Parsing of introduced version in OSV not working as expected. See the example below:
```python
In [1]: from vulnerabilities.importers import osv

In [2]: raw_data = {
   ...:     "schema_version": "1.4.0",
   ...:     "id": "GHSA-2hjr-vmf3-xwvp",
   ...:     "aliases": [
   ...:         "CVE-2023-49921"
   ...:     ],
   ...:     "summary": "summary",
   ...:     "details": "details",
   ...:     "severity": [],
   ...:     "affected": [
   ...:         {
   ...:             "package": {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"},
   ...:             "ranges": [
   ...:                 {
   ...:                     "type": "ECOSYSTEM",
   ...:                     "events": [
   ...:                         {"introduced": "0"},
   ...:                         {"fixed": "7.17.16"}
   ...:                     ]
   ...:                 }
   ...:             ]
   ...:         },
   ...:         {
   ...:             "package": {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"},
   ...:             "ranges": [
   ...:                 {
   ...:                     "type": "ECOSYSTEM",
   ...:                     "events": [
   ...:                         {"introduced": "8.0.0"},
   ...:                         {"fixed": "8.11.2"}
   ...:                     ]
   ...:                 }
   ...:             ]
   ...:         }
   ...:     ],
   ...:     "references": []
   ...: }

In [3]: advisory_url = "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-2hjr-vmf3-xwvp/GHSA-2hjr-vmf3-xwvp.json"

In [4]: supported_ecosystems = ["maven"]

In [5]: advisory_text = ""

In [6]: adv = osv.parse_advisory_data_v2(raw_data, supported_ecosystems, advisory_url, advisory_text)

In [7]: len(adv.affected_packages)
Out[7]: 2

In [8]: af1 = adv.affected_packages[0]

In [9]: af2 = adv.affected_packages[1]

In [10]: str(af1.affected_version_range)
Out[10]: 'None'

In [11]: str(af1.fixed_version_range)
Out[11]: 'vers:maven/7.17.16'

In [12]: str(af2.affected_version_range)
Out[12]: 'None'

In [13]: str(af2.fixed_version_range)
Out[13]: 'vers:maven/8.11.2'
```
In the above example `af2.affected_version_range` shouldn't be `None`; we are completely missing 8.0.0.
Additionally, we should process fixed versions individually, either ingesting them or skipping only the invalid entries instead of discarding the entire list.
> `Invalid VersionRange for affected_pkg: ['0.8', '0.9', '0.9.3', '0.9.4', '0.9.5', '0.9.6', '0.9.7', '0.9.8', '0.9.9', '2.0.1', '2.0.1rc1', '2.0.1rc2-git', '2.0.1rc3', '2.0.1rc4', '2.0.2', '2.0.3', '2.0.4', '2.0.5', '2.0b4', '2.0b5', '2.0b6', '2.0b7', '2.0b8', '2.0b9', '3.0.0', '3.0.0b1', '3.0.0b2', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.1', '3.2', '3.2.1', '3.2.2', '3.2.3', '3.2.4', '3.2.5', '3.3', '3.4', '3.4.1', '3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.5', '3.5b1', '3.6', '3.6.1', '3.6.2', '3.6.3', '3.6.4'] for OSV id: 'PYSEC-2021-859': error:InvalidVersion("'2.0.1rc2-git' is not a valid <class 'univers.versions.PypiVersion'>")`
>
> One entry of the list might not be a valid version, but all the others are valid; are we ingesting them, or skipping the whole list if we can't ingest one?
This bug was discovered by @keshav-space at #2017 (review).
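To make both points concrete, here is an added, self-contained example (not vulnerablecode's `osv` importer and not using `univers`) of how the OSV `affected[].ranges[].events` list can be walked so that an `introduced` of `8.0.0` becomes a lower bound in the affected range, `introduced: "0"` contributes only an upper bound, and a list of explicit versions is validated entry by entry rather than discarded whole. The `is_valid_version` regex is a constructed stand-in for an ecosystem version parser (the real importer would use the ecosystem's version class), and the `vers:` strings follow the syntax seen in the session above.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for an ecosystem version parser: dotted digits with an
# optional pre-release tag such as "rc1" or "b4". "2.0.1rc2-git" is rejected.
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*(?:[a-z]+\d+)?$")


def is_valid_version(version: str) -> bool:
    """Return True if `version` is parseable by the stand-in parser."""
    return bool(VERSION_RE.match(version))


def parse_range_events(events: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Turn one OSV range's ordered `events` into vers constraints.

    Each "introduced" opens an affected interval that the next "fixed" or
    "last_affected" event closes. "introduced": "0" means "from the very
    first version", so it adds no lower bound. Returns
    (affected_constraints, fixed_versions).
    """
    affected: List[str] = []
    fixed: List[str] = []
    lower: Optional[str] = None  # pending lower bound from the last "introduced"

    for event in events:
        if "introduced" in event:
            lower = event["introduced"]
        elif "fixed" in event or "last_affected" in event:
            upper = event.get("fixed") or event.get("last_affected")
            op = "<" if "fixed" in event else "<="
            bounds: List[str] = []
            if lower not in (None, "0"):
                bounds.append(f">={lower}")
            bounds.append(f"{op}{upper}")
            affected.append("|".join(bounds))
            if "fixed" in event:
                fixed.append(upper)
            lower = None

    # An "introduced" with no closing event means "that version and everything after".
    if lower is not None:
        affected.append("*" if lower == "0" else f">={lower}")
    return affected, fixed


def to_vers(ecosystem: str, constraints: List[str]) -> Optional[str]:
    """Build e.g. 'vers:maven/>=8.0.0|<8.11.2'; None when there is nothing to say."""
    if not constraints:
        return None
    return f"vers:{ecosystem.lower()}/" + "|".join(constraints)


def parse_affected(affected_entry: Dict) -> Dict[str, Optional[str]]:
    """Return affected_version_range and fixed_version_range for one `affected` entry."""
    ecosystem = affected_entry["package"]["ecosystem"]
    all_affected: List[str] = []
    all_fixed: List[str] = []
    for rng in affected_entry.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue  # GIT and SEMVER ranges need ecosystem-specific handling; skipped here
        a, f = parse_range_events(rng.get("events", []))
        all_affected.extend(a)
        all_fixed.extend(f)
    return {
        "affected_version_range": to_vers(ecosystem, all_affected),
        "fixed_version_range": to_vers(ecosystem, all_fixed),
    }


def split_valid_versions(versions: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Validate each version on its own: keep the parseable ones, report the rest.

    This is the per-entry behaviour asked for above, instead of raising on the
    first bad entry and dropping the whole list.
    """
    valid: List[str] = []
    skipped: List[str] = []
    for v in versions:
        (valid if is_valid_version(v) else skipped).append(v)
    return valid, skipped


if __name__ == "__main__":
    # Constructed sample: the two Maven `affected` entries from the session above.
    pkg = {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"}
    entries = [
        {"package": pkg, "ranges": [{"type": "ECOSYSTEM",
                                     "events": [{"introduced": "0"}, {"fixed": "7.17.16"}]}]},
        {"package": pkg, "ranges": [{"type": "ECOSYSTEM",
                                     "events": [{"introduced": "8.0.0"}, {"fixed": "8.11.2"}]}]},
    ]
    for entry in entries:
        print(parse_affected(entry))
    # Constructed sample modelled on the quoted PYSEC-2021-859 error above.
    valid, skipped = split_valid_versions(["2.0.1rc1", "2.0.1rc2-git", "3.0.0", "3.5b1"])
    print(to_vers("pypi", valid), "skipped:", skipped)
```

Run as a script it prints `vers:maven/<7.17.16` and `vers:maven/>=8.0.0|<8.11.2` for the two affected ranges (with `vers:maven/7.17.16` and `vers:maven/8.11.2` as the fixed ranges), and for the PyPI list it keeps the three parseable versions while reporting `2.0.1rc2-git` as skipped rather than failing the whole advisory.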