refactor
DmitriyLewen committed Mar 15, 2024
1 parent 58951d4 commit 43d8e84
Showing 3 changed files with 67 additions and 35 deletions.
65 changes: 30 additions & 35 deletions pkg/vulnsrc/ghsa/ghsa.go
Expand Up @@ -3,7 +3,6 @@ package ghsa
import (
"encoding/json"
"fmt"
"github.com/samber/lo"
"path/filepath"
"strings"

Expand Down Expand Up @@ -95,46 +94,42 @@ func (t *transformer) TransformAdvisories(advisories []osv.Advisory, entry osv.E
return nil, xerrors.Errorf("JSON decode error: %w", err)
}

for _, affected := range entry.Affected {
// Skip if `affected[].database_specific` field doesn't exist
if affected.DatabaseSpecific == nil {
continue
}
severity := convertSeverity(specific.Severity)
for i, adv := range advisories {
// Add version from `last_known_affected_version_range` field.
// cf. https://github.com/github/advisory-database/issues/470#issuecomment-1998604377
for _, entryAffected := range entry.Affected {
// Skip if `affected[].database_specific` field doesn't exist
if entryAffected.DatabaseSpecific == nil {
continue
}

ecosystem := osv.ConvertEcosystem(affected.Package.Ecosystem)
if ecosystem == vulnerability.Unknown {
continue
}
pkgName := vulnerability.NormalizePkgName(ecosystem, affected.Package.Name)
var affectedSpecific DatabaseSpecific
if err := json.Unmarshal(entryAffected.DatabaseSpecific, &affectedSpecific); err != nil {
return nil, xerrors.Errorf("JSON decode error: %w", err)
}

var affectedSpecific DatabaseSpecific
if err := json.Unmarshal(affected.DatabaseSpecific, &affectedSpecific); err != nil {
return nil, xerrors.Errorf("JSON decode error: %w", err)
}
entryEcosystem := osv.ConvertEcosystem(entryAffected.Package.Ecosystem)
entryPkgName := vulnerability.NormalizePkgName(entryEcosystem, entryAffected.Package.Name)

// Add version from `last_known_affected_version_range` field
// cf. https://github.com/github/advisory-database/issues/470#issuecomment-1998604377
advisories = lo.Map(advisories, func(adv osv.Advisory, _ int) osv.Advisory {
if adv.PkgName == pkgName && adv.Ecosystem == ecosystem {
for i, vulnVersion := range adv.VulnerableVersions {
// Skip next cases:
// - vulnerability version range is single version (`=` is used)
// - vulnerability version range already contains fixed/affected version (`<`/`<=` is used)
if !strings.Contains(vulnVersion, "<") && !strings.HasPrefix(vulnVersion, "=") {
// `last_known_affected_version_range` uses `< version` or `<= version` formats (e.g. `< 1.2.3` or `<= 1.2.3`).
// Remove space to fit our format.
affectedSpecific.LastKnownAffectedVersionRange = strings.ReplaceAll(affectedSpecific.LastKnownAffectedVersionRange, " ", "")
adv.VulnerableVersions[i] = fmt.Sprintf("%s, %s", vulnVersion, affectedSpecific.LastKnownAffectedVersionRange)
break
}
if adv.PkgName != entryPkgName || adv.Ecosystem != entryEcosystem {
continue
}

for j, vulnVersion := range adv.VulnerableVersions {
// `fixed` and `last_affected` fields (`<`,`<=` or `=` is used) have high priority then `last_known_affected_version_range`.
if strings.Contains(vulnVersion, "<") || strings.HasPrefix(vulnVersion, "=") {
continue
}

// `last_known_affected_version_range` uses `< version` or `<= version` formats (e.g. `< 1.2.3` or `<= 1.2.3`).
// Remove space to fit our format.
affectedSpecific.LastKnownAffectedVersionRange = strings.ReplaceAll(affectedSpecific.LastKnownAffectedVersionRange, " ", "")
advisories[i].VulnerableVersions[j] = fmt.Sprintf("%s, %s", vulnVersion, affectedSpecific.LastKnownAffectedVersionRange)
}
return adv
})
}
}

severity := convertSeverity(specific.Severity)
for i, adv := range advisories {
// Fill severity from
advisories[i].Severity = severity

// Replace a git URL with a CocoaPods package name in a Swift vulnerability
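Review bot: An `affected[].database_specific` object that is present but carries no `last_known_affected_version_range` (or an empty one) still reaches the `fmt.Sprintf` at the end of the new inner loop and rewrites the constraint as `">=0, "`, which is not a parseable range; add `if affectedSpecific.LastKnownAffectedVersionRange == "" { continue }` directly after the `json.Unmarshal` check. The rewrite also drops the previous `ecosystem == vulnerability.Unknown` guard, so an `entryAffected` with an unrecognised ecosystem is now matched against advisories by name only; that is harmless only if `advisories` can never carry `vulnerability.Unknown`, which is not visible in this hunk. Because the `entry.Affected` loop now sits inside the `advisories` loop, every `database_specific` blob is decoded once per advisory instead of once; decoding the affected entries into a slice before the outer loop would keep the work linear and would also let the unmarshal error surface once. The dangling context comment `// Fill severity from` should be completed, e.g. `// Fill severity from the entry-level database_specific.severity field`. The enclosing `TransformAdvisories` begins before and ends after this hunk.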
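--- a/pkg/vulnsrc/ghsa/ghsa_test.go
+++ b/pkg/vulnsrc/ghsa/ghsa_test.go
@@ -98,6 +98,21 @@ func TestVulnSrc_Update(t *testing.T) {
 VulnerableVersions: []string{">=0, <3.5.3.1"},
 },
 },
+{
+Key: []string{
+"advisory-detail",
+"CVE-2023-25330",
+"maven::GitHub Security Advisory Maven",
+"com.baomidou:mybatis-plus-copy",
+},
+Value: types.Advisory{
+VendorIDs: []string{
+"GHSA-32qq-m9fh-f74w",
+},
+PatchedVersions: []string{"3.5.0"},
+VulnerableVersions: []string{"<3.5.0"},
+},
+},
 {
 Key: []string{
 "vulnerability-detail",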
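Review bot: The added expectation only pins the skip path, where a `fixed` event yields `<3.5.0` and `last_known_affected_version_range` is ignored; the production change in the same commit, as far as the old and new sides of ghsa.go can be read from this page, also stops `break`-ing after the first open range and now appends the suffix to every open constraint, and no case here exercises an advisory with two open ranges. A fixture entry with two `introduced`-only ranges and one `last_known_affected_version_range`, expecting both `VulnerableVersions` entries to end in `, <3.5.3.1`, would lock that behaviour in. An entry whose `database_specific` object lacks the range field is also worth a case, so that an empty suffix is never written. The surrounding `TestVulnSrc_Update` table starts before and ends after this hunk.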
Expand Up @@ -33,6 +33,28 @@
"database_specific": {
"last_known_affected_version_range": "< 3.5.3.1"
}
},
{
"package": {
"ecosystem": "Maven",
"name": "com.baomidou:mybatis-plus-copy"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.0"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "< 3.5.3.1"
}
}
],
"references": [