
vulnfeeds: detect when version range has introduced > fixed

Open oliverchang opened this issue 4 years ago • 5 comments

For PyPI vulnfeeds, there are some cases of bad data in the form of:

introduced: 1.0
fixed: 1.0b4

Encoded like so, this means that everything after and including 1.0 is affected (because 1.0b4 comes before 1.0). This should instead be something like

introduced: 1.0a0
fixed: 1.0b4

We need to detect these cases in the vulnfeeds tool.

oliverchang, Sep 01 '21 08:09

Another potential case to flag: https://github.com/pypa/advisory-db/commit/b9996079edcc5585cd3a0828d4347d974f5f7ac6

oliverchang, Sep 17 '21 06:09

To help with prioritisation, does this code get used by anything currently?

andrewpollock, Oct 18 '22 01:10

Yes, this is used by the PyPI database for auto-ingestion.

oliverchang, Oct 24 '22 05:10

This is blocked on there being Go code to do Python version comparison

andrewpollock, Nov 07 '22 04:11

If we have that, then we'd add a check here: https://github.com/google/osv.dev/blob/85e7db46f2bea3fbfa4ea939e0f123ff5ec1a36a/vulnfeeds/cves/versions.go#L224, and append a note if we detect that introduced > fixed.

oliverchang, Nov 07 '22 05:11
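As an added example (not code from the osv.dev project or from anyone in this thread), here is what the check described in the opening post and in the last comment could look like in Go: a small PEP 440 comparator plus a `checkRange` function that returns a note whenever `introduced` sorts after `fixed`. The function names, the regular expression and the sample pairs in `main` are mine and are constructed for illustration. The comparator covers only release segments, `a`/`b`/`rc` pre-releases, `.postN` and `.devN`; epochs, local versions and alternate spellings such as `alpha` or `c` are deliberately rejected with an error rather than silently mis-ordered.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strconv"
	"strings"
)

// pep440 is the subset of PEP 440 this example handles: release segments, an optional
// a/b/rc pre-release, optional .postN and optional .devN. Epochs, local versions and
// alternate spellings (alpha, beta, c, -pre, ...) are deliberately not supported.
type pep440 struct {
	release                    []int
	preKind, preNum, post, dev int // preKind: 0=a, 1=b, 2=rc
	hasPre, hasPost, hasDev    bool
}

// Matches e.g. 1.0, 1.0b4, 2.3.1rc2, 1.0.post3, 1.0a1.dev7 (input is lower-cased first).
var versionRe = regexp.MustCompile(`^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?(?:\.post(\d+))?(?:\.dev(\d+))?$`)

func atoi(s string) int { n, _ := strconv.Atoi(s); return n } // regexp guarantees digits or ""

func parsePEP440(s string) (pep440, error) {
	m := versionRe.FindStringSubmatch(strings.ToLower(strings.TrimSpace(s)))
	if m == nil {
		return pep440{}, fmt.Errorf("unsupported version syntax %q", s)
	}
	v := pep440{hasPre: m[2] != "", hasPost: m[4] != "", hasDev: m[5] != ""}
	for _, seg := range strings.Split(m[1], ".") {
		v.release = append(v.release, atoi(seg))
	}
	v.preKind = map[string]int{"a": 0, "b": 1, "rc": 2}[m[2]]
	v.preNum, v.post, v.dev = atoi(m[3]), atoi(m[4]), atoi(m[5])
	return v, nil
}

// sortKey flattens a version into integers that compare lexicographically in PEP 440
// order: X.devN < X.aN < X.bN < X.rcN < X < X.postN. The release is padded with zeros
// to width n so that 1.0 and 1.0.0 compare equal.
func (v pep440) sortKey(n int) []int {
	key := append([]int{}, v.release...)
	for len(key) < n {
		key = append(key, 0)
	}
	switch {
	case v.hasPre:
		key = append(key, v.preKind, v.preNum)
	case v.hasDev && !v.hasPost:
		key = append(key, -1, 0) // a bare .devN sorts before any pre-release
	default:
		key = append(key, 3, 0) // a final or post release sorts after every pre-release
	}
	post, dev := -1, math.MaxInt32 // absent post sorts first, absent dev sorts last
	if v.hasPost {
		post = v.post
	}
	if v.hasDev {
		dev = v.dev
	}
	return append(key, post, dev)
}

// cmpVersions returns -1, 0 or 1 for a < b, a == b, a > b under PEP 440 ordering.
func cmpVersions(a, b string) (int, error) {
	va, err := parsePEP440(a)
	if err != nil {
		return 0, err
	}
	vb, err := parsePEP440(b)
	if err != nil {
		return 0, err
	}
	n := len(va.release)
	if len(vb.release) > n {
		n = len(vb.release)
	}
	ka, kb := va.sortKey(n), vb.sortKey(n)
	for i := range ka {
		if ka[i] < kb[i] {
			return -1, nil
		}
		if ka[i] > kb[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// checkRange returns a note when "introduced" sorts after "fixed", which would mark every
// release from "introduced" onward as affected (the 1.0 / 1.0b4 case from the issue), or ""
// when the pair is ordered as expected. Unparsable input is an error, not a guess.
func checkRange(introduced, fixed string) (string, error) {
	c, err := cmpVersions(introduced, fixed)
	if err != nil || c <= 0 {
		return "", err
	}
	return fmt.Sprintf("introduced %s sorts after fixed %s under PEP 440; range is unbounded", introduced, fixed), nil
}

func main() {
	// Constructed introduced/fixed pairs modelled on the issue; not real advisory data.
	for _, r := range [][2]string{{"1.0", "1.0b4"}, {"1.0a0", "1.0b4"}, {"1.0.dev3", "1.0a1"}, {"2.1", "2.1.0"}} {
		note, err := checkRange(r[0], r[1])
		fmt.Printf("%s -> %s: note=%q err=%v\n", r[0], r[1], note, err)
	}
}
```

The design choice worth keeping if something like this lands in the ingestion path is the error on unsupported syntax: a comparator that quietly falls back to string ordering would flag nothing for `1.0` versus `1.0b4` and would also miss the real issue, so an unparsable version should surface as its own note rather than pass silently.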