From 43d8e8488fe9761b9e843cc7461b666488fdbc35 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Fri, 15 Mar 2024 11:23:01 +0600 Subject: [PATCH] refactor --- pkg/vulnsrc/ghsa/ghsa.go | 65 +++++++++---------- pkg/vulnsrc/ghsa/ghsa_test.go | 15 +++++ .../GHSA-32qq-m9fh-f74w.json | 22 +++++++ 3 files changed, 67 insertions(+), 35 deletions(-) diff --git a/pkg/vulnsrc/ghsa/ghsa.go b/pkg/vulnsrc/ghsa/ghsa.go index d5678ce6..50a56bca 100644 --- a/pkg/vulnsrc/ghsa/ghsa.go +++ b/pkg/vulnsrc/ghsa/ghsa.go @@ -3,7 +3,6 @@ package ghsa import ( "encoding/json" "fmt" - "github.com/samber/lo" "path/filepath" "strings" 
@@ -95,46 +94,42 @@ func (t *transformer) TransformAdvisories(advisories []osv.Advisory, entry osv.E return nil, xerrors.Errorf("JSON decode error: %w", err) } - for _, affected := range entry.Affected { - // Skip if `affected[].database_specific` field doesn't exist - if affected.DatabaseSpecific == nil { - continue - } + severity := convertSeverity(specific.Severity) + for i, adv := range advisories { + // Add version from `last_known_affected_version_range` field. + // cf. https://github.com/github/advisory-database/issues/470#issuecomment-1998604377 + for _, entryAffected := range entry.Affected { + // Skip if `affected[].database_specific` field doesn't exist + if entryAffected.DatabaseSpecific == nil { + continue + } - ecosystem := osv.ConvertEcosystem(affected.Package.Ecosystem) - if ecosystem == vulnerability.Unknown { - continue - } - pkgName := vulnerability.NormalizePkgName(ecosystem, affected.Package.Name) + var affectedSpecific DatabaseSpecific + if err := json.Unmarshal(entryAffected.DatabaseSpecific, &affectedSpecific); err != nil { + return nil, xerrors.Errorf("JSON decode error: %w", err) + } - var affectedSpecific DatabaseSpecific - if err := json.Unmarshal(affected.DatabaseSpecific, &affectedSpecific); err != nil { - return nil, xerrors.Errorf("JSON decode error: %w", err) - } + entryEcosystem := osv.ConvertEcosystem(entryAffected.Package.Ecosystem) + entryPkgName := vulnerability.NormalizePkgName(entryEcosystem, entryAffected.Package.Name) - // Add version from `last_known_affected_version_range` field - // cf. 
https://github.com/github/advisory-database/issues/470#issuecomment-1998604377 - advisories = lo.Map(advisories, func(adv osv.Advisory, _ int) osv.Advisory { - if adv.PkgName == pkgName && adv.Ecosystem == ecosystem { - for i, vulnVersion := range adv.VulnerableVersions { - // Skip next cases: - // - vulnerability version range is single version (`=` is used) - // - vulnerability version range already contains fixed/affected version (`<`/`<=` is used) - if !strings.Contains(vulnVersion, "<") && !strings.HasPrefix(vulnVersion, "=") { - // `last_known_affected_version_range` uses `< version` or `<= version` formats (e.g. `< 1.2.3` or `<= 1.2.3`). - // Remove space to fit our format. - affectedSpecific.LastKnownAffectedVersionRange = strings.ReplaceAll(affectedSpecific.LastKnownAffectedVersionRange, " ", "") - adv.VulnerableVersions[i] = fmt.Sprintf("%s, %s", vulnVersion, affectedSpecific.LastKnownAffectedVersionRange) - break - } + if adv.PkgName != entryPkgName || adv.Ecosystem != entryEcosystem { + continue + } + + for j, vulnVersion := range adv.VulnerableVersions { + // `fixed` and `last_affected` fields (`<`,`<=` or `=` is used) have high priority then `last_known_affected_version_range`. + if strings.Contains(vulnVersion, "<") || strings.HasPrefix(vulnVersion, "=") { + continue } + + // `last_known_affected_version_range` uses `< version` or `<= version` formats (e.g. `< 1.2.3` or `<= 1.2.3`). + // Remove space to fit our format. + affectedSpecific.LastKnownAffectedVersionRange = strings.ReplaceAll(affectedSpecific.LastKnownAffectedVersionRange, " ", "") + advisories[i].VulnerableVersions[j] = fmt.Sprintf("%s, %s", vulnVersion, affectedSpecific.LastKnownAffectedVersionRange) } - return adv - }) - } + } - severity := convertSeverity(specific.Severity) - for i, adv := range advisories { + // Fill severity from advisories[i].Severity = severity // Replace a git URL with a CocoaPods package name in a Swift vulnerability 
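Review bot: The new `for j, vulnVersion := range adv.VulnerableVersions` loop appends `affectedSpecific.LastKnownAffectedVersionRange` without checking that it is non-empty, so an `affected[].database_specific` object that has no `last_known_affected_version_range` key turns a range such as `>=0` into `>=0, ` — a malformed constraint that, depending on how the version matcher parses it, can silently drop a vulnerable range and produce a false negative. A guard before that loop, `if affectedSpecific.LastKnownAffectedVersionRange == "" { continue }`, avoids it, and the same check could reject values that do not start with `<`, since the `fmt.Sprintf` assumes that shape. The rewrite also drops the old `ecosystem == vulnerability.Unknown` skip; that is presumably harmless because an Unknown ecosystem will never equal `adv.Ecosystem`, but a short comment saying so would stop the next reader from re-adding it. Note that `json.Unmarshal` of each `entryAffected.DatabaseSpecific` now runs once per advisory inside the outer loop rather than once per affected entry; decoding every affected entry once before `for i, adv := range advisories` keeps the old cost. Finally, the comment `// Fill severity from` is left unfinished — something like `// Fill severity decoded from the entry-level database_specific (specific.Severity)` (confirm where `specific` is decoded, which is above this hunk) — and TransformAdvisories both starts before and continues past this hunk.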
diff --git a/pkg/vulnsrc/ghsa/ghsa_test.go b/pkg/vulnsrc/ghsa/ghsa_test.go
index 71508ca8..df0cbf32 100644
--- a/pkg/vulnsrc/ghsa/ghsa_test.go
+++ b/pkg/vulnsrc/ghsa/ghsa_test.go
@@ -98,6 +98,21 @@ func TestVulnSrc_Update(t *testing.T) {
 VulnerableVersions: []string{">=0, <3.5.3.1"},
 },
 },
+ {
+ Key: []string{
+ "advisory-detail",
+ "CVE-2023-25330",
+ "maven::GitHub Security Advisory Maven",
+ "com.baomidou:mybatis-plus-copy",
+ },
+ Value: types.Advisory{
+ VendorIDs: []string{
+ "GHSA-32qq-m9fh-f74w",
+ },
+ PatchedVersions: []string{"3.5.0"},
+ VulnerableVersions: []string{"<3.5.0"},
+ },
+ },
 {
 Key: []string{
 "vulnerability-detail",
diff --git a/pkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2023/04/GHSA-32qq-m9fh-f74w/GHSA-32qq-m9fh-f74w.json b/pkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2023/04/GHSA-32qq-m9fh-f74w/GHSA-32qq-m9fh-f74w.json
index e68ed8d8..75beaab5 100644
--- a/pkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2023/04/GHSA-32qq-m9fh-f74w/GHSA-32qq-m9fh-f74w.json
+++ b/pkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2023/04/GHSA-32qq-m9fh-f74w/GHSA-32qq-m9fh-f74w.json
@@ -33,6 +33,28 @@
 "database_specific": {
 "last_known_affected_version_range": "< 3.5.3.1"
 }
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "com.baomidou:mybatis-plus-copy"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.5.0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "< 3.5.3.1"
+ }
 }
 ],
 "references": [