Merged
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -101,6 +101,7 @@ require (
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
github.com/Intevation/gval v1.3.0 // indirect
github.com/Intevation/jsonpath v0.2.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/ProtonMail/go-crypto v1.3.0 // indirect
github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
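Review bot: The new `github.com/Masterminds/semver v1.5.0 // indirect` requirement is not explained by any visible change, since the only Go file added in this PR (normalize/cve.go) imports nothing but the standard library's `strings`, and the go.sum context below already carries `github.com/Masterminds/semver/v3 v3.3.1`, so the module graph would now contain both the legacy v1 line and v3 of the same library. Please record which dependency pulls v1 in (`go mod why -m github.com/Masterminds/semver`) and whether it can be avoided; a second copy of a library is easy to miss in later dependency audits.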
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -695,6 +695,8 @@ github.com/Intevation/jsonpath v0.2.1 h1:rINNQJ0Pts5XTFEG+zamtdL7l9uuE1z0FBA+r55
github.com/Intevation/jsonpath v0.2.1/go.mod h1:WnZ8weMmwAx/fAO3SutjYFU+v7DFreNYnibV7CiaYIw=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c h1:RGWPOewvKIROun94nF7v2cua9qP+thov/7M50KEoeSU=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
29 changes: 29 additions & 0 deletions normalize/cve.go
@@ -0,0 +1,29 @@
// Copyright 2026 larshermges
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Comment on lines +1 to +13
Copilot AI Feb 6, 2026

The repository is licensed under AGPL-3.0 (see LICENSE.txt), but this new file introduces an Apache-2.0 header. Unless this file is explicitly excluded/relicensed, the header should match the project’s AGPL notice to avoid licensing/compliance conflicts.

package normalize

import "strings"

func UppercaseCVEID(cveID string) string {
// make sure ghsa is uppercase
Copilot AI Feb 6, 2026

The comment says “make sure ghsa is uppercase”, but the code also lowercases the remainder of the GHSA ID. Update the comment to reflect the actual normalization being applied (e.g., “ensure GHSA prefix is uppercase and normalize the rest”).

Suggested change
// make sure ghsa is uppercase
// ensure GHSA prefix is uppercase and normalize the rest

// extract the prefix
prefix := strings.Split(cveID, "-")[0]
switch strings.ToLower(prefix) {
case "ghsa":
return "GHSA-" + strings.ToLower(cveID[len(prefix)+1:])
Comment on lines +22 to +25
Copilot AI Feb 6, 2026

UppercaseCVEID can panic for inputs like "ghsa" (no '-' present): prefix becomes "ghsa" and cveID[len(prefix)+1:] slices past the string length. Consider using strings.Cut/SplitN and only slicing when a '-' separator is present; otherwise fall back to returning strings.ToUpper(cveID) (or another safe default).

Suggested change
prefix := strings.Split(cveID, "-")[0]
switch strings.ToLower(prefix) {
case "ghsa":
return "GHSA-" + strings.ToLower(cveID[len(prefix)+1:])
prefix, rest, found := strings.Cut(cveID, "-")
if !found {
// No '-' present: fall back to uppercasing the whole ID to avoid panics.
return strings.ToUpper(cveID)
}
switch strings.ToLower(prefix) {
case "ghsa":
return "GHSA-" + strings.ToLower(rest)

default:
return strings.ToUpper(cveID)
}
Comment on lines +20 to +28
Copilot AI Feb 6, 2026

The function name UppercaseCVEID is misleading because the GHSA branch returns a mixed-case value (prefix uppercased, suffix lowercased). Consider renaming to something like NormalizeVulnID/NormalizeCVEID (or adjust behavior to truly uppercase everything) so callers don’t misinterpret what it guarantees.

Suggested change
// make sure ghsa is uppercase
// extract the prefix
prefix := strings.Split(cveID, "-")[0]
switch strings.ToLower(prefix) {
case "ghsa":
return "GHSA-" + strings.ToLower(cveID[len(prefix)+1:])
default:
return strings.ToUpper(cveID)
}
return strings.ToUpper(cveID)

Comment on lines +19 to +28
Copilot AI Feb 6, 2026

UppercaseCVEID is new behavior used to normalize request parameters for CSAF report lookup, but there are no unit tests covering GHSA vs CVE inputs or malformed values (e.g., "ghsa" without a dash). Adding a small table-driven test would protect against regressions and the panic case.

}
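Review bot: `cveID[len(prefix)+1:]` in the `ghsa` branch indexes past the end of the string whenever the input contains no `-` (for example `ghsa` or `GHSA`), because `strings.Split(cveID, "-")[0]` is then the whole string; as this value is derived from a request parameter in services/csaf_service.go, that is a request-triggerable panic and needs a guard such as `prefix, rest, ok := strings.Cut(cveID, "-")` with an early `return strings.ToUpper(cveID)` when `!ok`. The exported function also has no doc comment, and its name promises uppercasing while the GHSA branch lowercases the suffix, so either document that contract or rename it (for example NormalizeVulnID) to match. Since the function accepts any string, checking the expected shape (`CVE-YYYY-NNNN...` or `GHSA-xxxx-xxxx-xxxx`) before the value reaches the database lookup would turn malformed input into a clean error instead of a silent miss.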
2 changes: 1 addition & 1 deletion services/csaf_service.go
Expand Up @@ -795,7 +795,7 @@ func GenerateCSAFReport(ctx shared.Context, dependencyVulnRepository shared.Depe
org := shared.GetOrg(ctx)
asset := shared.GetAsset(ctx)
// remove everything <asset-slug>_ from the beginning of the document id
cveID = strings.ToUpper(strings.Split(cveID, ".json")[0])
cveID = normalize.UppercaseCVEID(strings.Split(cveID, ".json")[0])
Comment on lines 797 to +798
Copilot AI Feb 6, 2026

The inline comment says the code removes a "_" prefix from the document id, but the implementation only strips a ".json" suffix and normalizes casing. Either implement the prefix removal (e.g., trim asset.Slug+"_") or update the comment so it matches the actual behavior.

// fetch the cve from the database
vulns, err := dependencyVulnRepository.GetDependencyVulnByCVEIDAndAssetID(nil, cveID, asset.ID)
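Review bot: The comment directly above the changed line still says the `<asset-slug>_` prefix is removed, but the code only strips `.json` and normalizes case; either implement the prefix trimming or fix the comment. More importantly, `GetDependencyVulnByCVEIDAndAssetID(nil, cveID, asset.ID)` now receives `GHSA-` followed by a lowercased suffix instead of a fully uppercased id, so the change only repairs GHSA lookups if the dependency-vuln rows store GHSA ids in exactly that casing; confirm the stored form (or make the query case-insensitive) and add a test with a GHSA document id, because a casing mismatch here yields an empty result rather than an error.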