osv: account for event objects that have multiple streams #1428
f1e69c0 to d9b0770
It was discovered that some OSV documents can order minor releases in the same affected.ranges object. This meant that it only ever counted the last range in a vulnerability. This change gathers range information for the affected product and creates a vulnerability per range.

Signed-off-by: crozzy <[email protected]>
d9b0770 to 6fea4d4
Example ranges from an OSV document.

```json
"ranges": [
  {
    "type": "SEMVER",
    "events": [
      {
        "introduced": "0"
      },
      {
        "fixed": "1.21.12"
      },
      {
        "introduced": "1.22.0-0"
      },
      {
        "fixed": "1.22.5"
      }
    ]
  }
],
```
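The pairing the PR relies on, written out as a stand-alone Go example (added here, not claircore's own code): every `introduced` event opens a new half-open range and the following `fixed` closes it, so the two pairs above yield two ranges instead of one. `Event`, `VersionRange`, `SplitRanges` and `ParseEvents` are this example's own names, and `SampleEvents` is a constructed copy of the JSON quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event mirrors one entry of an OSV "events" array (only the keys used here).
type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}
// VersionRange is half-open [Lower, Upper): empty Lower is -Inf (OSV "0"), empty Upper means unfixed.
type VersionRange struct{ Lower, Upper string }

// SplitRanges returns one VersionRange per introduced/fixed pair instead of
// keeping only the last pair. A "fixed" with no open range, or an event with
// neither key, breaks the pairing assumption and is rejected, not merged.
func SplitRanges(events []Event) ([]VersionRange, error) {
	var out []VersionRange
	open := false
	for i, ev := range events {
		switch {
		case ev.Introduced != "":
			lower := ev.Introduced
			if lower == "0" { // -Inf in OSV terms
				lower = ""
			}
			out = append(out, VersionRange{Lower: lower})
			open = true
		case ev.Fixed != "":
			if !open {
				return nil, fmt.Errorf("event %d: fixed %q with no open range", i, ev.Fixed)
			}
			out[len(out)-1].Upper = ev.Fixed
			open = false
		default:
			return nil, fmt.Errorf("event %d: neither introduced nor fixed", i)
		}
	}
	return out, nil
}
// ParseEvents decodes an OSV "events" JSON array.
func ParseEvents(raw string) ([]Event, error) {
	var evs []Event
	err := json.Unmarshal([]byte(raw), &evs)
	return evs, err
}
// SampleEvents is a constructed copy of the two-range example quoted above.
const SampleEvents = `[{"introduced":"0"},{"fixed":"1.21.12"},{"introduced":"1.22.0-0"},{"fixed":"1.22.5"}]`
```

An `introduced` that is never closed stays open with an empty Upper, which is how an unfixed range is represented here.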
case ev.Introduced == "0": // -Inf | ||
v.Range.Lower.Kind = `semver` | ||
case ev.Introduced != "" && seenIntroduced: | ||
vs = &rangeVer{rng: &claircore.Range{}} |
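Review bot: the `case ev.Introduced == "0"` arm is matched before `case ev.Introduced != "" && seenIntroduced`, so an `introduced: "0"` event that arrives after a `fixed` would set `v.Range.Lower.Kind` on the current range rather than start a new one; if `"0"` can only ever be the first event, state that next to the `// -Inf` comment, otherwise apply the `seenIntroduced` check in that arm as well.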
If we are assuming it's well-formed (introduced, fixed, introduced, fixed, etc.), then I think we can just do `vs = &rangeVer{rng: &claircore.Range{}}` unconditionally within `case ev.Introduced` and don't need the `if ie == len(r.Events)-1` below. What do you think?
@@ -554,24 +558,40 @@ func (e *ecs) Insert(ctx context.Context, skipped *stats, name string, a *adviso | |||
} | |||
// This does some heavy assumptions about valid inputs. | |||
ranges := make(url.Values) |
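Review bot: `// This does some heavy assumptions about valid inputs.` should read "makes", and it should name the assumptions, since the commit message says real OSV documents already broke the previous one (only the last range was counted); spelling out what shape of `ranges` this code expects, for instance whether events must alternate introduced/fixed, lets the next unexpected document fail a check instead of producing a miscounted vulnerability.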
Does this need the same kind of treatment?