_id=advisory_id,
-        aliases=aliases,
-        summary=summary,
-        references_v2=references,
-        severities=severities,
-        affected_packages=affected_packages,
-        date_published=date_published,
-        weaknesses=weaknesses,
-        patches=patches,
-        url=advisory_url,
-        original_advisory_text=advisory_text or json.dumps(raw_data, indent=2, ensure_ascii=False),
-    )
+    try:
+        return AdvisoryData(
+            advisory_id=advisory_id,
+            aliases=aliases,
+            summary=summary,
+            references_v2=references,
+            severities=severities,
+            affected_packages=affected_packages,
+            date_published=date_published,
+            weaknesses=weaknesses,
+            patches=patches,
+            url=advisory_url,
+            original_advisory_text=advisory_text or json.dumps(raw_data, indent=2, ensure_ascii=False),
+        )
+    except Exception as e:
+        logger.error(f"Invalid AdvisoryData for {advisory_id}: {e}")
 
 
 def extract_events(range_data) -> Iterable[str]:
@@ -335,12 +340,18 @@ def get_explicit_affected_constraints(affected_pkg, raw_id, supported_ecosystem)
             version_obj = version_range_class.version_class(version)
             constraint = VersionConstraint(comparator="=", version=version_obj)
             constraints.append(constraint)
+            validate_comparators(constraints)
         except Exception as e:
             logger.error(
-                f"Invalid VersionRange for affected_pkg: {affected_pkg} "
-                f"for OSV id: {raw_id!r}: error:{e!r}"
+                f"Invalid VersionConstraint: {version} " f"for OSV id: {raw_id!r}: error:{e!r}"
             )
 
+        try:
+            validate_comparators(constraints)
+        except Exception as e:
+            logger.error(
+                f"InvalidConstraint: {version} " f"for OSV id: {raw_id!r}: error:{e!r}"
+            )
     return constraints
 
 
 
@@ -48,8 +48,6 @@ def advisories_count(self):
         return sum(1 for _ in advisory_dir.rglob("*.json"))
 
     def collect_advisories(self) -> Iterable[AdvisoryData]:
-        from vulnerabilities.importers.osv import parse_advisory_data_v2
-
         supported_ecosystems = [
             "pypi",
             "npm",
 
@@ -44,8 +44,6 @@ def advisories_count(self):
         return sum(1 for _ in vulns_directory.rglob("*.yaml"))
 
     def collect_advisories(self) -> Iterable[AdvisoryData]:
-        from vulnerabilities.importers.osv import parse_advisory_data_v2
-
         base_directory = Path(self.vcs_response.dest_dir)
         vulns_directory = base_directory / "vulns"
 
 
@@ -15,6 +15,7 @@
 import requests
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv_v2 import parse_advisory_data_v3
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 
 
@@ -47,7 +48,6 @@ def advisories_count(self) -> int:
 
     def collect_advisories(self) -> Iterable[AdvisoryData]:
         """Yield AdvisoryData using a zipped data dump of OSV data"""
-        from vulnerabilities.importers.osv import parse_advisory_data_v2
 
         with ZipFile(BytesIO(self.advisory_zip)) as zip_file:
             for file_name in zip_file.namelist():
@@ -60,7 +60,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
                 with zip_file.open(file_name) as f:
                     vul_info = json.load(f)
                     advisory_text = f.read()
-                    yield parse_advisory_data_v2(
+                    yield parse_advisory_data_v3(
                         raw_data=vul_info,
                         supported_ecosystems=["pypi"],
                         advisory_url=self.url,
 
@@ -1,46 +1,58 @@
-id: PYSEC-2021-796
-details: TensorFlow is an end-to-end open source platform for machine learning. In
-  affected versions TFLite's [`expand_dims.cc`](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/expand_dims.cc#L36-L50)
-  contains a vulnerability which allows reading one element outside of bounds of heap
-  allocated data. If `axis` is a large negative value (e.g., `-100000`), then after
-  the first `if` it would still be negative. The check following the `if` statement
-  will pass and the `for` loop would read one element before the start of `input_dims.data`
-  (when `i = 0`). We have patched the issue in GitHub commit d94ffe08a65400f898241c0374e9edc6fa8ed257.
-  The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit
-  on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected
-  and still in supported range.
+id: PYSEC-2017-94
+details: Heap-based buffer overflow in the ALGnew function in block_templace.c in
+  Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary
+  code as demonstrated by a crafted iv parameter to cryptmsg.py.
 affected:
 - package:
-    name: tensorflow-gpu
+    name: pycrypto
     ecosystem: PyPI
-    purl: pkg:pypi/tensorflow-gpu
+    purl: pkg:pypi/pycrypto
   ranges:
   - type: GIT
-    repo: https://github.com/tensorflow/tensorflow
+    repo: https://github.com/dlitz/pycrypto
     events:
-    - introduced: "0"
-    - fixed: d94ffe08a65400f898241c0374e9edc6fa8ed257
+    - introduced: '0'
+    - fixed: 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
   - type: ECOSYSTEM
     events:
-    - introduced: 2.3.0
-    - fixed: 2.3.4
-    - introduced: 2.4.0
-    - fixed: 2.4.3
+    - introduced: '0'
   versions:
-  - 2.3.0
-  - 2.3.1
-  - 2.3.2
-  - 2.3.3
-  - 2.4.0
+  - 1.9a2
+  - 1.9a5
+  - 1.9a6
+  - '2.0'
+  - 2.0.1
+  - 2.1.0
+  - '2.2'
+  - '2.3'
+  - '2.4'
   - 2.4.1
-  - 2.4.2
+  - '2.5'
+  - '2.6'
+  - 2.6.1
 references:
+- type: WEB
+  url: https://pony7.fr/ctf:public:32c3:cryptmsg
+- type: WEB
+  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJ37R2YLX56YZABFNAOWV4VTHTGYREAE/
+- type: WEB
+  url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C6BWNADPLKDBBQBUT3P75W7HAJCE7M3B/
+- type: REPORT
+  url: https://github.com/dlitz/pycrypto/issues/176
 - type: FIX
-  url: https://github.com/tensorflow/tensorflow/commit/d94ffe08a65400f898241c0374e9edc6fa8ed257
+  url: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
+- type: REPORT
+  url: https://bugzilla.redhat.com/show_bug.cgi?id=1409754
+- type: WEB
+  url: http://www.securityfocus.com/bid/95122
+- type: WEB
+  url: http://www.openwall.com/lists/oss-security/2016/12/27/8
 - type: ADVISORY
-  url: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c545-c4f9-rf6v
+  url: https://security.gentoo.org/glsa/201702-14
+- type: ADVISORY
+  url: https://github.com/advisories/GHSA-cq27-v7xp-c356
 aliases:
-- CVE-2021-37685
-- GHSA-c545-c4f9-rf6v
-modified: "2021-12-09T06:35:39.778016Z"
-published: "2021-08-12T23:15:00Z"
+- CVE-2013-7459
+- GHSA-cq27-v7xp-c356
+modified: '2021-08-27T03:22:16.665546Z'
+published: '2017-02-15T15:59:00Z'