fix(vulnfeeds): combine-2-osv panic with range 0 (#4988)

jess-lowe · web-flow · commit 13836f9c03be · 2026-03-10T09:51:51.000+11:00
If there's no boundary version, there's a panic on an empty array.
diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go
@@ -317,6 +317,8 @@ func pickAffectedInformation(cve5Affected []*osvschema.Affected, nvdAffected []*
 					newRange.Repo = repo
 					newRange.Type = osvschema.Range_GIT // Preserve the repo
 					newAffectedRanges = append(newAffectedRanges, newRange)
+				} else {
+					newAffectedRanges = cveRanges
 				}
 			} else {
 				newAffectedRanges = cveRanges
@@ -348,7 +350,15 @@ func pickAffectedInformation(cve5Affected []*osvschema.Affected, nvdAffected []*
 
 	// sort by repo
 	slices.SortFunc(combinedAffected, func(a, b *osvschema.Affected) int {
-		return cmp.Compare(a.GetRanges()[0].GetRepo(), b.GetRanges()[0].GetRepo())
+		var repoA, repoB string
+		if len(a.GetRanges()) > 0 {
+			repoA = a.GetRanges()[0].GetRepo()
+		}
+		if len(b.GetRanges()) > 0 {
+			repoB = b.GetRanges()[0].GetRepo()
+		}
+
+		return cmp.Compare(repoA, repoB)
 	})
 
 	return combinedAffected
