Allow empty introduced commit fields. (#99)

* Allow empty introduced commit fields.

Assume all commits prior to the fix are vulnerable.

* fix comment

Author: oliverchang

docker/worker/testdata/BLAH-127.yaml

@@ -0,0 +1,16 @@
+id: BLAH-127
+package:
+  name: blah.com/package
+  ecosystem: golang
+summary: A vulnerability
+details: |
+  Blah blah blah
+  Blah
+severity: HIGH
+affects:
+  ranges:
+  - type: GIT
+    repo: https://osv-test/repo/url
+    fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+references:
+- https://ref.com/ref

docker/worker/testdata/expected_127.diff

@@ -0,0 +1,19 @@
+diff --git a/BLAH-127.yaml b/BLAH-127.yaml
+index 915f291..c6a4223 100644
+--- a/BLAH-127.yaml
++++ b/BLAH-127.yaml
+@@ -12,5 +12,14 @@ affects:
+   - type: GIT
+     repo: https://osv-test/repo/url
+     fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
++  - type: GIT
++    repo: https://osv-test/repo/url
++    fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98
++  versions:
++  - branch-v0.1.1
++  - branch_1_cherrypick_regress
++  - v0.1
++  - v0.1.1
+ references:
+ - https://ref.com/ref
++modified: '2021-01-01T00:00:00Z'

docker/worker/worker.py

@@ -358,8 +358,10 @@ def _do_update(self, source_repo, repo, vulnerability, yaml_path,
         if affected_range.type != vulnerability_pb2.AffectedRange.GIT:
           continue
 
-        range_collectors[affected_range.repo].add(affected_range.introduced,
-                                                  affected_range.fixed)
+        # Convert empty values ('') to None.
+        introduced = affected_range.introduced or None
+        fixed = affected_range.fixed or None
+        range_collectors[affected_range.repo].add(introduced, fixed)
 
       for affected_range in vulnerability.affects.ranges:
         # Go through existing provided ranges to find additional ranges (via

docker/worker/worker_test.py

@@ -776,6 +776,9 @@ def setUp(self):
     self.mock_repo.add_file(
         'BLAH-125.yaml',
         self._load_test_data(os.path.join(TEST_DATA_DIR, 'BLAH-125.yaml')))
+    self.mock_repo.add_file(
+        'BLAH-127.yaml',
+        self._load_test_data(os.path.join(TEST_DATA_DIR, 'BLAH-127.yaml')))
     self.mock_repo.commit('User', 'user@email')
 
     osv.SourceRepository(
@@ -805,6 +808,12 @@ def setUp(self):
         ecosystem='golang',
         source_id='source:BLAH-125.yaml',
         source_of_truth=osv.SourceOfTruth.SOURCE_REPO).put()
+    osv.Bug(
+        id='BLAH-127',
+        project='blah.com/package',
+        ecosystem='golang',
+        source_id='source:BLAH-127.yaml',
+        source_of_truth=osv.SourceOfTruth.SOURCE_REPO).put()
 
   def tearDown(self):
     self.tmp_dir.cleanup()
@@ -945,6 +954,80 @@ def test_update_add_fix(self):
         'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b',
     ], [commit.commit for commit in affected_commits])
 
+  def test_update_no_introduced(self):
+    """Test update vulnerability with no introduced commit."""
+    task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None,
+                                    None)
+
+    message = mock.Mock()
+    message.attributes = {
+        'source': 'source',
+        'path': 'BLAH-127.yaml',
+        'original_sha256': ('484f6d8659f0c01e2f08a6fba9791fb2'
+                            '9b5df09530e5d8307fc1f368b01d7dcb'),
+        'deleted': 'false',
+    }
+    task_runner._source_update(message)
+
+    repo = pygit2.Repository(self.remote_source_repo_path)
+    commit = repo.head.peel()
+
+    self.assertEqual('infra@osv.dev', commit.author.email)
+    self.assertEqual('OSV', commit.author.name)
+    self.assertEqual('Update BLAH-127', commit.message)
+    diff = repo.diff(commit.parents[0], commit)
+    self.assertEqual(self._load_test_data('expected_127.diff'), diff.patch)
+
+    self.assertDictEqual(
+        {
+            'additional_commit_ranges': [{
+                'fixed_in': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98',
+                'introduced_in': ''
+            },],
+            'affected': [],
+            'affected_fuzzy': [],
+            'confidence': None,
+            'details': 'Blah blah blah\nBlah\n',
+            'ecosystem': 'golang',
+            'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735',
+            'has_affected': False,
+            'issue_id': None,
+            'last_modified': datetime.datetime(2021, 1, 1, 0, 0),
+            'project': 'blah.com/package',
+            'public': None,
+            'reference_urls': ['https://ref.com/ref'],
+            'regressed': '',
+            'repo_url': 'https://osv-test/repo/url',
+            'search_indices': ['blah.com/package', 'BLAH-127', 'BLAH', '127'],
+            'severity': 'HIGH',
+            'sort_key': 'BLAH-0000127',
+            'source_id': 'source:BLAH-127.yaml',
+            'source_of_truth': osv.SourceOfTruth.SOURCE_REPO,
+            'status': None,
+            'summary': 'A vulnerability',
+            'timestamp': None
+        },
+        osv.Bug.get_by_id('BLAH-127')._to_dict())
+
+    affected_commits = list(osv.AffectedCommit.query())
+    self.assertCountEqual([
+        'b1c95a196f22d06fcf80df8c6691cd113d8fefff',
+        'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd',
+        'a2ba949290915d445d34d0e8e9de2e7ce38198fc',
+        'e1b045257bc5ca2a11d0476474f45ef77a0366c7',
+        '00514d6f244f696e750a37083163992c6a50cfd3',
+        '25147a74d8aeb27b43665530ee121a2a1b19dc58',
+        '3c5dcf6a5bec14baab3b247d369a7270232e1b83',
+        '4c155795426727ea05575bd5904321def23c03f4',
+        '57e58a5d7c2bb3ce0f04f17ec0648b92ee82531f',
+        '90aa4127295b2c37b5f7fcf6a9772b12c99a5212',
+        '949f182716f037e25394bbb98d39b3295d230a29',
+        'b1fa81a5d59e9b4d6e276d82fc17058f3cf139d9',
+        'f0cc40d8c3dabb27c2cfe26f1764305abc91a0b9',
+        'febfac1940086bc1f6d3dc33fda0a1d1ba336209',
+        'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b',
+    ], [commit.commit for commit in affected_commits])
+
   def test_update_new(self):
     """Test update with new vulnerability added."""
     self.mock_repo.add_file(
@@ -1032,7 +1115,7 @@ def test_update_no_changes(self):
     message.attributes = {
         'source': 'source',
         'path': 'BLAH-125.yaml',
-        'original_sha256': ('b5ecb05106faef7fc5bd07f86e089783',
+        'original_sha256': ('b5ecb05106faef7fc5bd07f86e089783'
                             '4354608c5bb59d3b6317491874198a3a'),
         'deleted': 'false',
     }

lib/osv/impact.py

@@ -123,8 +123,12 @@ def get_affected(repo, regress_commit_or_range, fix_commit_or_range):
   for commit in regress_commits:
     tags_with_bug.update(get_tags_with_commits(repo, [commit]))
 
-  tags_with_fix = get_tags_with_commits(repo, fix_commits)
+  if not regress_commits:
+    # If no introduced commit provided, assume all commits prior to fix are
+    # vulnerable.
+    tags_with_bug.update(get_all_tags(repo))
 
+  tags_with_fix = get_tags_with_commits(repo, fix_commits)
   affected_commits, affected_ranges = get_affected_range(
       repo, regress_commits, fix_commits)
 
@@ -163,7 +167,8 @@ def get_affected_range(repo, regress_commits, fix_commits):
       if equivalent_regress_commit:
         break
 
-    if not equivalent_regress_commit:
+    # If regress_commits is provided, then we should find an equivalent.
+    if not equivalent_regress_commit and regress_commits:
       continue
 
     # Get the latest equivalent commit in the fix range.
@@ -186,7 +191,9 @@ def get_affected_range(repo, regress_commits, fix_commits):
       # Not fixed in this branch. Everything is still vulnerabile.
       last_affected_commits.append(repo.revparse_single(ref).id)
 
-    commits.add(equivalent_regress_commit)
+    if equivalent_regress_commit:
+      commits.add(equivalent_regress_commit)
+
     for last_affected_commit in last_affected_commits:
       if (equivalent_regress_commit, last_affected_commit) in seen_commits:
         continue
@@ -216,6 +223,15 @@ def get_commit_range(repo, commit_or_range):
   return get_commit_list(repo, start_commit, end_commit)
 
 
+def get_all_tags(repo):
+  """Get all tags."""
+  return [
+      ref[len(TAG_PREFIX):]
+      for ref in repo.listall_references()
+      if ref.startswith(TAG_PREFIX)
+  ]
+
+
 def get_tags_with_commits(repo, commits):
   """Get tags with a given commit."""
   if not commits:
@@ -244,7 +260,9 @@ def get_commit_list(repo, start_commit, end_commit):
   except KeyError as e:
     raise ImpactError('Invalid commit.') from e
 
-  walker.hide(start_commit)
+  if start_commit:
+    walker.hide(start_commit)
+
   return [str(commit.id) for commit in walker]