refactor(vulnfeeds): Move BuildVersionRange into common dir for conversion (#4814)

This is going to be used by both NVD and CVEList conversion so makes
sense to put it in a common dir.

Author: jess-lowe

vulnfeeds/cmd/combine-to-osv/main.go

@@ -15,7 +15,7 @@ import (
 	"strings"
 
 	"cloud.google.com/go/storage"
-	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/upload"
 	"github.com/google/osv/vulnfeeds/utility/logger"
@@ -312,7 +312,7 @@ func pickAffectedInformation(cve5Affected []*osvschema.Affected, nvdAffected []*
 				}
 
 				if c5Intro != "" || c5Fixed != "" {
-					newRange := cves.BuildVersionRange(c5Intro, "", c5Fixed)
+					newRange := conversion.BuildVersionRange(c5Intro, "", c5Fixed)
 					newRange.Repo = repo
 					newRange.Type = osvschema.Range_GIT // Preserve the repo
 					newAffectedRanges = append(newAffectedRanges, newRange)

vulnfeeds/conversion/common.go

@@ -111,3 +111,28 @@ func WriteMetricsFile(metrics *models.ConversionMetrics, metricsFile *os.File) e
 
 	return nil
 }
+
+// BuildVersionRange is a helper function that adds 'introduced', 'fixed', or 'last_affected'
+// events to an OSV version range. If 'intro' is empty, it defaults to "0".
+func BuildVersionRange(intro string, lastAff string, fixed string) *osvschema.Range {
+	var versionRange osvschema.Range
+	var i string
+	if intro == "" {
+		i = "0"
+	} else {
+		i = intro
+	}
+	versionRange.Events = append(versionRange.Events, &osvschema.Event{
+		Introduced: i})
+
+	if fixed != "" {
+		versionRange.Events = append(versionRange.Events, &osvschema.Event{
+			Fixed: fixed})
+	} else if lastAff != "" {
+		versionRange.Events = append(versionRange.Events, &osvschema.Event{
+			LastAffected: lastAff,
+		})
+	}
+
+	return &versionRange
+}

vulnfeeds/conversion/common_test.go

@@ -0,0 +1,68 @@
+package conversion
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/ossf/osv-schema/bindings/go/osvschema"
+	"google.golang.org/protobuf/testing/protocmp"
+)
+
+func TestBuildVersionRange(t *testing.T) {
+	tests := []struct {
+		name    string
+		intro   string
+		lastAff string
+		fixed   string
+		want    *osvschema.Range
+	}{
+		{
+			name:  "intro and fixed",
+			intro: "1.0.0",
+			fixed: "1.0.1",
+			want: &osvschema.Range{
+				Events: []*osvschema.Event{
+					{Introduced: "1.0.0"},
+					{Fixed: "1.0.1"},
+				},
+			},
+		},
+		{
+			name:    "intro and last_affected",
+			intro:   "1.0.0",
+			lastAff: "1.0.0",
+			want: &osvschema.Range{
+				Events: []*osvschema.Event{
+					{Introduced: "1.0.0"},
+					{LastAffected: "1.0.0"},
+				},
+			},
+		},
+		{
+			name:  "only intro",
+			intro: "1.0.0",
+			want: &osvschema.Range{
+				Events: []*osvschema.Event{
+					{Introduced: "1.0.0"},
+				},
+			},
+		},
+		{
+			name: "empty intro",
+			want: &osvschema.Range{
+				Events: []*osvschema.Event{
+					{Introduced: "0"},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := BuildVersionRange(tt.intro, tt.lastAff, tt.fixed)
+			if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
+				t.Errorf("BuildVersionRange() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

vulnfeeds/cvelist2osv/common.go

@@ -7,7 +7,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/git"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/utility"
@@ -120,9 +120,9 @@ func gitVersionsToCommits(cveID models.CVEID, versionRanges []*osvschema.Range,
 				var newVR *osvschema.Range
 
 				if fixedCommit != "" {
-					newVR = cves.BuildVersionRange(introducedCommit, "", fixedCommit)
+					newVR = conversion.BuildVersionRange(introducedCommit, "", fixedCommit)
 				} else {
-					newVR = cves.BuildVersionRange(introducedCommit, lastAffectedCommit, "")
+					newVR = conversion.BuildVersionRange(introducedCommit, lastAffectedCommit, "")
 				}
 
 				newVR.Repo = repo
@@ -187,9 +187,9 @@ func findCPEVersionRanges(cve models.CVE5) (versionRanges []*osvschema.Range, cp
 				}
 
 				if match.VersionEndExcluding != "" {
-					versionRanges = append(versionRanges, cves.BuildVersionRange(match.VersionStartIncluding, "", match.VersionEndExcluding))
+					versionRanges = append(versionRanges, conversion.BuildVersionRange(match.VersionStartIncluding, "", match.VersionEndExcluding))
 				} else if match.VersionEndIncluding != "" {
-					versionRanges = append(versionRanges, cves.BuildVersionRange(match.VersionStartIncluding, match.VersionEndIncluding, ""))
+					versionRanges = append(versionRanges, conversion.BuildVersionRange(match.VersionStartIncluding, match.VersionEndIncluding, ""))
 				}
 			}
 		}

vulnfeeds/cvelist2osv/default_extractor.go

@@ -100,10 +100,10 @@ func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affec
 				continue
 			}
 			if av.Fixed != "" {
-				versionRanges = append(versionRanges, cves.BuildVersionRange(av.Introduced, "", av.Fixed))
+				versionRanges = append(versionRanges, conversion.BuildVersionRange(av.Introduced, "", av.Fixed))
 				continue
 			} else if av.LastAffected != "" {
-				versionRanges = append(versionRanges, cves.BuildVersionRange(av.Introduced, av.LastAffected, ""))
+				versionRanges = append(versionRanges, conversion.BuildVersionRange(av.Introduced, av.LastAffected, ""))
 				continue
 			}
 		}
@@ -118,7 +118,7 @@ func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affec
 
 		// As a fallback, assume a single version means it's the last affected version.
 		if vulns.CheckQuality(vers.Version).AtLeast(acceptableQuality) {
-			versionRanges = append(versionRanges, cves.BuildVersionRange("0", vers.Version, ""))
+			versionRanges = append(versionRanges, conversion.BuildVersionRange("0", vers.Version, ""))
 			metrics.AddNote("Single version found %v - Assuming introduced = 0 and last affected = %v", vers.Version, vers.Version)
 		}
 	}

vulnfeeds/cvelist2osv/linux_extractor.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 
 	"github.com/google/osv/vulnfeeds/conversion"
-	"github.com/google/osv/vulnfeeds/cves"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/vulns"
 	"github.com/ossf/osv-schema/bindings/go/osvconstants"
@@ -137,7 +136,7 @@ func findInverseAffectedRanges(cveAff models.Affected, metrics *models.Conversio
 	// Create ranges by pairing sorted introduced and fixed versions.
 	for index, f := range fixed {
 		if index < len(introduced) {
-			ranges = append(ranges, cves.BuildVersionRange(introduced[index], "", f))
+			ranges = append(ranges, conversion.BuildVersionRange(introduced[index], "", f))
 			metrics.AddNote("Introduced from version value - %s", introduced[index])
 			metrics.AddNote("Fixed from version value - %s", f)
 		}
@@ -166,13 +165,13 @@ func (l *LinuxVersionExtractor) FindNormalAffectedRanges(affected models.Affecte
 		metrics.AddNote("Only version exists")
 
 		if currentVersionType == VersionRangeTypeGit {
-			versionRanges = append(versionRanges, cves.BuildVersionRange(vers.Version, "", ""))
+			versionRanges = append(versionRanges, conversion.BuildVersionRange(vers.Version, "", ""))
 			continue
 		}
 
 		// As a fallback, assume a single version means it's the last affected version.
 		if vulns.CheckQuality(vers.Version).AtLeast(acceptableQuality) {
-			versionRanges = append(versionRanges, cves.BuildVersionRange("0", vers.Version, ""))
+			versionRanges = append(versionRanges, conversion.BuildVersionRange("0", vers.Version, ""))
 			metrics.AddNote("Single version found %v - Assuming introduced = 0 and last affected = %v", vers.Version, vers.Version)
 		}
 	}

vulnfeeds/cvelist2osv/strategies.go

@@ -1,6 +1,7 @@
 package cvelist2osv
 
 import (
+	"github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/cves"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/vulns"
@@ -75,9 +76,9 @@ func initialNormalExtraction(vers models.Versions, metrics *models.ConversionMet
 		}
 		var versionRanges []*osvschema.Range
 		if fixed != "" {
-			versionRanges = append(versionRanges, cves.BuildVersionRange(introduced, "", fixed))
+			versionRanges = append(versionRanges, conversion.BuildVersionRange(introduced, "", fixed))
 		} else if lastaffected != "" {
-			versionRanges = append(versionRanges, cves.BuildVersionRange(introduced, lastaffected, ""))
+			versionRanges = append(versionRanges, conversion.BuildVersionRange(introduced, lastaffected, ""))
 		}
 
 		return versionRanges, currentVersionType, true

vulnfeeds/cvelist2osv/version_extraction_test.go

@@ -6,7 +6,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/google/osv/vulnfeeds/cves"
+	"github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/vulns"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
@@ -58,7 +58,7 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 				},
 			},
 			wantRanges: []*osvschema.Range{
-				cves.BuildVersionRange("1.0", "", "1.5"),
+				conversion.BuildVersionRange("1.0", "", "1.5"),
 			},
 			wantRangeType: VersionRangeTypeSemver,
 		},
@@ -74,7 +74,7 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 				},
 			},
 			wantRanges: []*osvschema.Range{
-				cves.BuildVersionRange("0", "2.0", ""),
+				conversion.BuildVersionRange("0", "2.0", ""),
 			},
 			wantRangeType: VersionRangeTypeSemver,
 		},
@@ -89,7 +89,7 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 				},
 			},
 			wantRanges: []*osvschema.Range{
-				cves.BuildVersionRange("2.0", "", "2.5"),
+				conversion.BuildVersionRange("2.0", "", "2.5"),
 			},
 			wantRangeType: VersionRangeTypeEcosystem,
 		},
@@ -105,7 +105,7 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 				},
 			},
 			wantRanges: []*osvschema.Range{
-				cves.BuildVersionRange("", "deadbeef", ""),
+				conversion.BuildVersionRange("", "deadbeef", ""),
 			},
 			wantRangeType: VersionRangeTypeGit,
 		},
@@ -175,7 +175,7 @@ func TestFindInverseAffectedRanges(t *testing.T) {
 			versionType: VersionRangeTypeSemver,
 			cnaAssigner: "Linux",
 			want: []*osvschema.Range{
-				cves.BuildVersionRange("5.0.0", "", "5.10.1"),
+				conversion.BuildVersionRange("5.0.0", "", "5.10.1"),
 			},
 		},
 		{
@@ -214,7 +214,7 @@ func TestFindInverseAffectedRanges(t *testing.T) {
 			versionType: VersionRangeTypeSemver,
 			cnaAssigner: "Linux",
 			want: []*osvschema.Range{
-				cves.BuildVersionRange("4.0.0", "", "4.5.2"),
+				conversion.BuildVersionRange("4.0.0", "", "4.5.2"),
 			},
 		},
 	}

vulnfeeds/cves/versions.go

@@ -29,7 +29,6 @@ import (
 	"time"
 
 	"github.com/knqyf263/go-cpe/naming"
-	"github.com/ossf/osv-schema/bindings/go/osvschema"
 	"github.com/sethvargo/go-retry"
 
 	"github.com/google/osv/vulnfeeds/git"
@@ -1139,10 +1138,6 @@ func ReposFromReferences(cache *VPRepoCache, vp *VendorProduct, refs []models.Re
 	if len(repos) == 0 {
 		return repos
 	}
-	if vp != nil {
-		metrics.AddNote("Derived repos using references %q for %q %q", repos, vp.Vendor, vp.Product)
-	}
-	metrics.AddNote("Derived repos (no CPEs) using references: %q", repos)
 
 	return repos
 }
@@ -1179,28 +1174,3 @@ func ReposFromReferencesCVEList(refs []models.Reference, tagDenyList []string, m
 
 	return repos
 }
-
-// BuildVersionRange is a helper function that adds 'introduced', 'fixed', or 'last_affected'
-// events to an OSV version range. If 'intro' is empty, it defaults to "0".
-func BuildVersionRange(intro string, lastAff string, fixed string) *osvschema.Range {
-	var versionRange osvschema.Range
-	var i string
-	if intro == "" {
-		i = "0"
-	} else {
-		i = intro
-	}
-	versionRange.Events = append(versionRange.Events, &osvschema.Event{
-		Introduced: i})
-
-	if fixed != "" {
-		versionRange.Events = append(versionRange.Events, &osvschema.Event{
-			Fixed: fixed})
-	} else if lastAff != "" {
-		versionRange.Events = append(versionRange.Events, &osvschema.Event{
-			LastAffected: lastAff,
-		})
-	}
-
-	return &versionRange
-}