refactor

Signed-off-by: knqyf263 <[email protected]>
aquasecurity · Apr 1, 2024 · 720537e · 720537e
1 parent 43d8e84
commit 720537e
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 34 deletions.
diff --git a/pkg/vulnsrc/ghsa/ghsa.go b/pkg/vulnsrc/ghsa/ghsa.go
@@ -96,40 +96,12 @@ func (t *transformer) TransformAdvisories(advisories []osv.Advisory, entry osv.E
 
 	severity := convertSeverity(specific.Severity)
 	for i, adv := range advisories {
-		// Add version from `last_known_affected_version_range` field.
-		// cf. https://github.com/github/advisory-database/issues/470#issuecomment-1998604377
-		for _, entryAffected := range entry.Affected {
-			// Skip if `affected[].database_specific` field doesn't exist
-			if entryAffected.DatabaseSpecific == nil {
-				continue
-			}
-
-			var affectedSpecific DatabaseSpecific
-			if err := json.Unmarshal(entryAffected.DatabaseSpecific, &affectedSpecific); err != nil {
-				return nil, xerrors.Errorf("JSON decode error: %w", err)
-			}
-
-			entryEcosystem := osv.ConvertEcosystem(entryAffected.Package.Ecosystem)
-			entryPkgName := vulnerability.NormalizePkgName(entryEcosystem, entryAffected.Package.Name)
-
-			if adv.PkgName != entryPkgName || adv.Ecosystem != entryEcosystem {
-				continue
-			}
-
-			for j, vulnVersion := range adv.VulnerableVersions {
-				// `fixed` and `last_affected` fields (`<`,`<=` or `=` is used) have high priority then `last_known_affected_version_range`.
-				if strings.Contains(vulnVersion, "<") || strings.HasPrefix(vulnVersion, "=") {
-					continue
-				}
-
-				// `last_known_affected_version_range` uses `< version` or `<= version` formats (e.g. `< 1.2.3` or `<= 1.2.3`).
-				// Remove space to fit our format.
-				affectedSpecific.LastKnownAffectedVersionRange = strings.ReplaceAll(affectedSpecific.LastKnownAffectedVersionRange, " ", "")
-				advisories[i].VulnerableVersions[j] = fmt.Sprintf("%s, %s", vulnVersion, affectedSpecific.LastKnownAffectedVersionRange)
-			}
+		// Parse database_specific
+		if err := parseDatabaseSpecific(adv); err != nil {
+			return nil, xerrors.Errorf("failed to parse database specific: %w", err)
 		}
 
-		// Fill severity from
+		// Fill severity from GHSA
 		advisories[i].Severity = severity
 
 		// Replace a git URL with a CocoaPods package name in a Swift vulnerability
@@ -147,6 +119,33 @@ func (t *transformer) TransformAdvisories(advisories []osv.Advisory, entry osv.E
 	return advisories, nil
 }
 
+// parseDatabaseSpecific adds a version from the last_known_affected_version_range field
+// cf. https://github.com/github/advisory-database/issues/470#issuecomment-1998604377
+func parseDatabaseSpecific(advisory osv.Advisory) error {
+	// Skip if the `affected[].database_specific` field doesn't exist
+	if advisory.DatabaseSpecific == nil {
+		return nil
+	}
+
+	var affectedSpecific DatabaseSpecific
+	if err := json.Unmarshal(advisory.DatabaseSpecific, &affectedSpecific); err != nil {
+		return xerrors.Errorf("JSON decode error: %w", err)
+	}
+
+	for i, vulnVersion := range advisory.VulnerableVersions {
+		// The fixed and last_affected fields (which use <, <=, or =) take precedence over
+		// the last_known_affected_version_range field.
+		if strings.Contains(vulnVersion, "<") || strings.HasPrefix(vulnVersion, "=") {
+			continue
+		}
+		// `last_known_affected_version_range` uses `< version` or `<= version` formats (e.g. `< 1.2.3` or `<= 1.2.3`).
+		// Remove spaces to match our format
+		verRange := strings.ReplaceAll(affectedSpecific.LastKnownAffectedVersionRange, " ", "")
+		advisory.VulnerableVersions[i] = fmt.Sprintf("%s, %s", vulnVersion, verRange)
+	}
+	return nil
+}
+
 func convertSeverity(severity string) types.Severity {
 	switch severity {
 	case "LOW":

diff --git a/pkg/vulnsrc/osv/osv.go b/pkg/vulnsrc/osv/osv.go
@@ -40,6 +40,9 @@ type Advisory struct {
 	References   []string
 	CVSSScoreV3  float64
 	CVSSVectorV3 string
+
+	// From affected[].database_specific
+	DatabaseSpecific json.RawMessage
 }
 
 type OSV struct {
@@ -212,7 +215,7 @@ func parseAffected(entry Entry, vulnIDs, aliases, references []string) ([]Adviso
 
 	uniqAdvisories := map[string]Advisory{}
 	for _, affected := range entry.Affected {
-		ecosystem := ConvertEcosystem(affected.Package.Ecosystem)
+		ecosystem := convertEcosystem(affected.Package.Ecosystem)
 		if ecosystem == vulnerability.Unknown {
 			continue
 		}
@@ -252,6 +255,7 @@ func parseAffected(entry Entry, vulnIDs, aliases, references []string) ([]Adviso
 					References:         references,
 					CVSSVectorV3:       cvssVectorV3,
 					CVSSScoreV3:        cvssScoreV3,
+					DatabaseSpecific:   affected.DatabaseSpecific,
 				}
 			}
 		}
@@ -334,7 +338,7 @@ func parseSeverity(severities []Severity) (string, float64, error) {
 	return "", 0, nil
 }
 
-func ConvertEcosystem(eco Ecosystem) types.Ecosystem {
+func convertEcosystem(eco Ecosystem) types.Ecosystem {
 	// cf. https://ossf.github.io/osv-schema/#affectedpackage-field
 	switch strings.ToLower(string(eco)) {
 	case "go":