diff --git a/gcp/workers/importer/importer.py b/gcp/workers/importer/importer.py index d7a57d1a1d8..afaf6e927b8 100755 --- a/gcp/workers/importer/importer.py +++ b/gcp/workers/importer/importer.py @@ -176,22 +176,6 @@ def _git_callbacks(self, source_repo): self._ssh_key_public_path, self._ssh_key_private_path) - def _request_analysis(self, bug, source_repo, repo): - """Request analysis.""" - if bug.source_of_truth == osv.SourceOfTruth.SOURCE_REPO: - path = osv.source_path(source_repo, bug) - file_path = os.path.join(osv.repo_path(repo), path) - if not os.path.exists(file_path): - logging.info( - 'Skipping analysis for %s as the source file no longer exists.', - path) - return - - original_sha256 = osv.sha256(file_path) - self._request_analysis_external(source_repo, original_sha256, path) - else: - self._request_internal_analysis(bug) - def _request_analysis_external(self, source_repo, original_sha256, @@ -229,7 +213,7 @@ def _request_internal_analysis(self, bug): req_timestamp=str(int(time.time()))) def _infer_id_from_invalid_data(self, name: str, content: bytes) -> str: - """Best effort infer the bug ID for data that failed to parse. + """Best effort infer the vulnerability ID for data that failed to parse. First try and extract something that looks like an "id" field, and failing that, try to infer from the filename. 
@@ -315,84 +299,6 @@ def checkout(self, source_repo): git_callbacks=self._git_callbacks(source_repo), branch=source_repo.repo_branch) - def import_new_oss_fuzz_entries(self, repo, oss_fuzz_source): - """Import new entries.""" - exported = [] - for bug in osv.Bug.query( - osv.Bug.source_of_truth == osv.SourceOfTruth.INTERNAL): - if bug.status != osv.BugStatus.PROCESSED: - continue - - if not bug.public: - continue - - # We don't index this as INTERNAL generally implies OSS-Fuzz anyway (at - # time of writing). - source_name, _ = osv.parse_source_id(bug.source_id) - if source_name != oss_fuzz_source.name: - continue - - vulnerability_path = os.path.join( - osv.repo_path(repo), osv.source_path(oss_fuzz_source, bug)) - os.makedirs(os.path.dirname(vulnerability_path), exist_ok=True) - if os.path.exists(vulnerability_path): - continue - - logging.info('Writing %s', bug.key.id()) - osv.write_vulnerability(bug.to_vulnerability(), vulnerability_path) - # The source of truth is now this yaml file. - bug.source_of_truth = osv.SourceOfTruth.SOURCE_REPO - exported.append(bug) - - # Commit Vulnerability changes back to the oss-fuzz source repository. 
- repo.index.add_all() - diff = repo.index.diff_to_tree(repo.head.peel().tree) - if not diff: - logging.info('No new entries, skipping committing.') - return - - logging.info('Committing and pushing new entries') - if osv.push_source_changes(repo, 'Import from OSS-Fuzz', - self._git_callbacks(oss_fuzz_source)): - ndb.put_multi(exported) - - def schedule_regular_updates(self, repo, source_repo: osv.SourceRepository): - """Schedule regular updates.""" - aest_time_now = aestnow() - - if (source_repo.last_update_date and - # OSV devs are mostly located in australia, - # so only schedule update near midnight sydney time - source_repo.last_update_date.date() >= aest_time_now.date()): - return - - for bug in osv.Bug.query( - osv.Bug.status == osv.BugStatus.PROCESSED, - osv.Bug.is_fixed == False, # pylint: disable=singleton-comparison - osv.Bug.source == source_repo.name): - self._request_analysis(bug, source_repo, repo) - - # yapf: disable - # Perform a re-analysis on existing oss-fuzz bugs for a period of time, - # more vulnerable releases might be made even though fixes have - # already been merged into master/main - cutoff_time = aest_time_now - datetime.timedelta(days=_BUG_REDO_DAYS) - query = osv.Bug.query(osv.Bug.status == osv.BugStatus.PROCESSED, - osv.Bug.source == source_repo.name, - osv.Bug.timestamp >= cutoff_time) - # yapf: enable - - for bug in query: - logging.info('Re-requesting impact for %s.', bug.key.id()) - if not bug.is_fixed: - # Previous query already requested impact tasks for unfixed bugs. - continue - - self._request_analysis(bug, source_repo, repo) - - source_repo.last_update_date = aest_time_now - source_repo.put() - def _vuln_ids_from_gcs_blob(self, client: storage.Client, source_repo: osv.SourceRepository, blob: storage.Blob) -> Optional[Tuple[str]]: 
@@ -524,10 +430,10 @@ def _convert_blob_to_vuln( # This is the typical execution path (when reimporting not triggered) with ndb_ctx: for vuln in vulns: - bug = osv.Bug.get_by_id(vuln.id) - # The bug already exists and has been modified since last import - if (bug is None or - bug.import_last_modified != vuln.modified.ToDatetime(datetime.UTC)): + v = osv.Vulnerability.get_by_id(vuln.id) + # The vuln already exists and has been modified since last import + if (v is None or + v.modified_raw != vuln.modified.ToDatetime(datetime.UTC)): return blob_hash, blob.name, blob.updated, vulns return None @@ -633,9 +539,9 @@ def _process_updates_git(self, source_repo: osv.SourceRepository): logging.error('Failed to parse %s: %s', changed_entry, str(e)) with open(path, "rb") as f: content = f.read() - bug_id = self._infer_id_from_invalid_data( + vuln_id = self._infer_id_from_invalid_data( os.path.basename(path), content) - self._record_quality_finding(source_repo.name, bug_id) + self._record_quality_finding(source_repo.name, vuln_id) # Don't include error stack trace as that might leak sensitive info import_failure_logs.append('Failed to parse vulnerability "' + path + '"') @@ -728,9 +634,9 @@ def _process_updates_bucket(self, source_repo: osv.SourceRepository): logging.error('Failed to parse vulnerability %s: %s', blob.name, e) # TODO(apollock): log finding here # This feels gross to redownload it again. - bug_id = self._infer_id_from_invalid_data(blob.name, - blob.download_as_bytes()) - self._record_quality_finding(source_repo.name, bug_id) + vuln_id = self._infer_id_from_invalid_data(blob.name, + blob.download_as_bytes()) + self._record_quality_finding(source_repo.name, vuln_id) import_failure_logs.append( 'Failed to parse vulnerability (when considering for import) "' + blob.name + '"') 
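Review bot: The renamed comment `# The vuln already exists and has been modified since last import` describes only half of the condition beneath it; `v is None` also takes the early return, so a reader skimming the comment misses the "not yet imported" case. Suggest `# Import if the vuln is new, or if it has changed since the last import.` The comparison also depends silently on `modified_raw` being timezone-aware: Python's `!=` between a naive and an aware datetime returns True without raising, so if the new property is stored naive this branch would fire for every blob and reimport everything on each run — worth confirming against the `osv.Vulnerability` model, which is outside this hunk. `_convert_blob_to_vuln` starts and ends outside the hunk.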
@@ -763,10 +669,10 @@ def _process_deletions_bucket(self, threshold: float = 10.0): """Process deletions from a GCS bucket source. - This validates the continued existence of every Bug in Datastore (for the - given source) against every bug currently in that source's GCS bucket, - calculating the delta. The bugs determined to have been - deleted from GCS are then flagged for treatment by the worker. + This validates the continued existence of every Vulnerability in Datastore + (for the given source) against every vulnerability currently in that + source's GCS bucket, calculating the delta. The vulnerabilities determined + to have been deleted from GCS are then flagged for treatment by the worker. If the delta is too large, something undesirable has been assumed to have happened and further processing is aborted. 
@@ -778,22 +684,24 @@ def _process_deletions_bucket(self, logging.info('Begin processing bucket for deletions: %s', source_repo.name) - # Get all the existing non-withdrawn Bug IDs for + # Get all the existing non-withdrawn Vulnerability IDs for # source_repo.name in Datastore - query = osv.Bug.query() - query = query.filter(osv.Bug.source == source_repo.name) + query = osv.Vulnerability.query() + # everything with source_id starting with 'name:' + query = query.filter(osv.Vulnerability.source_id > source_repo.name + ':', + osv.Vulnerability.source_id < source_repo.name + ';') result = list(query.fetch(keys_only=False)) - result.sort(key=lambda r: r.id()) + result.sort(key=lambda r: r.key.id()) VulnAndSource = namedtuple('VulnAndSource', ['id', 'path']) logging.info('Retrieved %s results from query', len(result)) vuln_ids_for_source = [ - VulnAndSource(id=r.id(), path=r.source_id.partition(':')[2]) + VulnAndSource(id=r.key.id(), path=r.source_id.partition(':')[2]) for r in result - if not r.withdrawn + if not r.is_withdrawn ] logging.info( - 'Counted %d Bugs for %s in Datastore', + 'Counted %d Vulnerabilities for %s in Datastore', len(vuln_ids_for_source), source_repo.name, extra={ @@ -854,11 +762,13 @@ def _process_deletions_bucket(self, v for v in vuln_ids_for_source if v.id not in vuln_ids_in_gcs ] - logging.info('%d Bugs in Datastore considered deleted from GCS for %s', - len(vulns_to_delete), source_repo.name) + logging.info( + '%d Vulnerabilities in Datastore considered deleted from GCS for %s', + len(vulns_to_delete), source_repo.name) if len(vulns_to_delete) == 0: - logging.info('No bugs to delete from GCS for %s', source_repo.name) + logging.info('No vulnerabilities to delete from GCS for %s', + source_repo.name) replace_importer_log(storage_client, source_repo.name, self._public_log_bucket, import_failure_logs) return 
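Review bot: The prefix filter `source_id > source_repo.name + ':'` / `source_id < source_repo.name + ';'` is correct only because `';'` is the code point immediately after `':'`, and the new comment `# everything with source_id starting with 'name:'` does not record that dependency; the identical lines appear again in the `_process_deletions_rest` hunk (`@@ -1036,22 +947,24 @@`). Suggest pulling the query, sort and `VulnAndSource` build into one helper (e.g. `_vuln_ids_for_source(source_repo)`) used by both deletion paths, with the bound commented as `# ';' is the next code point after ':', so this half-open range is a prefix match on 'name:'`. Note the lower bound is strict, so an entity whose `source_id` is exactly `name + ':'` (empty path) falls outside the range and would never be flagged for deletion; if such entries can exist, `>=` is the intended bound. `_process_deletions_bucket` starts and ends outside the hunk.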
@@ -985,10 +895,10 @@ def _process_updates_rest(self, source_repo: osv.SourceRepository): except Exception as e: logging.error('Failed to parse %s: %s', str(single_vuln.content), str(e)) - bug_id = self._infer_id_from_invalid_data( + vuln_id = self._infer_id_from_invalid_data( source_repo.link + vuln.id + source_repo.extension, single_vuln.content) - self._record_quality_finding(source_repo.name, bug_id) + self._record_quality_finding(source_repo.name, vuln_id) continue ts = None if ignore_last_import else vuln_modified @@ -1025,10 +935,11 @@ def _process_deletions_rest(self, threshold: float = 10.0): """Process deletions from a REST bucket source. - This validates the continued existence of every Bug in Datastore (for the - given source) against every bug currently in that source's REST API, - calculating the delta. The bugs determined to have been - deleted from the REST API are then flagged for treatment by the worker. + This validates the continued existence of every Vulnerability in Datastore + (for the given source) against every vulnerability currently in that + source's REST API, calculating the delta. The vulnerabilities determined + to have been deleted from the REST API are then flagged for treatment by + the worker. If the number of deletions exceeds the safety threshold (default 10%), the operation is aborted unless ignore_deletion_threshold is set on the 
@@ -1036,22 +947,24 @@ def _process_deletions_rest(self, """ logging.info('Begin processing REST for deletions: %s', source_repo.name) - # Get all the existing non-withdrawn Bug IDs for + # Get all the existing non-withdrawn Vulnerability IDs for # source_repo.name in Datastore - query = osv.Bug.query() - query = query.filter(osv.Bug.source == source_repo.name) + query = osv.Vulnerability.query() + # everything with source_id starting with 'name:' + query = query.filter(osv.Vulnerability.source_id > source_repo.name + ':', + osv.Vulnerability.source_id < source_repo.name + ';') result = list(query.fetch(keys_only=False)) - result.sort(key=lambda r: r.id()) + result.sort(key=lambda r: r.key.id()) VulnAndSource = namedtuple('VulnAndSource', ['id', 'path']) logging.info('Retrieved %s results from query', len(result)) vuln_ids_for_source = [ - VulnAndSource(id=r.id(), path=r.source_id.partition(':')[2]) + VulnAndSource(id=r.key.id(), path=r.source_id.partition(':')[2]) for r in result - if not r.withdrawn + if not r.is_withdrawn ] logging.info( - 'Counted %d Bugs for %s in Datastore', + 'Counted %d Vulnerabilities for %s in Datastore', len(vuln_ids_for_source), source_repo.name, extra={ @@ -1097,11 +1010,13 @@ def _process_deletions_rest(self, v for v in vuln_ids_for_source if v.id not in vuln_ids_in_rest ] - logging.info('%d Bugs in Datastore considered deleted from REST for %s', - len(vulns_to_delete), source_repo.name) + logging.info( + '%d Vulnerabilities in Datastore considered deleted from REST for %s', + len(vulns_to_delete), source_repo.name) if len(vulns_to_delete) == 0: - logging.info('No bugs to delete from REST for %s', source_repo.name) + logging.info('No vulnerabilities to delete from REST for %s', + source_repo.name) return # sanity check: deleting a lot/all of the records for source in Datastore is 
@@ -1168,50 +1083,6 @@ def process_deletions(self, source_repo: osv.SourceRepository): logging.error('Invalid repo type: %s - %d', source_repo.name, source_repo.type) - def process_oss_fuzz(self, oss_fuzz_source): - """Process OSS-Fuzz source data.""" - # Export OSS-Fuzz Vulnerability data into source repository. - # OSS-Fuzz data is first imported via a special Pub/Sub pipeline into OSV. - # This data needs to be dumped into a publicly accessible/editable place for - # manual/human editing if required. - # - # This then becomes the source of truth where any edits are imported back - # into OSV. - repo = self.checkout(oss_fuzz_source) - self.schedule_regular_updates(repo, oss_fuzz_source) - self.import_new_oss_fuzz_entries(repo, oss_fuzz_source) - self.export_oss_fuzz_to_bucket() - - def export_oss_fuzz_to_bucket(self): - """Export OSS-Fuzz vulns to bucket.""" - storage_client = storage.Client() - bucket = storage_client.get_bucket(self._oss_fuzz_export_bucket) - - def export_oss_fuzz(vulnerability, testcase_id, issue_id): - """Export a single vulnerability.""" - try: - blob = bucket.blob(f'testcase/{testcase_id}.json') - data = json.dumps(osv.vulnerability_to_dict(vulnerability)) - blob.upload_from_string(data, retry=retry.DEFAULT_RETRY) - - if not issue_id: - return - - blob = bucket.blob(f'issue/{issue_id}.json') - blob.upload_from_string(data, retry=retry.DEFAULT_RETRY) - except Exception as e: - logging.error('Failed to export: %s', e) - - with concurrent.futures.ThreadPoolExecutor( - max_workers=_EXPORT_WORKERS) as executor: - for bug in osv.Bug.query(osv.Bug.ecosystem == 'OSS-Fuzz'): - if not bug.public: - continue - - _, source_id = osv.parse_source_id(bug.source_id) - executor.submit(export_oss_fuzz, bug.to_vulnerability(), source_id, - bug.issue_id) - def preprocess_vuln(vuln: vulnerability_pb2.Vulnerability): """Do preprocessing steps on vulnerability that the worker does.""" 
@@ -1360,6 +1231,7 @@ def put_if_newer_batch( """ # TODO(michaelkedar): Putting so many records is causing slowdowns on the # importer, need to reconsider the approach. + # TODO(michaelkedar): This code is still using old Bug entities. return # pylint: disable=unreachable if not vulns_and_paths: diff --git a/gcp/workers/importer/importer_test.py b/gcp/workers/importer/importer_test.py index fc2197d8c55..ca50cee6c76 100644 --- a/gcp/workers/importer/importer_test.py +++ b/gcp/workers/importer/importer_test.py 
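Review bot: The added TODO sits below an unconditional `return`, so `put_if_newer_batch` is currently a no-op while its docstring (closed by the `"""` at the top of the hunk, body outside it) still reads as though it persists records, and callers in the import paths get no signal that nothing is written. Suggest a leading docstring line such as `NOTE: currently disabled - returns before writing anything; see TODOs below.` so the dead path is visible where the function is documented rather than only inside its body. Keeping the Bug-entity code unreachable rather than deleting it is a judgement call; the `# pylint: disable=unreachable` at least makes that intent explicit.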
@@ -119,45 +119,6 @@ def test_nop(self, mock_publish: mock.MagicMock): mock_publish.assert_not_called() - @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') - def test_scheduled_updates_already_done(self, mock_publish): # pylint: disable=unused-argument - """Scheduled updates already done.""" - # TODO(michaelkedar): This test doesn't check anything - self.skipTest("Not Implemented") - source_repo = osv.SourceRepository.get_by_id('oss-fuzz') - source_repo.last_update_date = importer.utcnow() - source_repo.put() - - self.mock_repo.add_file('proj/OSV-2021-1337.yaml', _MIN_VALID_VULNERABILITY) - self.mock_repo.commit('OSV', 'infra@osv.dev') - osv.Bug( - db_id='OSV-2021-1337', - project=['proj'], - fixed='', - status=1, - source_id='oss-fuzz:123', - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - timestamp=datetime.datetime( - 2020, 1, 1, 0, 0, 0, 0, tzinfo=datetime.UTC)).put() - - imp = importer.Importer('fake_public_key', 'fake_private_key', self.tmp_dir, - importer.DEFAULT_PUBLIC_LOGGING_BUCKET, 'bucket', - True, False) - imp.run() - - @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') - def test_no_updates(self, mock_publish): # pylint: disable=unused-argument - """Test no update marker.""" - # TODO(michaelkedar): This test doesn't check anything - self.skipTest("Not Implemented") - self.mock_repo.add_file('2021-111.yaml', _MIN_VALID_VULNERABILITY) - self.mock_repo.commit('User', 'user@email', 'message. OSV-NO-UPDATE') - - imp = importer.Importer('fake_public_key', 'fake_private_key', self.tmp_dir, - importer.DEFAULT_PUBLIC_LOGGING_BUCKET, 'bucket', - True, False) - imp.run() - @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') def test_ignore(self, mock_publish): # pylint: disable=unused-argument """Test ignoring.""" diff --git a/gcp/workers/mock_test/rest_test.json b/gcp/workers/mock_test/rest_test.json index ed751f8290e..a01a19febbd 100644 --- a/gcp/workers/mock_test/rest_test.json +++ b/gcp/workers/mock_test/rest_test.json 
@@ -3384,259 +3384,5 @@ } ], "details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the subsequent\n`POST` request.\n\nThe problem exists in the logic for a reused handle when it is changed from a\nPUT to a POST." - }, -{ - "schema_version": "1.6.7", - "id": "RHSA-2018:3140", - "related": [ - "CVE-2015-9381", - "CVE-2015-9382", - "CVE-2017-2862", - "CVE-2017-18267", - "CVE-2018-4121", - "CVE-2018-4200", - "CVE-2018-4204", - "CVE-2018-10733", - "CVE-2018-10767", - "CVE-2018-10768", - "CVE-2018-11712", - "CVE-2018-11713", - "CVE-2018-12910", - "CVE-2018-13988", - "CVE-2018-14036" - ], - "published": "2024-09-16T01:35:05Z", - "modified": "2024-09-16T01:35:05Z", - "summary": "Red Hat Security Advisory: GNOME security, bug fix, and enhancement update", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - { - "package": { - "name": "PackageKit", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-command-not-found", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-command-not-found" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-cron", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-cron" - }, - 
"ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-debuginfo", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-debuginfo" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-glib", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-glib" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-glib-devel", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-glib-devel" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-gstreamer-plugin", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-gstreamer-plugin" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-gtk3-module", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-gtk3-module" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-yum", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-yum" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-yum-plugin", - "ecosystem": "Red 
Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-yum-plugin" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13988" - }, - { - "type": "REPORT", - "url": "https://access.redhat.com/security/cve/CVE-2018-14036" - }, - { - "type": "REPORT", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601019" - }, - { - "type": "ADVISORY", - "url": "https://www.cve.org/CVERecord?id=CVE-2018-14036" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14036" } - ] -} ] diff --git a/gcp/workers/oss_fuzz_worker/testdata b/gcp/workers/oss_fuzz_worker/testdata deleted file mode 120000 index ded9b9ecca7..00000000000 --- a/gcp/workers/oss_fuzz_worker/testdata +++ /dev/null @@ -1 +0,0 @@ -../worker/testdata/ \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json b/gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json new file mode 100644 index 00000000000..3fc80cd9564 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json 
@@ -0,0 +1,138 @@ +{ + "id": "CVE-2022-27449", + "details": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.", + "affected": [ + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.12", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.4.25-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.13", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.5.16-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.14", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.5.16-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.15", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.6.8-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.16", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.6.8-r0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "EVIDENCE", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "REPORT", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "FIX", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "WEB", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "ADVISORY", + "url": "https://security.netapp.com/advisory/ntap-20220526-0006/" + }, + { + "type": "ARTICLE", + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + }, + { + "type": "WEB", + "url": 
"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + } + ], + "modified": "2022-10-07T18:59:00Z", + "published": "2022-04-14T13:15:00Z" +} diff --git a/gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json b/gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json new file mode 100644 index 00000000000..1b732107b57 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json @@ -0,0 +1,37 @@ +{ + "id": "DSA-3029-1", + "summary": "nginx - security update", + "affected": [ + { + "package": { + "ecosystem": "Debian:7", + "name": "nginx" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.2.1-2.2+wheezy3" + } + ] + } + ] + } + ], + "aliases": [ + "CVE-2014-3616" + ], + "published": "2014-09-20T00:00:00Z", + "modified": "2014-09-20T08:18:07Z", + "details": "\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was\npossible to reuse cached SSL sessions in unrelated contexts, allowing\nvirtual host confusion attacks in some configurations by an attacker in\na privileged network position.\n\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.1-2.2+wheezy3.\n\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 1.6.2-1.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.6.2-1.\n\n\nWe recommend that you upgrade your nginx packages.\n\n\n", + "references": [ + { + "type": "ADVISORY", + "url": "https://www.debian.org/security/2014/dsa-3029" + } + ] +} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json b/gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json new file mode 100644 index 00000000000..13e8570e573 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json 
@@ -0,0 +1,61 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-838r-hvwh-24h8", + "modified": "2021-09-24T13:10:05Z", + "published": "2021-09-13T20:06:31Z", + "aliases": [ + "CVE-2021-38555" + ], + "summary": "XML Injection in Any23", + "details": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.any23:apache-any23" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38555" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/any23" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-611" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2021-09-13T19:31:01Z", + "nvd_published_at": "2021-09-11T11:15:00Z" + } +} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml new file mode 100644 index 00000000000..ae7ed14ddec --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml 
@@ -0,0 +1,19 @@ +id: GSD-123 +summary: A vulnerability +details: | + Blah blah blah + Blah +modified: 2022-10-07T18:59:00Z +references: +- type: WEB + url: https://ref.com/ref +affected: +- package: + name: Kernel + ecosystem: Linux + ranges: + - type: GIT + repo: https://osv-test/repo/url + events: + - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd + - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735 diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt new file mode 100644 index 00000000000..709e2d6633b --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt 
@@ -0,0 +1,64 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt new file mode 100644 index 00000000000..c6d4f3f9a6b --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt 
@@ -0,0 +1,62 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2', '1'], + 'affected_packages': [ { 'database_specific': { 'fixed_range': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:b587c21c36a84e16cfc6b39eb68578d43b5281ad'}, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': 'b587c21c36a84e16cfc6b39eb68578d43b5281ad'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch-v0.1.1-with-fix', + 'branch_1_cherrypick_regress', + 'v0.1.1', + 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:b587c21c36a84e16cfc6b39eb68578d43b5281ad', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end 
of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt
new file mode 100644
index 00000000000..e40014229ae
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt
@@ -0,0 +1,62 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch-v0.1.1-with-fix', + 'branch_1_cherrypick_regress', + 'v0.1.1', + 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': False, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt
new file mode 100644
index 00000000000..301b29f89b8
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt
@@ -0,0 +1,62 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2', '1'], + 'affected_packages': [ { 'database_specific': { 'fixed_range': 'b1c95a196f22d06fcf80df8c6691cd113d8fefff:36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2'}, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch-v0.1.1-with-fix', + 'branch_1_cherrypick_regress', + 'v0.1.1', + 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': 'b1c95a196f22d06fcf80df8c6691cd113d8fefff:36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end 
of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt
new file mode 100644
index 00000000000..709e2d6633b
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt
@@ -0,0 +1,64 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt
new file mode 100644
index 00000000000..a81cf737422
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt
@@ -0,0 +1,60 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': { 'introduced_range': 'unknown:eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'unknown:eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/worker/testdata/LINUX-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/LINUX-123.yaml
similarity index 100%
rename from gcp/workers/worker/testdata/LINUX-123.yaml
rename to gcp/workers/oss_fuzz_worker/testdata/LINUX-123.yaml
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml
new file mode 100644
index 00000000000..0d93ff864ce
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml
@@ -0,0 +1,30 @@
+id: OSV-123
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+severity:
+- type: CVSS_V3
+ score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+credits:
+- name: Foo bar
+ contact:
+ - mailto:foo@bar.com
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+database_specific:
+ specific: 1337
+modified: '2020-01-01T00:00:00Z'
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml
new file mode 100644
index 00000000000..4d2eedef66a
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml
@@ -0,0 +1,20 @@
+id: OSV-124
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ versions:
+ - branch-v0.1.1
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml
new file mode 100644
index 00000000000..1d10d5409df
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml
@@ -0,0 +1,28 @@
+id: OSV-125
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+severity:
+- type: CVSS_V3
+ score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98
+ - introduced: febfac1940086bc1f6d3dc33fda0a1d1ba336209
+ versions:
+ - branch-v0.1.1
+ - branch_1_cherrypick_regress
+ - v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml
new file mode 100644
index 00000000000..a8ae7ed1e32
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml
@@ -0,0 +1,21 @@
+id: OSV-126
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml
new file mode 100644
index 00000000000..a1a76f16f4f
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml
@@ -0,0 +1,21 @@
+id: OSV-127
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ versions:
+ - branch-v0.1.1
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: '0'
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml
new file mode 100644
index 00000000000..9b928c1f457
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml
@@ -0,0 +1,25 @@
+id: OSV-128
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: grpcio
+ ecosystem: PyPI
+ versions:
+ - branch-v0.1.1
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: '0'
+ - limit: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.13.0
+ - limit: 1.14.2
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml
new file mode 100644
index 00000000000..d9eb33d1c97
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml
@@ -0,0 +1,21 @@
+id: OSV-129
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: not a supported ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml
new file mode 100644
index 00000000000..d2d319bf552
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml
@@ -0,0 +1,35 @@
+id: OSV-130
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+- package:
+ name: blah.com/package
+ ecosystem: not a supported ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml
new file mode 100644
index 00000000000..d62b1b10840
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml
@@ -0,0 +1,21 @@
+id: OSV-131
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: not a supported ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml
new file mode 100644
index 00000000000..86e69d4f5d0
--- /dev/null
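Review bot: OSV-130.yaml declares the top-level `references:` mapping twice (the two identical `references:` blocks just before `modified:`), which is a duplicate YAML key: PyYAML silently keeps the last occurrence while stricter loaders reject the document, so a reader cannot tell whether the fixture means to exercise duplicate-key handling or was pasted twice. If the duplicate is deliberate, mark it so the next maintainer does not "fix" it, e.g. a comment above the second block: `# duplicate 'references' key is intentional: exercises duplicate-key handling`; otherwise drop the second `references:` block and bump the hunk's line count from 35 to 32. The same fixture's second `affected` entry uses `ecosystem: not a supported ecosystem`, which appears to be the same case OSV-129.yaml and OSV-131.yaml cover; if those three are meant to differ, a one-line comment naming the scenario each one drives would make the fixtures easier to keep in sync.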
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml
@@ -0,0 +1,16 @@
+id: OSV-TEST-last-affected-01
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - last_affected: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml
new file mode 100644
index 00000000000..40653cf838c
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml
@@ -0,0 +1,23 @@
+id: PYSEC-123
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: grpcio
+ ecosystem: PyPI
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.14.2
+ - fixed: 1.31.0
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml
new file mode 100644
index 00000000000..5fc3c832257
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml
@@ -0,0 +1,18 @@
+id: PYSEC-124
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: grpcio
+ ecosystem: PyPI
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.14.2
+ - last_affected: 1.31.0
diff --git a/gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml
new file mode 100644
index 00000000000..008c694bf41
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml
@@ -0,0 +1,23 @@
+id: PYSEC-456
+summary: A vulnerability in an unnormalized package
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: Scrapy
+ ecosystem: PyPI
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.14.2
+ - fixed: 1.31.0
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt b/gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt
new file mode 100644
index 00000000000..2c52b812385
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt
@@ -0,0 +1,427 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '7-10', + '7-10-1', + '7-10-2', + '7-10-3', + '7-10-4', + '7-10-5', + '7-10-6', + '7-10-7', + '7-10-8', + '7-11-0', + '7-11-1', + '7-11-2', + '7-12-0', + '7-12-1', + '7-12-2', + '7-12-3', + '7-13-0', + '7-13-1', + '7-13-2', + '7-14-0', + '7-14-1', + '7-15-0', + '7-15-1', + '7-15-2', + '7-15-3', + '7-15-4', + '7-15-5', + '7-16-0', + '7-16-1', + '7-16-2', + '7-16-3', + '7-16-4', + '7-17-0', + '7-17-1', + '7-18-0', + '7-18-1', + '7-18-2', + '7-19-0', + '7-19-1', + '7-19-2', + '7-19-3', + '7-19-4', + '7-19-5', + '7-19-6', + '7-19-7', + '7-20-0', + '7-20-1', + '7-21-0', + '7-21-1', + '7-21-2', + '7-21-3', + '7-21-4', + '7-21-5', + '7-21-6', + '7-21-7', + '7-22-0', + '7-23-0', + '7-23-1', + '7-24-0', + '7-25-0', + '7-26-0', + '7-27-0', + '7-28-0', + '7-28-1', + '7-29-0', + '7-30-0', + '7-31-0', + '7-32-0', + '7-33-0', + '7-34-0', + '7-35-0', + '7-36-0', + '7-37-0', + '7-37-1', + '7-38-0', + '7-39-0', + '7-40-0', + '7-41-0', + '7-42-0', + '7-42-1', + '7-43-0', + '7-44-0', + '7-45-0', + '7-46-0', + '7-47-0', + '7-47-1', + '7-48-0', + '7-49-0', + '7-49-1', + '7-50-0', + '7-50-1', + '7-50-2', + '7-50-3', + '7-51-0', + '7-52-0', + '7-52-1', + '7-53-0', + '7-53-1', + '7-54-0', + '7-54-1', + '7-55-0', + '7-55-1', + '7-56-0', + '7-56-1', + '7-57-0', + '7-58-0', + '7-59-0', + '7-60-0', + '7-61-0', + '7-61-1', + '7-62-0', + '7-63-0', + '7-64-0', + '7-64-1', + '7-65-0', + '7-65-1', + '7-65-2', + '7-65-3', + '7-66-0', + '7-67-0', + '7-68-0', + '7-69-0', + '7-69-1', + '7-7', + '7-7-1', + '7-7-2', + '7-7-3', + '7-70-0', + '7-71-0', + '7-71-1', + '7-72-0', + '7-73-0', + '7-74-0', + '7-75-0', + '7-76-0', + '7-76-1', + '7-77-0', + '7-78-0', + '7-79-0', + '7-79-1', + '7-8', + '7-8-1', + '7-80-0', + '7-81-0', + '7-82-0', + '7-83-0', + '7-83-1', + '7-84-0', + '7-85-0', + '7-9', + '7-9-1', + '7-9-2', + '7-9-3', + '7-9-4', + '7-9-5', + '7-9-6', + '7-9-7', + '7-9-8'], + 'affected_packages': [ { 
'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'function_hash': '22968065415160735040135778472335782425', + 'length': 58084.0}, + 'id': 'CURL-CVE-2022-32221-9751f04c', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c', + 'function': 'Curl_vsetopt'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '73596727404438881622769716353410783065', + '150108665408450698810391826671290668314', + '264542534956227828232279400943172691231', + '248438938282829223471764231064667949049'], + 'threshold': 0.9}, + 'id': 'CURL-CVE-2022-32221-b7951194', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c'}}]}, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '7.7'}, + { 'type': 'fixed', + 'value': '7.86.0'}], + 'repo_url': '', + 'type': 'SEMVER'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '546572da0457f37c698c02d0a08d90fdfcbeedec'}, + { 'type': 'fixed', + 'value': 'a64e3e59938abd7d667e4470a18072a24d7e9de9'}], + 'repo_url': 'https://github.com/curl/curl.git', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '7.85.0', + '7.84.0', + '7.83.1', + '7.83.0', + '7.82.0', + '7.81.0', + '7.80.0', + '7.79.1', + '7.79.0', + '7.78.0', + '7.77.0', + '7.76.1', + '7.76.0', + '7.75.0', + '7.74.0', + '7.73.0', + '7.72.0', + '7.71.1', + '7.71.0', + '7.70.0', + '7.69.1', + '7.69.0', + '7.68.0', + '7.67.0', + '7.66.0', + '7.65.3', + '7.65.2', + '7.65.1', + '7.65.0', + '7.64.1', + '7.64.0', + '7.63.0', + '7.62.0', + '7.61.1', + '7.61.0', + '7.60.0', + '7.59.0', + '7.58.0', + '7.57.0', + '7.56.1', + '7.56.0', + 
'7.55.1', + '7.55.0', + '7.54.1', + '7.54.0', + '7.53.1', + '7.53.0', + '7.52.1', + '7.52.0', + '7.51.0', + '7.50.3', + '7.50.2', + '7.50.1', + '7.50.0', + '7.49.1', + '7.49.0', + '7.48.0', + '7.47.1', + '7.47.0', + '7.46.0', + '7.45.0', + '7.44.0', + '7.43.0', + '7.42.1', + '7.42.0', + '7.41.0', + '7.40.0', + '7.39.0', + '7.38.0', + '7.37.1', + '7.37.0', + '7.36.0', + '7.35.0', + '7.34.0', + '7.33.0', + '7.32.0', + '7.31.0', + '7.30.0', + '7.29.0', + '7.28.1', + '7.28.0', + '7.27.0', + '7.26.0', + '7.25.0', + '7.24.0', + '7.23.1', + '7.23.0', + '7.22.0', + '7.21.7', + '7.21.6', + '7.21.5', + '7.21.4', + '7.21.3', + '7.21.2', + '7.21.1', + '7.21.0', + '7.20.1', + '7.20.0', + '7.19.7', + '7.19.6', + '7.19.5', + '7.19.4', + '7.19.3', + '7.19.2', + '7.19.1', + '7.19.0', + '7.18.2', + '7.18.1', + '7.18.0', + '7.17.1', + '7.17.0', + '7.16.4', + '7.16.3', + '7.16.2', + '7.16.1', + '7.16.0', + '7.15.5', + '7.15.4', + '7.15.3', + '7.15.2', + '7.15.1', + '7.15.0', + '7.14.1', + '7.14.0', + '7.13.2', + '7.13.1', + '7.13.0', + '7.12.3', + '7.12.2', + '7.12.1', + '7.12.0', + '7.11.2', + '7.11.1', + '7.11.0', + '7.10.8', + '7.10.7', + '7.10.6', + '7.10.5', + '7.10.4', + '7.10.3', + '7.10.2', + '7.10.1', + '7.10', + '7.9.8', + '7.9.7', + '7.9.6', + '7.9.5', + '7.9.4', + '7.9.3', + '7.9.2', + '7.9.1', + '7.9', + '7.8.1', + '7.8', + '7.7.3', + '7.7.2', + '7.7.1', + '7.7']}], + 'aliases': ['CVE-2022-32221'], + 'credits': [ {'contact': [], 'name': 'Robby Simpson', 'type': 'FINDER'}, + { 'contact': [], + 'name': 'Daniel Stenberg', + 'type': 'REMEDIATION_DEVELOPER'}], + 'database_specific': { 'CWE': { 'desc': 'Expected Behavior Violation', + 'id': 'CWE-440'}, + 'URL': 'https://curl.se/docs/CVE-2022-32221.json', + 'award': {'amount': '2400', 'currency': 'USD'}, + 'issue': 'https://hackerone.com/reports/1704017', + 'last_affected': '7.85.0', + 'package': 'curl', + 'severity': 'Medium', + 'www': 'https://curl.se/docs/CVE-2022-32221.html'}, + 'db_id': 'CURL-CVE-2022-32221', + 'details': 
'When doing HTTP(S) transfers, libcurl might erroneously use ' + 'the read callback\n' + '(`CURLOPT_READFUNCTION`) to ask for data to send, even when ' + 'the\n' + '`CURLOPT_POSTFIELDS` option has been set, if the same handle ' + 'previously was\n' + 'used to issue a `PUT` request which used that callback.\n' + '\n' + 'This flaw may surprise the application and cause it to ' + 'misbehave and either\n' + 'send off the wrong data or use memory after free or similar in ' + 'the subsequent\n' + '`POST` request.\n' + '\n' + 'The problem exists in the logic for a reused handle when it is ' + 'changed from a\n' + 'PUT to a POST.', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2023, 5, 10, 0, 37, 6, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': {}, + 'regressed': '', + 'related': [], + 'search_indices': [ '2022', + '2022-32221', + '32221', + 'curl', + 'curl-cve', + 'curl-cve-2022', + 'curl-cve-2022-32221', + 'curl.git', + 'cve', + 'cve-2022', + 'cve-2022-32221', + 'git', + 'github.com/curl/curl.git', + 'https://github.com/curl/curl.git'], + 'search_tags': ['curl-cve-2022-32221'], + 'semver_fixed_indexes': ['00000007.00000086.00000000-zzzzzzzzzzzzzzzz'], + 'severities': [], + 'source': 'source', + 'source_id': 'source:CURL-CVE-2022-32221.json', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'POST following PUT confusion', + 'timestamp': DatetimeWithNanoseconds(2022, 10, 26, 8, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json b/gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json new file mode 100644 index 00000000000..58150ba4c32 --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json 
@@ -0,0 +1,262 @@ +{ + "schema_version": "1.7.3", + "id": "UBUNTU-CVE-2025-38094", + "details": "In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sama5d4 device that stayed locked for days. Use retries instead of jiffies so that the timeout really works and we do not have a deadlock anymore.", + "aliases": [], + "upstream": [ + "CVE-2025-38094" + ], + "related": [], + "severity": [ + { + "type": "Ubuntu", + "score": "medium" + } + ], + "published": "2025-07-04T00:00:00Z", + "modified": "2025-07-04T00:00:00Z", + "affected": [ + { + "package": { + "ecosystem": "Ubuntu:Pro:14.04:LTS", + "name": "linux", + "purl": "pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "versions": [ + "3.11.0-12.19", + "3.12.0-1.3", + "3.12.0-2.5", + "3.12.0-2.7", + "3.12.0-3.8", + "3.12.0-3.9", + "3.12.0-4.10", + "3.12.0-4.12", + "3.12.0-5.13", + "3.12.0-7.15", + "3.13.0-1.16", + "3.13.0-2.17", + "3.13.0-3.18", + "3.13.0-4.19", + "3.13.0-5.20", + "3.13.0-6.23", + "3.13.0-7.25", + "3.13.0-7.26", + "3.13.0-8.27", + "3.13.0-8.28", + "3.13.0-10.30", + "3.13.0-11.31", + "3.13.0-12.32", + "3.13.0-13.33", + "3.13.0-14.34", + "3.13.0-15.35", + "3.13.0-16.36", + "3.13.0-17.37", + "3.13.0-18.38", + "3.13.0-19.39", + "3.13.0-19.40", + "3.13.0-20.42", + "3.13.0-21.43", + "3.13.0-22.44", + "3.13.0-23.45", + "3.13.0-24.46", + "3.13.0-24.47", + "3.13.0-27.50", + "3.13.0-29.53", + "3.13.0-30.54", + "3.13.0-30.55", + "3.13.0-32.57", + "3.13.0-33.58", + "3.13.0-34.60", + "3.13.0-35.62", + "3.13.0-36.63", + "3.13.0-37.64", + "3.13.0-39.66", + "3.13.0-40.69", + 
"3.13.0-41.70", + "3.13.0-43.72", + "3.13.0-44.73", + "3.13.0-45.74", + "3.13.0-46.75", + "3.13.0-46.76", + "3.13.0-46.77", + "3.13.0-46.79", + "3.13.0-48.80", + "3.13.0-49.81", + "3.13.0-49.83", + "3.13.0-51.84", + "3.13.0-52.85", + "3.13.0-52.86", + "3.13.0-53.88", + "3.13.0-53.89", + "3.13.0-54.91", + "3.13.0-55.92", + "3.13.0-55.94", + "3.13.0-57.95", + "3.13.0-58.97", + "3.13.0-59.98", + "3.13.0-61.100", + "3.13.0-62.102", + "3.13.0-63.103", + "3.13.0-65.105", + "3.13.0-65.106", + "3.13.0-66.108", + "3.13.0-67.110", + "3.13.0-68.111", + "3.13.0-70.113", + "3.13.0-71.114", + "3.13.0-73.116", + "3.13.0-74.118", + "3.13.0-76.120", + "3.13.0-77.121", + "3.13.0-79.123", + "3.13.0-83.127", + "3.13.0-85.129", + "3.13.0-86.130", + "3.13.0-86.131", + "3.13.0-87.133", + "3.13.0-88.135", + "3.13.0-91.138", + "3.13.0-92.139", + "3.13.0-93.140", + "3.13.0-95.142", + "3.13.0-96.143", + "3.13.0-98.145", + "3.13.0-100.147", + "3.13.0-101.148", + "3.13.0-103.150", + "3.13.0-105.152", + "3.13.0-106.153", + "3.13.0-107.154", + "3.13.0-108.155", + "3.13.0-109.156", + "3.13.0-110.157", + "3.13.0-111.158", + "3.13.0-112.159", + "3.13.0-113.160", + "3.13.0-115.162", + "3.13.0-116.163", + "3.13.0-117.164", + "3.13.0-119.166", + "3.13.0-121.170", + "3.13.0-123.172", + "3.13.0-125.174", + "3.13.0-126.175", + "3.13.0-128.177", + "3.13.0-129.178", + "3.13.0-132.181", + "3.13.0-133.182", + "3.13.0-135.184", + "3.13.0-137.186", + "3.13.0-139.188", + "3.13.0-141.190", + "3.13.0-142.191", + "3.13.0-143.192", + "3.13.0-144.193", + "3.13.0-145.194", + "3.13.0-147.196", + "3.13.0-149.199", + "3.13.0-151.201", + "3.13.0-153.203", + "3.13.0-155.205", + "3.13.0-156.206", + "3.13.0-157.207", + "3.13.0-158.208", + "3.13.0-160.210", + "3.13.0-161.211", + "3.13.0-162.212", + "3.13.0-163.213", + "3.13.0-164.214", + "3.13.0-165.215", + "3.13.0-166.216", + "3.13.0-167.217", + "3.13.0-168.218", + "3.13.0-169.219", + "3.13.0-170.220", + "3.13.0-173.224", + "3.13.0-174.225", + "3.13.0-175.226", + 
"3.13.0-176.227", + "3.13.0-180.231", + "3.13.0-181.232", + "3.13.0-182.233", + "3.13.0-183.234", + "3.13.0-184.235", + "3.13.0-185.236", + "3.13.0-186.237", + "3.13.0-187.238", + "3.13.0-188.239", + "3.13.0-189.240", + "3.13.0-190.241", + "3.13.0-191.242", + "3.13.0-192.243", + "3.13.0-193.244", + "3.13.0-194.245", + "3.13.0-195.246", + "3.13.0-196.247", + "3.13.0-197.248", + "3.13.0-198.249", + "3.13.0-199.250", + "3.13.0-200.251", + "3.13.0-201.252", + "3.13.0-202.253", + "3.13.0-203.254", + "3.13.0-204.255", + "3.13.0-205.256", + "3.13.0-206.257" + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://ubuntu.com/security/CVE-2025-38094" + }, + { + "type": "REPORT", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-38094" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f" + } + ] +} diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt new file mode 100644 index 00000000000..6968470d21e --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt 
@@ -0,0 +1,170 @@ +{ 'affected': [], + 'affected_fuzzy': [ '6-9-4-0', + '6-9-4-1', + '6-9-4-10', + '6-9-4-2', + '6-9-4-3', + '6-9-4-4', + '6-9-4-5', + '6-9-4-6', + '6-9-4-7', + '6-9-4-8', + '6-9-4-9', + '6-9-5-0', + '6-9-5-1', + '6-9-5-2', + '6-9-5-3', + '6-9-5-4'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': { 'urgency': 'not yet ' + 'assigned'}, + 'package': { 'ecosystem': 'Debian:11', + 'name': 'imagemagick', + 'purl': 'pkg:deb/debian/imagemagick?arch=source'}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8:6.9.6.2+dfsg-2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': []}, + { 'database_specific': None, + 'ecosystem_specific': { 'urgency': 'not yet ' + 'assigned'}, + 'package': { 'ecosystem': 'Debian:12', + 'name': 'imagemagick', + 'purl': 'pkg:deb/debian/imagemagick?arch=source'}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8:6.9.6.2+dfsg-2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': []}, + { 'database_specific': None, + 'ecosystem_specific': { 'urgency': 'not yet ' + 'assigned'}, + 'package': { 'ecosystem': 'Debian:13', + 'name': 'imagemagick', + 'purl': 'pkg:deb/debian/imagemagick?arch=source'}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8:6.9.6.2+dfsg-2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': []}, + { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'function_hash': '105821297934886641033004172548266479551', + 'length': 34630.0}, + 'id': 'CVE-2016-10046-90cf14aa', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/imagemagick/imagemagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f', + 'target': { 'file': 'magick/draw.c', + 'function': 'DrawImage'}}, + { 'deprecated': 
False, + 'digest': { 'line_hashes': [ '111474618106123245942052817755198756272', + '301954155546171996711090723027809067481', + '279975694698735176382484669604413338546', + '183001078492337674961672731704068361015'], + 'threshold': 0.9}, + 'id': 'CVE-2016-10046-b43115ee', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/imagemagick/imagemagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f', + 'target': { 'file': 'magick/draw.c'}}]}, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '989f9f88ea6db09b99d25586e912c921c0da8d3f'}], + 'repo_url': 'https://github.com/imagemagick/imagemagick', + 'type': 'GIT'}, + { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'last_affected', + 'value': '969a96ed7eea9603bea46492e9116c2ba28da60f'}], + 'repo_url': 'https://github.com/imagemagick/imagemagick6', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '6.9.4-0', + '6.9.4-1', + '6.9.4-10', + '6.9.4-2', + '6.9.4-3', + '6.9.4-4', + '6.9.4-5', + '6.9.4-6', + '6.9.4-7', + '6.9.4-8', + '6.9.4-9', + '6.9.5-0', + '6.9.5-1', + '6.9.5-2', + '6.9.5-3', + '6.9.5-4']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'CVE-2016-10046', + 'details': 'Heap-based buffer overflow in the DrawImage function in ' + 'magick/draw.c in ImageMagick before 6.9.5-5 allows remote ' + 'attackers to cause a denial of service (application crash) via ' + 'a crafted image file.', + 'ecosystem': ['Debian', 'Debian:11', 'Debian:12', 'Debian:13', 'GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2024, 9, 18, 1, 0, 20, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(2021, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['imagemagick'], + 'public': True, + 'purl': [ 
'pkg:deb/debian/imagemagick', + 'pkg:deb/debian/imagemagick?arch=source'], + 'reference_url_types': { 'http://www.openwall.com/lists/oss-security/2016/12/26/9': 'WEB', + 'http://www.securityfocus.com/bid/95183': 'WEB', + 'https://bugzilla.redhat.com/show_bug.cgi?id=1410448': 'REPORT', + 'https://github.com/ImageMagick/ImageMagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f': 'REPORT', + 'https://security-tracker.debian.org/tracker/CVE-2016-10046': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '10046', + '11', + '12', + '13', + '2016', + '2016-10046', + 'cve', + 'cve-2016', + 'cve-2016-10046', + 'debian', + 'debian:11', + 'debian:12', + 'debian:13', + 'git', + 'github.com/imagemagick/imagemagick', + 'github.com/imagemagick/imagemagick6', + 'https://github.com/imagemagick/imagemagick', + 'https://github.com/imagemagick/imagemagick6', + 'imagemagick', + 'imagemagick6'], + 'search_tags': ['cve-2016-10046', 'imagemagick'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 'source:CVE-2016-10046.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': DatetimeWithNanoseconds(2017, 3, 23, 17, 59, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt new file mode 100644 index 00000000000..cb4c04fa467 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt 
@@ -0,0 +1,616 @@ +('diff --git a/CVE-2022-27449.json b/CVE-2022-27449.json\n' + 'index 3fc80cd..e6cf371 100644\n' + '--- a/CVE-2022-27449.json\n' + '+++ b/CVE-2022-27449.json\n' + '@@ -1,16 +1,13 @@\n' + ' {\n' + '- "id": "CVE-2022-27449",\n' + '- "details": "MariaDB Server v10.9 and below was discovered to contain a ' + 'segmentation fault via the component sql/item_func.cc:148.",\n' + ' "affected": [\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.12",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -18,19 +15,110 @@\n' + ' {\n' + ' "fixed": "10.4.25-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ 
"10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.15-r0",\n' + '+ "10.4.17-r0",\n' + '+ "10.4.17-r1",\n' + '+ "10.4.18-r0",\n' + '+ "10.4.19-r0",\n' + '+ "10.4.21-r0",\n' + '+ "10.4.22-r0",\n' + '+ "10.4.24-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.13",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -38,19 +126,113 @@\n' + ' {\n' + ' "fixed": "10.5.16-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ 
"10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.10-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.12-r0",\n' + '+ "10.5.13-r0",\n' + '+ "10.5.15-r0",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.14",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -58,19 +240,112 @@\n' + ' {\n' + ' "fixed": "10.5.16-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ 
"10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.12-r0",\n' + '+ "10.5.13-r0",\n' + '+ "10.5.15-r0",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.15",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -78,19 +353,115 
@@\n' + ' {\n' + ' "fixed": "10.6.8-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.11-r1",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "10.6.3-r0",\n' + '+ "10.6.4-r0",\n' + '+ "10.6.4-r1",\n' + '+ "10.6.4-r2",\n' + '+ "10.6.7-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ 
"5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.16",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -98,11 +469,112 @@\n' + ' {\n' + ' "fixed": "10.6.8-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + 
'+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.11-r1",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "10.6.3-r0",\n' + '+ "10.6.4-r0",\n' + '+ "10.6.4-r1",\n' + '+ "10.6.4-r2",\n' + '+ "10.6.7-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' }\n' + ' ],\n' + '+ "details": "MariaDB Server v10.9 and below was discovered to contain a ' + 'segmentation fault via the component sql/item_func.cc:148.",\n' + '+ "id": "CVE-2022-27449",\n' + '+ "modified": "3000-01-01T00:00:00Z",\n' + '+ "published": "2022-04-14T13:15:00Z",\n' + ' "references": [\n' + ' {\n' + ' "type": "EVIDENCE",\n' + '@@ -132,7 +604,5 @@\n' + ' "type": "WEB",\n' + ' "url": ' + '"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"\n' + ' }\n' + '- ],\n' + '- "modified": "2022-10-07T18:59:00Z",\n' + '- "published": "2022-04-14T13:15:00Z"\n' + '-}\n' + '+ ]\n' + '+}\n' + '\\ No newline at end of file\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt new file mode 100644 index 00000000000..0433f0bc3ff --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt 
@@ -0,0 +1,64 @@ +('diff --git a/DSA-3029-1.json b/DSA-3029-1.json\n' + 'index 1b73210..c114001 100644\n' + '--- a/DSA-3029-1.json\n' + '+++ b/DSA-3029-1.json\n' + '@@ -1,6 +1,4 @@\n' + ' {\n' + '- "id": "DSA-3029-1",\n' + '- "summary": "nginx - security update",\n' + ' "affected": [\n' + ' {\n' + ' "package": {\n' + '@@ -9,7 +7,6 @@\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -17,21 +14,30 @@\n' + ' {\n' + ' "fixed": "1.2.1-2.2+wheezy3"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "1.2.1-2.2",\n' + '+ "1.2.1-2.2+wheezy1",\n' + '+ "1.2.1-2.2+wheezy2",\n' + '+ "1.2.1-2.2+wheezy3~bpo60+1"\n' + ' ]\n' + ' }\n' + ' ],\n' + ' "aliases": [\n' + ' "CVE-2014-3616"\n' + ' ],\n' + '- "published": "2014-09-20T00:00:00Z",\n' + '- "modified": "2014-09-20T08:18:07Z",\n' + ' "details": "\\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan ' + 'discovered that it was\\npossible to reuse cached SSL sessions in unrelated ' + 'contexts, allowing\\nvirtual host confusion attacks in some configurations ' + 'by an attacker in\\na privileged network position.\\n\\n\\nFor the stable ' + 'distribution (wheezy), this problem has been fixed in\\nversion ' + '1.2.1-2.2+wheezy3.\\n\\n\\nFor the testing distribution (jessie), this ' + 'problem has been fixed in\\nversion 1.6.2-1.\\n\\n\\nFor the unstable ' + 'distribution (sid), this problem has been fixed in\\nversion ' + '1.6.2-1.\\n\\n\\nWe recommend that you upgrade your nginx ' + 'packages.\\n\\n\\n",\n' + '+ "id": "DSA-3029-1",\n' + '+ "modified": "3000-01-01T00:00:00Z",\n' + '+ "published": "2014-09-20T00:00:00Z",\n' + ' "references": [\n' + ' {\n' + ' "type": "ADVISORY",\n' + ' "url": "https://www.debian.org/security/2014/dsa-3029"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "summary": "nginx - security update"\n' + ' }\n' + '\\ No newline at end of file\n') \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt new file mode 100644 index 00000000000..1cc3591ae79 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt @@ -0,0 +1,78 @@ +('diff --git a/PYSEC-124.yaml b/PYSEC-124.yaml\n' + 'index 5fc3c83..bc7539c 100644\n' + '--- a/PYSEC-124.yaml\n' + '+++ b/PYSEC-124.yaml\n' + '@@ -1,18 +1,61 @@\n' + '-id: PYSEC-124\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-modified: 2022-10-07T18:59:00Z\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: grpcio\n' + ' ecosystem: PyPI\n' + '+ name: grpcio\n' + ' ranges:\n' + '- - type: ECOSYSTEM\n' + '- events:\n' + '+ - events:\n' + ' - introduced: 1.14.2\n' + ' - last_affected: 1.31.0\n' + '+ type: ECOSYSTEM\n' + '+ versions:\n' + '+ - 1.14.2\n' + '+ - 1.15.0\n' + '+ - 1.15.0rc1\n' + '+ - 1.16.0\n' + '+ - 1.16.0rc1\n' + '+ - 1.16.1\n' + '+ - 1.17.0\n' + '+ - 1.17.1\n' + '+ - 1.18.0\n' + '+ - 1.19.0\n' + '+ - 1.20.0\n' + '+ - 1.20.0rc1\n' + '+ - 1.20.0rc2\n' + '+ - 1.20.0rc3\n' + '+ - 1.20.1\n' + '+ - 1.21.0rc1\n' + '+ - 1.21.1\n' + '+ - 1.21.1rc1\n' + '+ - 1.22.0\n' + '+ - 1.22.0rc1\n' + '+ - 1.22.1\n' + '+ - 1.23.0\n' + '+ - 1.23.0rc1\n' + '+ - 1.23.1\n' + '+ - 1.24.0\n' + '+ - 1.24.0rc1\n' + '+ - 1.24.1\n' + '+ - 1.24.3\n' + '+ - 1.25.0\n' + '+ - 1.25.0rc1\n' + '+ - 1.26.0\n' + '+ - 1.26.0rc1\n' + '+ - 1.27.0rc1\n' + '+ - 1.27.0rc2\n' + '+ - 1.27.1\n' + '+ - 1.27.2\n' + '+ - 1.28.0rc1\n' + '+ - 1.28.0rc2\n' + '+ - 1.28.1\n' + '+ - 1.29.0\n' + '+ - 1.30.0\n' + '+ - 1.31.0\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: PYSEC-124\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt new file mode 100644 index 00000000000..990ff79da6e --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt @@ -0,0 +1,35 @@ +('diff --git a/OSV-TEST-last-affected-01.yaml ' + 'b/OSV-TEST-last-affected-01.yaml\n' + 'index 86e69d4..db61731 100644\n' + '--- a/OSV-TEST-last-affected-01.yaml\n' + '+++ b/OSV-TEST-last-affected-01.yaml\n' + '@@ -1,16 +1,19 @@\n' + '-id: OSV-TEST-last-affected-01\n' + '-summary: A vulnerability\n' + '+affected:\n' + '+- ranges:\n' + '+ - events:\n' + '+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '+ - last_affected: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ versions:\n' + '+ - v0.1.1\n' + '+ - v0.2\n' + ' details: |\n' + ' Blah blah blah\n' + ' Blah\n' + '-modified: 2022-10-07T18:59:00Z\n' + '+id: OSV-TEST-last-affected-01\n' + "+modified: '3000-01-01T00:00:00Z'\n" + ' references:\n' + ' - type: WEB\n' + ' url: https://ref.com/ref\n' + '-affected:\n' + '-- ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '- - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '- - last_affected: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt new file mode 100644 index 00000000000..600a0536a0d --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt 
@@ -0,0 +1,110 @@ +('diff --git a/GHSA-838r-hvwh-24h8.json b/GHSA-838r-hvwh-24h8.json\n' + 'index 13e8570..55b233a 100644\n' + '--- a/GHSA-838r-hvwh-24h8.json\n' + '+++ b/GHSA-838r-hvwh-24h8.json\n' + '@@ -1,19 +1,4 @@\n' + ' {\n' + '- "schema_version": "1.4.0",\n' + '- "id": "GHSA-838r-hvwh-24h8",\n' + '- "modified": "2021-09-24T13:10:05Z",\n' + '- "published": "2021-09-13T20:06:31Z",\n' + '- "aliases": [\n' + '- "CVE-2021-38555"\n' + '- ],\n' + '- "summary": "XML Injection in Any23",\n' + '- "details": "An XML external entity (XXE) injection vulnerability was ' + 'discovered in the Any23 StreamUtils.java file and is known to affect Any23 ' + 'versions < 2.5. XML external entity injection (also known as XXE) is a web ' + 'security vulnerability that allows an attacker to interfere with an ' + "application's processing of XML data. It often allows an attacker to view " + 'files on the application server filesystem, and to interact with any ' + 'back-end or external systems that the application itself can access.",\n' + '- "severity": [\n' + '- {\n' + '- "type": "CVSS_V3",\n' + '- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"\n' + '- }\n' + '- ],\n' + ' "affected": [\n' + ' {\n' + ' "package": {\n' + '@@ -22,7 +7,6 @@\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -30,11 +14,40 @@\n' + ' {\n' + ' "fixed": "2.5"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "0.7.0-incubating",\n' + '+ "0.8.0",\n' + '+ "0.9.0",\n' + '+ "1.0",\n' + '+ "1.1",\n' + '+ "2.0",\n' + '+ "2.1",\n' + '+ "2.2",\n' + '+ "2.3",\n' + '+ "2.4"\n' + ' ]\n' + ' }\n' + ' ],\n' + '+ "aliases": [\n' + '+ "CVE-2021-38555"\n' + '+ ],\n' + '+ "database_specific": {\n' + '+ "cwe_ids": [\n' + '+ "CWE-611"\n' + '+ ],\n' + '+ "github_reviewed": true,\n' + '+ "github_reviewed_at": "2021-09-13T19:31:01Z",\n' + '+ "nvd_published_at": "2021-09-11T11:15:00Z",\n' + 
'+ "severity": "CRITICAL"\n' + '+ },\n' + '+ "details": "An XML external entity (XXE) injection vulnerability was ' + 'discovered in the Any23 StreamUtils.java file and is known to affect Any23 ' + 'versions < 2.5. XML external entity injection (also known as XXE) is a web ' + 'security vulnerability that allows an attacker to interfere with an ' + "application's processing of XML data. It often allows an attacker to view " + 'files on the application server filesystem, and to interact with any ' + 'back-end or external systems that the application itself can access.",\n' + '+ "id": "GHSA-838r-hvwh-24h8",\n' + '+ "modified": "3000-01-01T00:00:00Z",\n' + '+ "published": "2021-09-13T20:06:31Z",\n' + ' "references": [\n' + ' {\n' + ' "type": "ADVISORY",\n' + '@@ -49,13 +62,12 @@\n' + ' "url": ' + '"https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E"\n' + ' }\n' + ' ],\n' + '- "database_specific": {\n' + '- "cwe_ids": [\n' + '- "CWE-611"\n' + '- ],\n' + '- "severity": "CRITICAL",\n' + '- "github_reviewed": true,\n' + '- "github_reviewed_at": "2021-09-13T19:31:01Z",\n' + '- "nvd_published_at": "2021-09-11T11:15:00Z"\n' + '- }\n' + '+ "schema_version": "1.4.0",\n' + '+ "severity": [\n' + '+ {\n' + '+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",\n' + '+ "type": "CVSS_V3"\n' + '+ }\n' + '+ ],\n' + '+ "summary": "XML Injection in Any23"\n' + ' }\n' + '\\ No newline at end of file\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt new file mode 100644 index 00000000000..9c7aacfe8a2 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt 
@@ -0,0 +1,29 @@ +('diff --git a/PYSEC-456.yaml b/PYSEC-456.yaml\n' + 'new file mode 100644\n' + 'index 0000000..008c694\n' + '--- /dev/null\n' + '+++ b/PYSEC-456.yaml\n' + '@@ -0,0 +1,23 @@\n' + '+id: PYSEC-456\n' + '+summary: A vulnerability in an unnormalized package\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+modified: 2022-10-07T18:59:00Z\n' + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+affected:\n' + '+- package:\n' + '+ name: Scrapy\n' + '+ ecosystem: PyPI\n' + '+ ranges:\n' + '+ - type: ECOSYSTEM\n' + '+ events:\n' + '+ - introduced: 1.14.2\n' + '+ - fixed: 1.31.0\n' + '+ - type: GIT\n' + '+ repo: https://osv-test/repo/url\n' + '+ events:\n' + '+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt new file mode 100644 index 00000000000..9bdb664f6e3 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt 
@@ -0,0 +1,85 @@ +('diff --git a/PYSEC-123.yaml b/PYSEC-123.yaml\n' + 'index 40653cf..8e2c331 100644\n' + '--- a/PYSEC-123.yaml\n' + '+++ b/PYSEC-123.yaml\n' + '@@ -1,23 +1,65 @@\n' + '-id: PYSEC-123\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-modified: 2022-10-07T18:59:00Z\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: grpcio\n' + ' ecosystem: PyPI\n' + '+ name: grpcio\n' + ' ranges:\n' + '- - type: ECOSYSTEM\n' + '- events:\n' + '+ - events:\n' + ' - introduced: 1.14.2\n' + ' - fixed: 1.31.0\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ type: ECOSYSTEM\n' + '+ - events:\n' + ' - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + ' - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ versions:\n' + '+ - 1.14.2\n' + '+ - 1.15.0\n' + '+ - 1.15.0rc1\n' + '+ - 1.16.0\n' + '+ - 1.16.0rc1\n' + '+ - 1.16.1\n' + '+ - 1.17.0\n' + '+ - 1.17.1\n' + '+ - 1.18.0\n' + '+ - 1.19.0\n' + '+ - 1.20.0\n' + '+ - 1.20.0rc1\n' + '+ - 1.20.0rc2\n' + '+ - 1.20.0rc3\n' + '+ - 1.20.1\n' + '+ - 1.21.0rc1\n' + '+ - 1.21.1\n' + '+ - 1.21.1rc1\n' + '+ - 1.22.0\n' + '+ - 1.22.0rc1\n' + '+ - 1.22.1\n' + '+ - 1.23.0\n' + '+ - 1.23.0rc1\n' + '+ - 1.23.1\n' + '+ - 1.24.0\n' + '+ - 1.24.0rc1\n' + '+ - 1.24.1\n' + '+ - 1.24.3\n' + '+ - 1.25.0\n' + '+ - 1.25.0rc1\n' + '+ - 1.26.0\n' + '+ - 1.26.0rc1\n' + '+ - 1.27.0rc1\n' + '+ - 1.27.0rc2\n' + '+ - 1.27.1\n' + '+ - 1.27.2\n' + '+ - 1.28.0rc1\n' + '+ - 1.28.0rc2\n' + '+ - 1.28.1\n' + '+ - 1.29.0\n' + '+ - 1.30.0\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: PYSEC-123\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt new file mode 100644 index 00000000000..6c3164251ff --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt 
@@ -0,0 +1,61 @@ +('diff --git a/OSV-123.yaml b/OSV-123.yaml\n' + 'index 0d93ff8..e765523 100644\n' + '--- a/OSV-123.yaml\n' + '+++ b/OSV-123.yaml\n' + '@@ -1,30 +1,34 @@\n' + '-id: OSV-123\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-severity:\n' + '-- type: CVSS_V3\n' + '- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\n' + '-credits:\n' + '-- name: Foo bar\n' + '- contact:\n' + '- - mailto:foo@bar.com\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: blah.com/package\n' + ' ecosystem: Go\n' + '+ name: blah.com/package\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + ' - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + ' - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ - introduced: febfac1940086bc1f6d3dc33fda0a1d1ba336209\n' + '+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + ' versions:\n' + ' - branch-v0.1.1\n' + '+ - branch_1_cherrypick_regress\n' + '+ - v0.1.1\n' + '+credits:\n' + '+- contact:\n' + '+ - mailto:foo@bar.com\n' + '+ name: Foo bar\n' + ' database_specific:\n' + '- specific: 1337\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '\\ No newline at end of file\n' + '+ specific: 1337.0\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-123\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+severity:\n' + '+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\n' + '+ type: CVSS_V3\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt new file mode 100644 index 00000000000..64d431543b5 --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt @@ -0,0 +1,43 @@ +('diff --git a/OSV-124.yaml b/OSV-124.yaml\n' + 'index 4d2eede..8b6df18 100644\n' + '--- a/OSV-124.yaml\n' + '+++ b/OSV-124.yaml\n' + '@@ -1,20 +1,25 @@\n' + '-id: OSV-124\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: blah.com/package\n' + ' ecosystem: Go\n' + '+ name: blah.com/package\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + ' - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ - introduced: febfac1940086bc1f6d3dc33fda0a1d1ba336209\n' + '+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + ' versions:\n' + ' - branch-v0.1.1\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '+ - branch_1_cherrypick_regress\n' + '+ - v0.1.1\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-124\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt new file mode 100644 index 00000000000..8765ed63433 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt 
@@ -0,0 +1,55 @@ +('diff --git a/OSV-128.yaml b/OSV-128.yaml\n' + 'index 9b928c1..e4b6aad 100644\n' + '--- a/OSV-128.yaml\n' + '+++ b/OSV-128.yaml\n' + '@@ -1,25 +1,33 @@\n' + '-id: OSV-128\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: grpcio\n' + ' ecosystem: PyPI\n' + '- versions:\n' + '- - branch-v0.1.1\n' + '+ name: grpcio\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + " - introduced: '0'\n" + ' - limit: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '- - type: ECOSYSTEM\n' + '- events:\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ - events:\n' + ' - introduced: 1.13.0\n' + ' - limit: 1.14.2\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '+ type: ECOSYSTEM\n' + '+ versions:\n' + '+ - branch-v0.1.1\n' + '+ - 1.13.0\n' + '+ - 1.14.0\n' + '+ - 1.14.0rc1\n' + '+ - 1.14.0rc2\n' + '+ - 1.14.1\n' + '+ - 1.14.2rc1\n' + '+ - v0.1\n' + '+ - v0.1.1\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-128\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt new file mode 100644 index 00000000000..4c56c356353 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt 
@@ -0,0 +1,45 @@ +('diff --git a/OSV-127.yaml b/OSV-127.yaml\n' + 'index a1a76f1..163c78a 100644\n' + '--- a/OSV-127.yaml\n' + '+++ b/OSV-127.yaml\n' + '@@ -1,21 +1,25 @@\n' + '-id: OSV-127\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: blah.com/package\n' + ' ecosystem: Go\n' + '- versions:\n' + '- - branch-v0.1.1\n' + '+ name: blah.com/package\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + " - introduced: '0'\n" + ' - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ versions:\n' + '+ - branch-v0.1.1\n' + '+ - branch_1_cherrypick_regress\n' + '+ - v0.1\n' + '+ - v0.1.1\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-127\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt new file mode 100644 index 00000000000..a277e3adbe1 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt 
@@ -0,0 +1,5067 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'last_affected', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '00000', + '00001', + '00002', + '00003', + '00004', + '00005', + '00006', + '00007', + '00008', + '00009', + '00010', + '00011', + '00012', + '00013', + '00014', + '00015', + '00016', + '00017', + '00018', + '00019', + '00020', + '00021', + '00022', + '00023', + '00024', + '00025', + '00026', + '00027', + '00028', + '00029', + '00030', + '00031', + '00032', + '00033', + '00034', + '00035', + '00036', + '00037', + '00038', + '00039', + '00040', + '00041', + '00042', + '00043', + '00044', + '00045', + '00046', + '00047', + '00048', + '00049', + '00050', + '00051', + '00052', + '00053', + '00054', + '00055', + '00056', + '00057', + '00058', + '00059', + '00060', + '00061', + '00062', + '00063', + '00064', + '00065', + '00066', + '00067', + '00068', + '00069', + '00070', + '00071', + '00072', + '00073', + '00074', + '00075', + '00076', + '00077', + '00078', + '00079', + '00080', + '00081', + '00082', + '00083', + '00084', + '00085', + '00086', + '00087', + '00088', + '00089', + '00090', + '00091', + '00092', + '00093', + '00094', + '00095', + '00096', + '00097', + '00098', + '00099', + '00100', + '00101', + '00102', + '00103', + '00104', + '00105', + '00106', + '00107', + '00108', + '00109', + '00110', + '00111', + '00112', + '00113', + '00114', + '00115', + '00116', + '00117', + '00118', + '00119', + '00120', + '00121', + '00122', + '00123', + '00124', + '00125', + '00126', + '00127', + '00128', + '00129', + '00130', + 
'00131', + '00132', + '00133', + '00134', + '00135', + '00136', + '00137', + '00138', + '00139', + '00140', + '00141', + '00142', + '00143', + '00144', + '00145', + '00146', + '00147', + '00148', + '00149', + '00150', + '00151', + '00152', + '00153', + '00154', + '00155', + '00156', + '00157', + '00158', + '00159', + '00160', + '00161', + '00162', + '00163', + '00164', + '00165', + '00166', + '00167', + '00168', + '00169', + '00170', + '00171', + '00172', + '00173', + '00174', + '00175', + '00176', + '00177', + '00178', + '00179', + '00180', + '00181', + '00182', + '00183', + '00184', + '00185', + '00186', + '00187', + '00188', + '00189', + '00190', + '00191', + '00192', + '00193', + '00194', + '00195', + '00196', + '00197', + '00198', + '00199', + '00200', + '00201', + '00202', + '00203', + '00204', + '00205', + '00206', + '00207', + '00208', + '00209', + '00210', + '00211', + '00212', + '00213', + '00214', + '00215', + '00216', + '00217', + '00218', + '00219', + '00220', + '00221', + '00222', + '00223', + '00224', + '00225', + '00226', + '00227', + '00228', + '00229', + '00230', + '00231', + '00232', + '00233', + '00234', + '00235', + '00236', + '00237', + '00238', + '00239', + '00240', + '00241', + '00242', + '00243', + '00244', + '00245', + '00246', + '00247', + '00248', + '00249', + '00250', + '00251', + '00252', + '00253', + '00254', + '00255', + '00256', + '00257', + '00258', + '00259', + '00260', + '00261', + '00262', + '00263', + '00264', + '00265', + '00266', + '00267', + '00268', + '00269', + '00270', + '00271', + '00272', + '00273', + '00274', + '00275', + '00276', + '00277', + '00278', + '00279', + '00280', + '00281', + '00282', + '00283', + '00284', + '00285', + '00286', + '00287', + '00288', + '00289', + '00290', + '00291', + '00292', + '00293', + '00294', + '00295', + '00296', + '00297', + '00298', + '00299', + '00300', + '00301', + '00302', + '00303', + '00304', + '00305', + '00306', + '00307', + '00308', + '00309', + '00310', + '00311', + '00312', 
+ '00313', + '00314', + '00315', + '00316', + '00317', + '00318', + '00319', + '00320', + '00321', + '00322', + '00323', + '00324', + '00325', + '00326', + '00327', + '00328', + '00329', + '00330', + '00331', + '00332', + '00333', + '00334', + '00335', + '00336', + '00337', + '00338', + '00339', + '00340', + '00341', + '00342', + '00343', + '00344', + '00345', + '00346', + '00347', + '00348', + '00349', + '00350', + '00351', + '00352', + '00353', + '00354', + '00355', + '00356', + '00357', + '00358', + '00359', + '00360', + '00361', + '00362', + '00363', + '00364', + '00365', + '00366', + '00367', + '00368', + '00369', + '00370', + '00371', + '00372', + '00373', + '00374', + '00375', + '00376', + '00377', + '00378', + '00379', + '00380', + '00381', + '00382', + '00383', + '00384', + '00385', + '00386', + '00387', + '00388', + '00389', + '00390', + '00391', + '00392', + '00393', + '00394', + '00395', + '00396', + '00397', + '00398', + '00399', + '00400', + '00401', + '00402', + '00403', + '00404', + '00405', + '00406', + '00407', + '00408', + '00409', + '00410', + '00411', + '00412', + '00413', + '00414', + '00415', + '00416', + '00417', + '00418', + '00419', + '00420', + '00421', + '00422', + '00423', + '00424', + '00425', + '00426', + '00427', + '00428', + '00429', + '00430', + '00431', + '00432', + '00433', + '00434', + '00435', + '00436', + '00437', + '00438', + '00439', + '00440', + '00441', + '00442', + '00443', + '00444', + '00445', + '00446', + '00447', + '00448', + '00449', + '00450', + '00451', + '00452', + '00453', + '00454', + '00455', + '00456', + '00457', + '00458', + '00459', + '00460', + '00461', + '00462', + '00463', + '00464', + '00465', + '00466', + '00467', + '00468', + '00469', + '00470', + '00471', + '00472', + '00473', + '00474', + '00475', + '00476', + '00477', + '00478', + '00479', + '00480', + '00481', + '00482', + '00483', + '00484', + '00485', + '00486', + '00487', + '00488', + '00489', + '00490', + '00491', + '00492', + '00493', + 
'00494', + '00495', + '00496', + '00497', + '00498', + '00499', + '00500', + '00501', + '00502', + '00503', + '00504', + '00505', + '00506', + '00507', + '00508', + '00509', + '00510', + '00511', + '00512', + '00513', + '00514', + '00515', + '00516', + '00517', + '00518', + '00519', + '00520', + '00521', + '00522', + '00523', + '00524', + '00525', + '00526', + '00527', + '00528', + '00529', + '00530', + '00531', + '00532', + '00533', + '00534', + '00535', + '00536', + '00537', + '00538', + '00539', + '00540', + '00541', + '00542', + '00543', + '00544', + '00545', + '00546', + '00547', + '00548', + '00549', + '00550', + '00551', + '00552', + '00553', + '00554', + '00555', + '00556', + '00557', + '00558', + '00559', + '00560', + '00561', + '00562', + '00563', + '00564', + '00565', + '00566', + '00567', + '00568', + '00569', + '00570', + '00571', + '00572', + '00573', + '00574', + '00575', + '00576', + '00577', + '00578', + '00579', + '00580', + '00581', + '00582', + '00583', + '00584', + '00585', + '00586', + '00587', + '00588', + '00589', + '00590', + '00591', + '00592', + '00593', + '00594', + '00595', + '00596', + '00597', + '00598', + '00599', + '00600', + '00601', + '00602', + '00603', + '00604', + '00605', + '00606', + '00607', + '00608', + '00609', + '00610', + '00611', + '00612', + '00613', + '00614', + '00615', + '00616', + '00617', + '00618', + '00619', + '00620', + '00621', + '00622', + '00623', + '00624', + '00625', + '00626', + '00627', + '00628', + '00629', + '00630', + '00631', + '00632', + '00633', + '00634', + '00635', + '00636', + '00637', + '00638', + '00639', + '00640', + '00641', + '00642', + '00643', + '00644', + '00645', + '00646', + '00647', + '00648', + '00649', + '00650', + '00651', + '00652', + '00653', + '00654', + '00655', + '00656', + '00657', + '00658', + '00659', + '00660', + '00661', + '00662', + '00663', + '00664', + '00665', + '00666', + '00667', + '00668', + '00669', + '00670', + '00671', + '00672', + '00673', + '00674', + '00675', 
+ '00676', + '00677', + '00678', + '00679', + '00680', + '00681', + '00682', + '00683', + '00684', + '00685', + '00686', + '00687', + '00688', + '00689', + '00690', + '00691', + '00692', + '00693', + '00694', + '00695', + '00696', + '00697', + '00698', + '00699', + '00700', + '00701', + '00702', + '00703', + '00704', + '00705', + '00706', + '00707', + '00708', + '00709', + '00710', + '00711', + '00712', + '00713', + '00714', + '00715', + '00716', + '00717', + '00718', + '00719', + '00720', + '00721', + '00722', + '00723', + '00724', + '00725', + '00726', + '00727', + '00728', + '00729', + '00730', + '00731', + '00732', + '00733', + '00734', + '00735', + '00736', + '00737', + '00738', + '00739', + '00740', + '00741', + '00742', + '00743', + '00744', + '00745', + '00746', + '00747', + '00748', + '00749', + '00750', + '00751', + '00752', + '00753', + '00754', + '00755', + '00756', + '00757', + '00758', + '00759', + '00760', + '00761', + '00762', + '00763', + '00764', + '00765', + '00766', + '00767', + '00768', + '00769', + '00770', + '00771', + '00772', + '00773', + '00774', + '00775', + '00776', + '00777', + '00778', + '00779', + '00780', + '00781', + '00782', + '00783', + '00784', + '00785', + '00786', + '00787', + '00788', + '00789', + '00790', + '00791', + '00792', + '00793', + '00794', + '00795', + '00796', + '00797', + '00798', + '00799', + '00800', + '00801', + '00802', + '00803', + '00804', + '00805', + '00806', + '00807', + '00808', + '00809', + '00810', + '00811', + '00812', + '00813', + '00814', + '00815', + '00816', + '00817', + '00818', + '00819', + '00820', + '00821', + '00822', + '00823', + '00824', + '00825', + '00826', + '00827', + '00828', + '00829', + '00830', + '00831', + '00832', + '00833', + '00834', + '00835', + '00836', + '00837', + '00838', + '00839', + '00840', + '00841', + '00842', + '00843', + '00844', + '00845', + '00846', + '00847', + '00848', + '00849', + '00850', + '00851', + '00852', + '00853', + '00854', + '00855', + '00856', + 
'00857', + '00858', + '00859', + '00860', + '00861', + '00862', + '00863', + '00864', + '00865', + '00866', + '00867', + '00868', + '00869', + '00870', + '00871', + '00872', + '00873', + '00874', + '00875', + '00876', + '00877', + '00878', + '00879', + '00880', + '00881', + '00882', + '00883', + '00884', + '00885', + '00886', + '00887', + '00888', + '00889', + '00890', + '00891', + '00892', + '00893', + '00894', + '00895', + '00896', + '00897', + '00898', + '00899', + '00900', + '00901', + '00902', + '00903', + '00904', + '00905', + '00906', + '00907', + '00908', + '00909', + '00910', + '00911', + '00912', + '00913', + '00914', + '00915', + '00916', + '00917', + '00918', + '00919', + '00920', + '00921', + '00922', + '00923', + '00924', + '00925', + '00926', + '00927', + '00928', + '00929', + '00930', + '00931', + '00932', + '00933', + '00934', + '00935', + '00936', + '00937', + '00938', + '00939', + '00940', + '00941', + '00942', + '00943', + '00944', + '00945', + '00946', + '00947', + '00948', + '00949', + '00950', + '00951', + '00952', + '00953', + '00954', + '00955', + '00956', + '00957', + '00958', + '00959', + '00960', + '00961', + '00962', + '00963', + '00964', + '00965', + '00966', + '00967', + '00968', + '00969', + '00970', + '00971', + '00972', + '00973', + '00974', + '00975', + '00976', + '00977', + '00978', + '00979', + '00980', + '00981', + '00982', + '00983', + '00984', + '00985', + '00986', + '00987', + '00988', + '00989', + '00990', + '00991', + '00992', + '00993', + '00994', + '00995', + '00996', + '00997', + '00998', + '00999', + '01000', + '01001', + '01002', + '01003', + '01004', + '01005', + '01006', + '01007', + '01008', + '01009', + '01010', + '01011', + '01012', + '01013', + '01014', + '01015', + '01016', + '01017', + '01018', + '01019', + '01020', + '01021', + '01022', + '01023', + '01024', + '01025', + '01026', + '01027', + '01028', + '01029', + '01030', + '01031', + '01032', + '01033', + '01034', + '01035', + '01036', + '01037', + '01038', 
+ '01039', + '01040', + '01041', + '01042', + '01043', + '01044', + '01045', + '01046', + '01047', + '01048', + '01049', + '01050', + '01051', + '01052', + '01053', + '01054', + '01055', + '01056', + '01057', + '01058', + '01059', + '01060', + '01061', + '01062', + '01063', + '01064', + '01065', + '01066', + '01067', + '01068', + '01069', + '01070', + '01071', + '01072', + '01073', + '01074', + '01075', + '01076', + '01077', + '01078', + '01079', + '01080', + '01081', + '01082', + '01083', + '01084', + '01085', + '01086', + '01087', + '01088', + '01089', + '01090', + '01091', + '01092', + '01093', + '01094', + '01095', + '01096', + '01097', + '01098', + '01099', + '01100', + '01101', + '01102', + '01103', + '01104', + '01105', + '01106', + '01107', + '01108', + '01109', + '01110', + '01111', + '01112', + '01113', + '01114', + '01115', + '01116', + '01117', + '01118', + '01119', + '01120', + '01121', + '01122', + '01123', + '01124', + '01125', + '01126', + '01127', + '01128', + '01129', + '01130', + '01131', + '01132', + '01133', + '01134', + '01135', + '01136', + '01137', + '01138', + '01139', + '01140', + '01141', + '01142', + '01143', + '01144', + '01145', + '01146', + '01147', + '01148', + '01149', + '01150', + '01151', + '01152', + '01153', + '01154', + '01155', + '01156', + '01157', + '01158', + '01159', + '01160', + '01161', + '01162', + '01163', + '01164', + '01165', + '01166', + '01167', + '01168', + '01169', + '01170', + '01171', + '01172', + '01173', + '01174', + '01175', + '01176', + '01177', + '01178', + '01179', + '01180', + '01181', + '01182', + '01183', + '01184', + '01185', + '01186', + '01187', + '01188', + '01189', + '01190', + '01191', + '01192', + '01193', + '01194', + '01195', + '01196', + '01197', + '01198', + '01199', + '01200', + '01201', + '01202', + '01203', + '01204', + '01205', + '01206', + '01207', + '01208', + '01209', + '01210', + '01211', + '01212', + '01213', + '01214', + '01215', + '01216', + '01217', + '01218', + '01219', + 
'01220', + '01221', + '01222', + '01223', + '01224', + '01225', + '01226', + '01227', + '01228', + '01229', + '01230', + '01231', + '01232', + '01233', + '01234', + '01235', + '01236', + '01237', + '01238', + '01239', + '01240', + '01241', + '01242', + '01243', + '01244', + '01245', + '01246', + '01247', + '01248', + '01249', + '01250', + '01251', + '01252', + '01253', + '01254', + '01255', + '01256', + '01257', + '01258', + '01259', + '01260', + '01261', + '01262', + '01263', + '01264', + '01265', + '01266', + '01267', + '01268', + '01269', + '01270', + '01271', + '01272', + '01273', + '01274', + '01275', + '01276', + '01277', + '01278', + '01279', + '01280', + '01281', + '01282', + '01283', + '01284', + '01285', + '01286', + '01287', + '01288', + '01289', + '01290', + '01291', + '01292', + '01293', + '01294', + '01295', + '01296', + '01297', + '01298', + '01299', + '01300', + '01301', + '01302', + '01303', + '01304', + '01305', + '01306', + '01307', + '01308', + '01309', + '01310', + '01311', + '01312', + '01313', + '01314', + '01315', + '01316', + '01317', + '01318', + '01319', + '01320', + '01321', + '01322', + '01323', + '01324', + '01325', + '01326', + '01327', + '01328', + '01329', + '01330', + '01331', + '01332', + '01333', + '01334', + '01335', + '01336', + '01337', + '01338', + '01339', + '01340', + '01341', + '01342', + '01343', + '01344', + '01345', + '01346', + '01347', + '01348', + '01349', + '01350', + '01351', + '01352', + '01353', + '01354', + '01355', + '01356', + '01357', + '01358', + '01359', + '01360', + '01361', + '01362', + '01363', + '01364', + '01365', + '01366', + '01367', + '01368', + '01369', + '01370', + '01371', + '01372', + '01373', + '01374', + '01375', + '01376', + '01377', + '01378', + '01379', + '01380', + '01381', + '01382', + '01383', + '01384', + '01385', + '01386', + '01387', + '01388', + '01389', + '01390', + '01391', + '01392', + '01393', + '01394', + '01395', + '01396', + '01397', + '01398', + '01399', + '01400', + '01401', 
+ '01402', + '01403', + '01404', + '01405', + '01406', + '01407', + '01408', + '01409', + '01410', + '01411', + '01412', + '01413', + '01414', + '01415', + '01416', + '01417', + '01418', + '01419', + '01420', + '01421', + '01422', + '01423', + '01424', + '01425', + '01426', + '01427', + '01428', + '01429', + '01430', + '01431', + '01432', + '01433', + '01434', + '01435', + '01436', + '01437', + '01438', + '01439', + '01440', + '01441', + '01442', + '01443', + '01444', + '01445', + '01446', + '01447', + '01448', + '01449', + '01450', + '01451', + '01452', + '01453', + '01454', + '01455', + '01456', + '01457', + '01458', + '01459', + '01460', + '01461', + '01462', + '01463', + '01464', + '01465', + '01466', + '01467', + '01468', + '01469', + '01470', + '01471', + '01472', + '01473', + '01474', + '01475', + '01476', + '01477', + '01478', + '01479', + '01480', + '01481', + '01482', + '01483', + '01484', + '01485', + '01486', + '01487', + '01488', + '01489', + '01490', + '01491', + '01492', + '01493', + '01494', + '01495', + '01496', + '01497', + '01498', + '01499', + '01500', + '01501', + '01502', + '01503', + '01504', + '01505', + '01506', + '01507', + '01508', + '01509', + '01510', + '01511', + '01512', + '01513', + '01514', + '01515', + '01516', + '01517', + '01518', + '01519', + '01520', + '01521', + '01522', + '01523', + '01524', + '01525', + '01526', + '01527', + '01528', + '01529', + '01530', + '01531', + '01532', + '01533', + '01534', + '01535', + '01536', + '01537', + '01538', + '01539', + '01540', + '01541', + '01542', + '01543', + '01544', + '01545', + '01546', + '01547', + '01548', + '01549', + '01550', + '01551', + '01552', + '01553', + '01554', + '01555', + '01556', + '01557', + '01558', + '01559', + '01560', + '01561', + '01562', + '01563', + '01564', + '01565', + '01566', + '01567', + '01568', + '01569', + '01570', + '01571', + '01572', + '01573', + '01574', + '01575', + '01576', + '01577', + '01578', + '01579', + '01580', + '01581', + '01582', + 
'01583', + '01584', + '01585', + '01586', + '01587', + '01588', + '01589', + '01590', + '01591', + '01592', + '01593', + '01594', + '01595', + '01596', + '01597', + '01598', + '01599', + '01600', + '01601', + '01602', + '01603', + '01604', + '01605', + '01606', + '01607', + '01608', + '01609', + '01610', + '01611', + '01612', + '01613', + '01614', + '01615', + '01616', + '01617', + '01618', + '01619', + '01620', + '01621', + '01622', + '01623', + '01624', + '01625', + '01626', + '01627', + '01628', + '01629', + '01630', + '01631', + '01632', + '01633', + '01634', + '01635', + '01636', + '01637', + '01638', + '01639', + '01640', + '01641', + '01642', + '01643', + '01644', + '01645', + '01646', + '01647', + '01648', + '01649', + '01650', + '01651', + '01652', + '01653', + '01654', + '01655', + '01656', + '01657', + '01658', + '01659', + '01660', + '01661', + '01662', + '01663', + '01664', + '01665', + '01666', + '01667', + '01668', + '01669', + '01670', + '01671', + '01672', + '01673', + '01674', + '01675', + '01676', + '01677', + '01678', + '01679', + '01680', + '01681', + '01682', + '01683', + '01684', + '01685', + '01686', + '01687', + '01688', + '01689', + '01690', + '01691', + '01692', + '01693', + '01694', + '01695', + '01696', + '01697', + '01698', + '01699', + '01700', + '01701', + '01702', + '01703', + '01704', + '01705', + '01706', + '01707', + '01708', + '01709', + '01710', + '01711', + '01712', + '01713', + '01714', + '01715', + '01716', + '01717', + '01718', + '01719', + '01720', + '01721', + '01722', + '01723', + '01724', + '01725', + '01726', + '01727', + '01728', + '01729', + '01730', + '01731', + '01732', + '01733', + '01734', + '01735', + '01736', + '01737', + '01738', + '01739', + '01740', + '01741', + '01742', + '01743', + '01744', + '01745', + '01746', + '01747', + '01748', + '01749', + '01750', + '01751', + '01752', + '01753', + '01754', + '01755', + '01756', + '01757', + '01758', + '01759', + '01760', + '01761', + '01762', + '01763', + '01764', 
+ '01765', + '01766', + '01767', + '01768', + '01769', + '01770', + '01771', + '01772', + '01773', + '01774', + '01775', + '01776', + '01777', + '01778', + '01779', + '01780', + '01781', + '01782', + '01783', + '01784', + '01785', + '01786', + '01787', + '01788', + '01789', + '01790', + '01791', + '01792', + '01793', + '01794', + '01795', + '01796', + '01797', + '01798', + '01799', + '01800', + '01801', + '01802', + '01803', + '01804', + '01805', + '01806', + '01807', + '01808', + '01809', + '01810', + '01811', + '01812', + '01813', + '01814', + '01815', + '01816', + '01817', + '01818', + '01819', + '01820', + '01821', + '01822', + '01823', + '01824', + '01825', + '01826', + '01827', + '01828', + '01829', + '01830', + '01831', + '01832', + '01833', + '01834', + '01835', + '01836', + '01837', + '01838', + '01839', + '01840', + '01841', + '01842', + '01843', + '01844', + '01845', + '01846', + '01847', + '01848', + '01849', + '01850', + '01851', + '01852', + '01853', + '01854', + '01855', + '01856', + '01857', + '01858', + '01859', + '01860', + '01861', + '01862', + '01863', + '01864', + '01865', + '01866', + '01867', + '01868', + '01869', + '01870', + '01871', + '01872', + '01873', + '01874', + '01875', + '01876', + '01877', + '01878', + '01879', + '01880', + '01881', + '01882', + '01883', + '01884', + '01885', + '01886', + '01887', + '01888', + '01889', + '01890', + '01891', + '01892', + '01893', + '01894', + '01895', + '01896', + '01897', + '01898', + '01899', + '01900', + '01901', + '01902', + '01903', + '01904', + '01905', + '01906', + '01907', + '01908', + '01909', + '01910', + '01911', + '01912', + '01913', + '01914', + '01915', + '01916', + '01917', + '01918', + '01919', + '01920', + '01921', + '01922', + '01923', + '01924', + '01925', + '01926', + '01927', + '01928', + '01929', + '01930', + '01931', + '01932', + '01933', + '01934', + '01935', + '01936', + '01937', + '01938', + '01939', + '01940', + '01941', + '01942', + '01943', + '01944', + '01945', + 
'01946', + '01947', + '01948', + '01949', + '01950', + '01951', + '01952', + '01953', + '01954', + '01955', + '01956', + '01957', + '01958', + '01959', + '01960', + '01961', + '01962', + '01963', + '01964', + '01965', + '01966', + '01967', + '01968', + '01969', + '01970', + '01971', + '01972', + '01973', + '01974', + '01975', + '01976', + '01977', + '01978', + '01979', + '01980', + '01981', + '01982', + '01983', + '01984', + '01985', + '01986', + '01987', + '01988', + '01989', + '01990', + '01991', + '01992', + '01993', + '01994', + '01995', + '01996', + '01997', + '01998', + '01999', + '02000', + '02001', + '02002', + '02003', + '02004', + '02005', + '02006', + '02007', + '02008', + '02009', + '02010', + '02011', + '02012', + '02013', + '02014', + '02015', + '02016', + '02017', + '02018', + '02019', + '02020', + '02021', + '02022', + '02023', + '02024', + '02025', + '02026', + '02027', + '02028', + '02029', + '02030', + '02031', + '02032', + '02033', + '02034', + '02035', + '02036', + '02037', + '02038', + '02039', + '02040', + '02041', + '02042', + '02043', + '02044', + '02045', + '02046', + '02047', + '02048', + '02049', + '02050', + '02051', + '02052', + '02053', + '02054', + '02055', + '02056', + '02057', + '02058', + '02059', + '02060', + '02061', + '02062', + '02063', + '02064', + '02065', + '02066', + '02067', + '02068', + '02069', + '02070', + '02071', + '02072', + '02073', + '02074', + '02075', + '02076', + '02077', + '02078', + '02079', + '02080', + '02081', + '02082', + '02083', + '02084', + '02085', + '02086', + '02087', + '02088', + '02089', + '02090', + '02091', + '02092', + '02093', + '02094', + '02095', + '02096', + '02097', + '02098', + '02099', + '02100', + '02101', + '02102', + '02103', + '02104', + '02105', + '02106', + '02107', + '02108', + '02109', + '02110', + '02111', + '02112', + '02113', + '02114', + '02115', + '02116', + '02117', + '02118', + '02119', + '02120', + '02121', + '02122', + '02123', + '02124', + '02125', + '02126', + '02127', 
+ '02128', + '02129', + '02130', + '02131', + '02132', + '02133', + '02134', + '02135', + '02136', + '02137', + '02138', + '02139', + '02140', + '02141', + '02142', + '02143', + '02144', + '02145', + '02146', + '02147', + '02148', + '02149', + '02150', + '02151', + '02152', + '02153', + '02154', + '02155', + '02156', + '02157', + '02158', + '02159', + '02160', + '02161', + '02162', + '02163', + '02164', + '02165', + '02166', + '02167', + '02168', + '02169', + '02170', + '02171', + '02172', + '02173', + '02174', + '02175', + '02176', + '02177', + '02178', + '02179', + '02180', + '02181', + '02182', + '02183', + '02184', + '02185', + '02186', + '02187', + '02188', + '02189', + '02190', + '02191', + '02192', + '02193', + '02194', + '02195', + '02196', + '02197', + '02198', + '02199', + '02200', + '02201', + '02202', + '02203', + '02204', + '02205', + '02206', + '02207', + '02208', + '02209', + '02210', + '02211', + '02212', + '02213', + '02214', + '02215', + '02216', + '02217', + '02218', + '02219', + '02220', + '02221', + '02222', + '02223', + '02224', + '02225', + '02226', + '02227', + '02228', + '02229', + '02230', + '02231', + '02232', + '02233', + '02234', + '02235', + '02236', + '02237', + '02238', + '02239', + '02240', + '02241', + '02242', + '02243', + '02244', + '02245', + '02246', + '02247', + '02248', + '02249', + '02250', + '02251', + '02252', + '02253', + '02254', + '02255', + '02256', + '02257', + '02258', + '02259', + '02260', + '02261', + '02262', + '02263', + '02264', + '02265', + '02266', + '02267', + '02268', + '02269', + '02270', + '02271', + '02272', + '02273', + '02274', + '02275', + '02276', + '02277', + '02278', + '02279', + '02280', + '02281', + '02282', + '02283', + '02284', + '02285', + '02286', + '02287', + '02288', + '02289', + '02290', + '02291', + '02292', + '02293', + '02294', + '02295', + '02296', + '02297', + '02298', + '02299', + '02300', + '02301', + '02302', + '02303', + '02304', + '02305', + '02306', + '02307', + '02308', + 
'02309', + '02310', + '02311', + '02312', + '02313', + '02314', + '02315', + '02316', + '02317', + '02318', + '02319', + '02320', + '02321', + '02322', + '02323', + '02324', + '02325', + '02326', + '02327', + '02328', + '02329', + '02330', + '02331', + '02332', + '02333', + '02334', + '02335', + '02336', + '02337', + '02338', + '02339', + '02340', + '02341', + '02342', + '02343', + '02344', + '02345', + '02346', + '02347', + '02348', + '02349', + '02350', + '02351', + '02352', + '02353', + '02354', + '02355', + '02356', + '02357', + '02358', + '02359', + '02360', + '02361', + '02362', + '02363', + '02364', + '02365', + '02366', + '02367', + '02368', + '02369', + '02370', + '02371', + '02372', + '02373', + '02374', + '02375', + '02376', + '02377', + '02378', + '02379', + '02380', + '02381', + '02382', + '02383', + '02384', + '02385', + '02386', + '02387', + '02388', + '02389', + '02390', + '02391', + '02392', + '02393', + '02394', + '02395', + '02396', + '02397', + '02398', + '02399', + '02400', + '02401', + '02402', + '02403', + '02404', + '02405', + '02406', + '02407', + '02408', + '02409', + '02410', + '02411', + '02412', + '02413', + '02414', + '02415', + '02416', + '02417', + '02418', + '02419', + '02420', + '02421', + '02422', + '02423', + '02424', + '02425', + '02426', + '02427', + '02428', + '02429', + '02430', + '02431', + '02432', + '02433', + '02434', + '02435', + '02436', + '02437', + '02438', + '02439', + '02440', + '02441', + '02442', + '02443', + '02444', + '02445', + '02446', + '02447', + '02448', + '02449', + '02450', + '02451', + '02452', + '02453', + '02454', + '02455', + '02456', + '02457', + '02458', + '02459', + '02460', + '02461', + '02462', + '02463', + '02464', + '02465', + '02466', + '02467', + '02468', + '02469', + '02470', + '02471', + '02472', + '02473', + '02474', + '02475', + '02476', + '02477', + '02478', + '02479', + '02480', + '02481', + '02482', + '02483', + '02484', + '02485', + '02486', + '02487', + '02488', + '02489', + '02490', 
+ '02491', + '02492', + '02493', + '02494', + '02495', + '02496', + '02497', + '02498', + '02499', + '02500', + '02501', + '02502', + '02503', + '02504', + '02505', + '02506', + '02507', + '02508', + '02509', + '02510', + '02511', + '02512', + '02513', + '02514', + '02515', + '02516', + '02517', + '02518', + '02519', + '02520', + '02521', + '02522', + '02523', + '02524', + '02525', + '02526', + '02527', + '02528', + '02529', + '02530', + '02531', + '02532', + '02533', + '02534', + '02535', + '02536', + '02537', + '02538', + '02539', + '02540', + '02541', + '02542', + '02543', + '02544', + '02545', + '02546', + '02547', + '02548', + '02549', + '02550', + '02551', + '02552', + '02553', + '02554', + '02555', + '02556', + '02557', + '02558', + '02559', + '02560', + '02561', + '02562', + '02563', + '02564', + '02565', + '02566', + '02567', + '02568', + '02569', + '02570', + '02571', + '02572', + '02573', + '02574', + '02575', + '02576', + '02577', + '02578', + '02579', + '02580', + '02581', + '02582', + '02583', + '02584', + '02585', + '02586', + '02587', + '02588', + '02589', + '02590', + '02591', + '02592', + '02593', + '02594', + '02595', + '02596', + '02597', + '02598', + '02599', + '02600', + '02601', + '02602', + '02603', + '02604', + '02605', + '02606', + '02607', + '02608', + '02609', + '02610', + '02611', + '02612', + '02613', + '02614', + '02615', + '02616', + '02617', + '02618', + '02619', + '02620', + '02621', + '02622', + '02623', + '02624', + '02625', + '02626', + '02627', + '02628', + '02629', + '02630', + '02631', + '02632', + '02633', + '02634', + '02635', + '02636', + '02637', + '02638', + '02639', + '02640', + '02641', + '02642', + '02643', + '02644', + '02645', + '02646', + '02647', + '02648', + '02649', + '02650', + '02651', + '02652', + '02653', + '02654', + '02655', + '02656', + '02657', + '02658', + '02659', + '02660', + '02661', + '02662', + '02663', + '02664', + '02665', + '02666', + '02667', + '02668', + '02669', + '02670', + '02671', + 
'02672', + '02673', + '02674', + '02675', + '02676', + '02677', + '02678', + '02679', + '02680', + '02681', + '02682', + '02683', + '02684', + '02685', + '02686', + '02687', + '02688', + '02689', + '02690', + '02691', + '02692', + '02693', + '02694', + '02695', + '02696', + '02697', + '02698', + '02699', + '02700', + '02701', + '02702', + '02703', + '02704', + '02705', + '02706', + '02707', + '02708', + '02709', + '02710', + '02711', + '02712', + '02713', + '02714', + '02715', + '02716', + '02717', + '02718', + '02719', + '02720', + '02721', + '02722', + '02723', + '02724', + '02725', + '02726', + '02727', + '02728', + '02729', + '02730', + '02731', + '02732', + '02733', + '02734', + '02735', + '02736', + '02737', + '02738', + '02739', + '02740', + '02741', + '02742', + '02743', + '02744', + '02745', + '02746', + '02747', + '02748', + '02749', + '02750', + '02751', + '02752', + '02753', + '02754', + '02755', + '02756', + '02757', + '02758', + '02759', + '02760', + '02761', + '02762', + '02763', + '02764', + '02765', + '02766', + '02767', + '02768', + '02769', + '02770', + '02771', + '02772', + '02773', + '02774', + '02775', + '02776', + '02777', + '02778', + '02779', + '02780', + '02781', + '02782', + '02783', + '02784', + '02785', + '02786', + '02787', + '02788', + '02789', + '02790', + '02791', + '02792', + '02793', + '02794', + '02795', + '02796', + '02797', + '02798', + '02799', + '02800', + '02801', + '02802', + '02803', + '02804', + '02805', + '02806', + '02807', + '02808', + '02809', + '02810', + '02811', + '02812', + '02813', + '02814', + '02815', + '02816', + '02817', + '02818', + '02819', + '02820', + '02821', + '02822', + '02823', + '02824', + '02825', + '02826', + '02827', + '02828', + '02829', + '02830', + '02831', + '02832', + '02833', + '02834', + '02835', + '02836', + '02837', + '02838', + '02839', + '02840', + '02841', + '02842', + '02843', + '02844', + '02845', + '02846', + '02847', + '02848', + '02849', + '02850', + '02851', + '02852', + '02853', 
+ '02854', + '02855', + '02856', + '02857', + '02858', + '02859', + '02860', + '02861', + '02862', + '02863', + '02864', + '02865', + '02866', + '02867', + '02868', + '02869', + '02870', + '02871', + '02872', + '02873', + '02874', + '02875', + '02876', + '02877', + '02878', + '02879', + '02880', + '02881', + '02882', + '02883', + '02884', + '02885', + '02886', + '02887', + '02888', + '02889', + '02890', + '02891', + '02892', + '02893', + '02894', + '02895', + '02896', + '02897', + '02898', + '02899', + '02900', + '02901', + '02902', + '02903', + '02904', + '02905', + '02906', + '02907', + '02908', + '02909', + '02910', + '02911', + '02912', + '02913', + '02914', + '02915', + '02916', + '02917', + '02918', + '02919', + '02920', + '02921', + '02922', + '02923', + '02924', + '02925', + '02926', + '02927', + '02928', + '02929', + '02930', + '02931', + '02932', + '02933', + '02934', + '02935', + '02936', + '02937', + '02938', + '02939', + '02940', + '02941', + '02942', + '02943', + '02944', + '02945', + '02946', + '02947', + '02948', + '02949', + '02950', + '02951', + '02952', + '02953', + '02954', + '02955', + '02956', + '02957', + '02958', + '02959', + '02960', + '02961', + '02962', + '02963', + '02964', + '02965', + '02966', + '02967', + '02968', + '02969', + '02970', + '02971', + '02972', + '02973', + '02974', + '02975', + '02976', + '02977', + '02978', + '02979', + '02980', + '02981', + '02982', + '02983', + '02984', + '02985', + '02986', + '02987', + '02988', + '02989', + '02990', + '02991', + '02992', + '02993', + '02994', + '02995', + '02996', + '02997', + '02998', + '02999', + '03000', + '03001', + '03002', + '03003', + '03004', + '03005', + '03006', + '03007', + '03008', + '03009', + '03010', + '03011', + '03012', + '03013', + '03014', + '03015', + '03016', + '03017', + '03018', + '03019', + '03020', + '03021', + '03022', + '03023', + '03024', + '03025', + '03026', + '03027', + '03028', + '03029', + '03030', + '03031', + '03032', + '03033', + '03034', + 
'03035', + '03036', + '03037', + '03038', + '03039', + '03040', + '03041', + '03042', + '03043', + '03044', + '03045', + '03046', + '03047', + '03048', + '03049', + '03050', + '03051', + '03052', + '03053', + '03054', + '03055', + '03056', + '03057', + '03058', + '03059', + '03060', + '03061', + '03062', + '03063', + '03064', + '03065', + '03066', + '03067', + '03068', + '03069', + '03070', + '03071', + '03072', + '03073', + '03074', + '03075', + '03076', + '03077', + '03078', + '03079', + '03080', + '03081', + '03082', + '03083', + '03084', + '03085', + '03086', + '03087', + '03088', + '03089', + '03090', + '03091', + '03092', + '03093', + '03094', + '03095', + '03096', + '03097', + '03098', + '03099', + '03100', + '03101', + '03102', + '03103', + '03104', + '03105', + '03106', + '03107', + '03108', + '03109', + '03110', + '03111', + '03112', + '03113', + '03114', + '03115', + '03116', + '03117', + '03118', + '03119', + '03120', + '03121', + '03122', + '03123', + '03124', + '03125', + '03126', + '03127', + '03128', + '03129', + '03130', + '03131', + '03132', + '03133', + '03134', + '03135', + '03136', + '03137', + '03138', + '03139', + '03140', + '03141', + '03142', + '03143', + '03144', + '03145', + '03146', + '03147', + '03148', + '03149', + '03150', + '03151', + '03152', + '03153', + '03154', + '03155', + '03156', + '03157', + '03158', + '03159', + '03160', + '03161', + '03162', + '03163', + '03164', + '03165', + '03166', + '03167', + '03168', + '03169', + '03170', + '03171', + '03172', + '03173', + '03174', + '03175', + '03176', + '03177', + '03178', + '03179', + '03180', + '03181', + '03182', + '03183', + '03184', + '03185', + '03186', + '03187', + '03188', + '03189', + '03190', + '03191', + '03192', + '03193', + '03194', + '03195', + '03196', + '03197', + '03198', + '03199', + '03200', + '03201', + '03202', + '03203', + '03204', + '03205', + '03206', + '03207', + '03208', + '03209', + '03210', + '03211', + '03212', + '03213', + '03214', + '03215', + '03216', 
+ '03217', + '03218', + '03219', + '03220', + '03221', + '03222', + '03223', + '03224', + '03225', + '03226', + '03227', + '03228', + '03229', + '03230', + '03231', + '03232', + '03233', + '03234', + '03235', + '03236', + '03237', + '03238', + '03239', + '03240', + '03241', + '03242', + '03243', + '03244', + '03245', + '03246', + '03247', + '03248', + '03249', + '03250', + '03251', + '03252', + '03253', + '03254', + '03255', + '03256', + '03257', + '03258', + '03259', + '03260', + '03261', + '03262', + '03263', + '03264', + '03265', + '03266', + '03267', + '03268', + '03269', + '03270', + '03271', + '03272', + '03273', + '03274', + '03275', + '03276', + '03277', + '03278', + '03279', + '03280', + '03281', + '03282', + '03283', + '03284', + '03285', + '03286', + '03287', + '03288', + '03289', + '03290', + '03291', + '03292', + '03293', + '03294', + '03295', + '03296', + '03297', + '03298', + '03299', + '03300', + '03301', + '03302', + '03303', + '03304', + '03305', + '03306', + '03307', + '03308', + '03309', + '03310', + '03311', + '03312', + '03313', + '03314', + '03315', + '03316', + '03317', + '03318', + '03319', + '03320', + '03321', + '03322', + '03323', + '03324', + '03325', + '03326', + '03327', + '03328', + '03329', + '03330', + '03331', + '03332', + '03333', + '03334', + '03335', + '03336', + '03337', + '03338', + '03339', + '03340', + '03341', + '03342', + '03343', + '03344', + '03345', + '03346', + '03347', + '03348', + '03349', + '03350', + '03351', + '03352', + '03353', + '03354', + '03355', + '03356', + '03357', + '03358', + '03359', + '03360', + '03361', + '03362', + '03363', + '03364', + '03365', + '03366', + '03367', + '03368', + '03369', + '03370', + '03371', + '03372', + '03373', + '03374', + '03375', + '03376', + '03377', + '03378', + '03379', + '03380', + '03381', + '03382', + '03383', + '03384', + '03385', + '03386', + '03387', + '03388', + '03389', + '03390', + '03391', + '03392', + '03393', + '03394', + '03395', + '03396', + '03397', + 
'03398', + '03399', + '03400', + '03401', + '03402', + '03403', + '03404', + '03405', + '03406', + '03407', + '03408', + '03409', + '03410', + '03411', + '03412', + '03413', + '03414', + '03415', + '03416', + '03417', + '03418', + '03419', + '03420', + '03421', + '03422', + '03423', + '03424', + '03425', + '03426', + '03427', + '03428', + '03429', + '03430', + '03431', + '03432', + '03433', + '03434', + '03435', + '03436', + '03437', + '03438', + '03439', + '03440', + '03441', + '03442', + '03443', + '03444', + '03445', + '03446', + '03447', + '03448', + '03449', + '03450', + '03451', + '03452', + '03453', + '03454', + '03455', + '03456', + '03457', + '03458', + '03459', + '03460', + '03461', + '03462', + '03463', + '03464', + '03465', + '03466', + '03467', + '03468', + '03469', + '03470', + '03471', + '03472', + '03473', + '03474', + '03475', + '03476', + '03477', + '03478', + '03479', + '03480', + '03481', + '03482', + '03483', + '03484', + '03485', + '03486', + '03487', + '03488', + '03489', + '03490', + '03491', + '03492', + '03493', + '03494', + '03495', + '03496', + '03497', + '03498', + '03499', + '03500', + '03501', + '03502', + '03503', + '03504', + '03505', + '03506', + '03507', + '03508', + '03509', + '03510', + '03511', + '03512', + '03513', + '03514', + '03515', + '03516', + '03517', + '03518', + '03519', + '03520', + '03521', + '03522', + '03523', + '03524', + '03525', + '03526', + '03527', + '03528', + '03529', + '03530', + '03531', + '03532', + '03533', + '03534', + '03535', + '03536', + '03537', + '03538', + '03539', + '03540', + '03541', + '03542', + '03543', + '03544', + '03545', + '03546', + '03547', + '03548', + '03549', + '03550', + '03551', + '03552', + '03553', + '03554', + '03555', + '03556', + '03557', + '03558', + '03559', + '03560', + '03561', + '03562', + '03563', + '03564', + '03565', + '03566', + '03567', + '03568', + '03569', + '03570', + '03571', + '03572', + '03573', + '03574', + '03575', + '03576', + '03577', + '03578', + '03579', 
+ '03580', + '03581', + '03582', + '03583', + '03584', + '03585', + '03586', + '03587', + '03588', + '03589', + '03590', + '03591', + '03592', + '03593', + '03594', + '03595', + '03596', + '03597', + '03598', + '03599', + '03600', + '03601', + '03602', + '03603', + '03604', + '03605', + '03606', + '03607', + '03608', + '03609', + '03610', + '03611', + '03612', + '03613', + '03614', + '03615', + '03616', + '03617', + '03618', + '03619', + '03620', + '03621', + '03622', + '03623', + '03624', + '03625', + '03626', + '03627', + '03628', + '03629', + '03630', + '03631', + '03632', + '03633', + '03634', + '03635', + '03636', + '03637', + '03638', + '03639', + '03640', + '03641', + '03642', + '03643', + '03644', + '03645', + '03646', + '03647', + '03648', + '03649', + '03650', + '03651', + '03652', + '03653', + '03654', + '03655', + '03656', + '03657', + '03658', + '03659', + '03660', + '03661', + '03662', + '03663', + '03664', + '03665', + '03666', + '03667', + '03668', + '03669', + '03670', + '03671', + '03672', + '03673', + '03674', + '03675', + '03676', + '03677', + '03678', + '03679', + '03680', + '03681', + '03682', + '03683', + '03684', + '03685', + '03686', + '03687', + '03688', + '03689', + '03690', + '03691', + '03692', + '03693', + '03694', + '03695', + '03696', + '03697', + '03698', + '03699', + '03700', + '03701', + '03702', + '03703', + '03704', + '03705', + '03706', + '03707', + '03708', + '03709', + '03710', + '03711', + '03712', + '03713', + '03714', + '03715', + '03716', + '03717', + '03718', + '03719', + '03720', + '03721', + '03722', + '03723', + '03724', + '03725', + '03726', + '03727', + '03728', + '03729', + '03730', + '03731', + '03732', + '03733', + '03734', + '03735', + '03736', + '03737', + '03738', + '03739', + '03740', + '03741', + '03742', + '03743', + '03744', + '03745', + '03746', + '03747', + '03748', + '03749', + '03750', + '03751', + '03752', + '03753', + '03754', + '03755', + '03756', + '03757', + '03758', + '03759', + '03760', + 
'03761', + '03762', + '03763', + '03764', + '03765', + '03766', + '03767', + '03768', + '03769', + '03770', + '03771', + '03772', + '03773', + '03774', + '03775', + '03776', + '03777', + '03778', + '03779', + '03780', + '03781', + '03782', + '03783', + '03784', + '03785', + '03786', + '03787', + '03788', + '03789', + '03790', + '03791', + '03792', + '03793', + '03794', + '03795', + '03796', + '03797', + '03798', + '03799', + '03800', + '03801', + '03802', + '03803', + '03804', + '03805', + '03806', + '03807', + '03808', + '03809', + '03810', + '03811', + '03812', + '03813', + '03814', + '03815', + '03816', + '03817', + '03818', + '03819', + '03820', + '03821', + '03822', + '03823', + '03824', + '03825', + '03826', + '03827', + '03828', + '03829', + '03830', + '03831', + '03832', + '03833', + '03834', + '03835', + '03836', + '03837', + '03838', + '03839', + '03840', + '03841', + '03842', + '03843', + '03844', + '03845', + '03846', + '03847', + '03848', + '03849', + '03850', + '03851', + '03852', + '03853', + '03854', + '03855', + '03856', + '03857', + '03858', + '03859', + '03860', + '03861', + '03862', + '03863', + '03864', + '03865', + '03866', + '03867', + '03868', + '03869', + '03870', + '03871', + '03872', + '03873', + '03874', + '03875', + '03876', + '03877', + '03878', + '03879', + '03880', + '03881', + '03882', + '03883', + '03884', + '03885', + '03886', + '03887', + '03888', + '03889', + '03890', + '03891', + '03892', + '03893', + '03894', + '03895', + '03896', + '03897', + '03898', + '03899', + '03900', + '03901', + '03902', + '03903', + '03904', + '03905', + '03906', + '03907', + '03908', + '03909', + '03910', + '03911', + '03912', + '03913', + '03914', + '03915', + '03916', + '03917', + '03918', + '03919', + '03920', + '03921', + '03922', + '03923', + '03924', + '03925', + '03926', + '03927', + '03928', + '03929', + '03930', + '03931', + '03932', + '03933', + '03934', + '03935', + '03936', + '03937', + '03938', + '03939', + '03940', + '03941', + '03942', 
+ '03943', + '03944', + '03945', + '03946', + '03947', + '03948', + '03949', + '03950', + '03951', + '03952', + '03953', + '03954', + '03955', + '03956', + '03957', + '03958', + '03959', + '03960', + '03961', + '03962', + '03963', + '03964', + '03965', + '03966', + '03967', + '03968', + '03969', + '03970', + '03971', + '03972', + '03973', + '03974', + '03975', + '03976', + '03977', + '03978', + '03979', + '03980', + '03981', + '03982', + '03983', + '03984', + '03985', + '03986', + '03987', + '03988', + '03989', + '03990', + '03991', + '03992', + '03993', + '03994', + '03995', + '03996', + '03997', + '03998', + '03999', + '04000', + '04001', + '04002', + '04003', + '04004', + '04005', + '04006', + '04007', + '04008', + '04009', + '04010', + '04011', + '04012', + '04013', + '04014', + '04015', + '04016', + '04017', + '04018', + '04019', + '04020', + '04021', + '04022', + '04023', + '04024', + '04025', + '04026', + '04027', + '04028', + '04029', + '04030', + '04031', + '04032', + '04033', + '04034', + '04035', + '04036', + '04037', + '04038', + '04039', + '04040', + '04041', + '04042', + '04043', + '04044', + '04045', + '04046', + '04047', + '04048', + '04049', + '04050', + '04051', + '04052', + '04053', + '04054', + '04055', + '04056', + '04057', + '04058', + '04059', + '04060', + '04061', + '04062', + '04063', + '04064', + '04065', + '04066', + '04067', + '04068', + '04069', + '04070', + '04071', + '04072', + '04073', + '04074', + '04075', + '04076', + '04077', + '04078', + '04079', + '04080', + '04081', + '04082', + '04083', + '04084', + '04085', + '04086', + '04087', + '04088', + '04089', + '04090', + '04091', + '04092', + '04093', + '04094', + '04095', + '04096', + '04097', + '04098', + '04099', + '04100', + '04101', + '04102', + '04103', + '04104', + '04105', + '04106', + '04107', + '04108', + '04109', + '04110', + '04111', + '04112', + '04113', + '04114', + '04115', + '04116', + '04117', + '04118', + '04119', + '04120', + '04121', + '04122', + '04123', + 
'04124', + '04125', + '04126', + '04127', + '04128', + '04129', + '04130', + '04131', + '04132', + '04133', + '04134', + '04135', + '04136', + '04137', + '04138', + '04139', + '04140', + '04141', + '04142', + '04143', + '04144', + '04145', + '04146', + '04147', + '04148', + '04149', + '04150', + '04151', + '04152', + '04153', + '04154', + '04155', + '04156', + '04157', + '04158', + '04159', + '04160', + '04161', + '04162', + '04163', + '04164', + '04165', + '04166', + '04167', + '04168', + '04169', + '04170', + '04171', + '04172', + '04173', + '04174', + '04175', + '04176', + '04177', + '04178', + '04179', + '04180', + '04181', + '04182', + '04183', + '04184', + '04185', + '04186', + '04187', + '04188', + '04189', + '04190', + '04191', + '04192', + '04193', + '04194', + '04195', + '04196', + '04197', + '04198', + '04199', + '04200', + '04201', + '04202', + '04203', + '04204', + '04205', + '04206', + '04207', + '04208', + '04209', + '04210', + '04211', + '04212', + '04213', + '04214', + '04215', + '04216', + '04217', + '04218', + '04219', + '04220', + '04221', + '04222', + '04223', + '04224', + '04225', + '04226', + '04227', + '04228', + '04229', + '04230', + '04231', + '04232', + '04233', + '04234', + '04235', + '04236', + '04237', + '04238', + '04239', + '04240', + '04241', + '04242', + '04243', + '04244', + '04245', + '04246', + '04247', + '04248', + '04249', + '04250', + '04251', + '04252', + '04253', + '04254', + '04255', + '04256', + '04257', + '04258', + '04259', + '04260', + '04261', + '04262', + '04263', + '04264', + '04265', + '04266', + '04267', + '04268', + '04269', + '04270', + '04271', + '04272', + '04273', + '04274', + '04275', + '04276', + '04277', + '04278', + '04279', + '04280', + '04281', + '04282', + '04283', + '04284', + '04285', + '04286', + '04287', + '04288', + '04289', + '04290', + '04291', + '04292', + '04293', + '04294', + '04295', + '04296', + '04297', + '04298', + '04299', + '04300', + '04301', + '04302', + '04303', + '04304', + '04305', 
+ '04306', + '04307', + '04308', + '04309', + '04310', + '04311', + '04312', + '04313', + '04314', + '04315', + '04316', + '04317', + '04318', + '04319', + '04320', + '04321', + '04322', + '04323', + '04324', + '04325', + '04326', + '04327', + '04328', + '04329', + '04330', + '04331', + '04332', + '04333', + '04334', + '04335', + '04336', + '04337', + '04338', + '04339', + '04340', + '04341', + '04342', + '04343', + '04344', + '04345', + '04346', + '04347', + '04348', + '04349', + '04350', + '04351', + '04352', + '04353', + '04354', + '04355', + '04356', + '04357', + '04358', + '04359', + '04360', + '04361', + '04362', + '04363', + '04364', + '04365', + '04366', + '04367', + '04368', + '04369', + '04370', + '04371', + '04372', + '04373', + '04374', + '04375', + '04376', + '04377', + '04378', + '04379', + '04380', + '04381', + '04382', + '04383', + '04384', + '04385', + '04386', + '04387', + '04388', + '04389', + '04390', + '04391', + '04392', + '04393', + '04394', + '04395', + '04396', + '04397', + '04398', + '04399', + '04400', + '04401', + '04402', + '04403', + '04404', + '04405', + '04406', + '04407', + '04408', + '04409', + '04410', + '04411', + '04412', + '04413', + '04414', + '04415', + '04416', + '04417', + '04418', + '04419', + '04420', + '04421', + '04422', + '04423', + '04424', + '04425', + '04426', + '04427', + '04428', + '04429', + '04430', + '04431', + '04432', + '04433', + '04434', + '04435', + '04436', + '04437', + '04438', + '04439', + '04440', + '04441', + '04442', + '04443', + '04444', + '04445', + '04446', + '04447', + '04448', + '04449', + '04450', + '04451', + '04452', + '04453', + '04454', + '04455', + '04456', + '04457', + '04458', + '04459', + '04460', + '04461', + '04462', + '04463', + '04464', + '04465', + '04466', + '04467', + '04468', + '04469', + '04470', + '04471', + '04472', + '04473', + '04474', + '04475', + '04476', + '04477', + '04478', + '04479', + '04480', + '04481', + '04482', + '04483', + '04484', + '04485', + '04486', + 
'04487', + '04488', + '04489', + '04490', + '04491', + '04492', + '04493', + '04494', + '04495', + '04496', + '04497', + '04498', + '04499', + '04500', + '04501', + '04502', + '04503', + '04504', + '04505', + '04506', + '04507', + '04508', + '04509', + '04510', + '04511', + '04512', + '04513', + '04514', + '04515', + '04516', + '04517', + '04518', + '04519', + '04520', + '04521', + '04522', + '04523', + '04524', + '04525', + '04526', + '04527', + '04528', + '04529', + '04530', + '04531', + '04532', + '04533', + '04534', + '04535', + '04536', + '04537', + '04538', + '04539', + '04540', + '04541', + '04542', + '04543', + '04544', + '04545', + '04546', + '04547', + '04548', + '04549', + '04550', + '04551', + '04552', + '04553', + '04554', + '04555', + '04556', + '04557', + '04558', + '04559', + '04560', + '04561', + '04562', + '04563', + '04564', + '04565', + '04566', + '04567', + '04568', + '04569', + '04570', + '04571', + '04572', + '04573', + '04574', + '04575', + '04576', + '04577', + '04578', + '04579', + '04580', + '04581', + '04582', + '04583', + '04584', + '04585', + '04586', + '04587', + '04588', + '04589', + '04590', + '04591', + '04592', + '04593', + '04594', + '04595', + '04596', + '04597', + '04598', + '04599', + '04600', + '04601', + '04602', + '04603', + '04604', + '04605', + '04606', + '04607', + '04608', + '04609', + '04610', + '04611', + '04612', + '04613', + '04614', + '04615', + '04616', + '04617', + '04618', + '04619', + '04620', + '04621', + '04622', + '04623', + '04624', + '04625', + '04626', + '04627', + '04628', + '04629', + '04630', + '04631', + '04632', + '04633', + '04634', + '04635', + '04636', + '04637', + '04638', + '04639', + '04640', + '04641', + '04642', + '04643', + '04644', + '04645', + '04646', + '04647', + '04648', + '04649', + '04650', + '04651', + '04652', + '04653', + '04654', + '04655', + '04656', + '04657', + '04658', + '04659', + '04660', + '04661', + '04662', + '04663', + '04664', + '04665', + '04666', + '04667', + '04668', 
+ '04669', + '04670', + '04671', + '04672', + '04673', + '04674', + '04675', + '04676', + '04677', + '04678', + '04679', + '04680', + '04681', + '04682', + '04683', + '04684', + '04685', + '04686', + '04687', + '04688', + '04689', + '04690', + '04691', + '04692', + '04693', + '04694', + '04695', + '04696', + '04697', + '04698', + '04699', + '04700', + '04701', + '04702', + '04703', + '04704', + '04705', + '04706', + '04707', + '04708', + '04709', + '04710', + '04711', + '04712', + '04713', + '04714', + '04715', + '04716', + '04717', + '04718', + '04719', + '04720', + '04721', + '04722', + '04723', + '04724', + '04725', + '04726', + '04727', + '04728', + '04729', + '04730', + '04731', + '04732', + '04733', + '04734', + '04735', + '04736', + '04737', + '04738', + '04739', + '04740', + '04741', + '04742', + '04743', + '04744', + '04745', + '04746', + '04747', + '04748', + '04749', + '04750', + '04751', + '04752', + '04753', + '04754', + '04755', + '04756', + '04757', + '04758', + '04759', + '04760', + '04761', + '04762', + '04763', + '04764', + '04765', + '04766', + '04767', + '04768', + '04769', + '04770', + '04771', + '04772', + '04773', + '04774', + '04775', + '04776', + '04777', + '04778', + '04779', + '04780', + '04781', + '04782', + '04783', + '04784', + '04785', + '04786', + '04787', + '04788', + '04789', + '04790', + '04791', + '04792', + '04793', + '04794', + '04795', + '04796', + '04797', + '04798', + '04799', + '04800', + '04801', + '04802', + '04803', + '04804', + '04805', + '04806', + '04807', + '04808', + '04809', + '04810', + '04811', + '04812', + '04813', + '04814', + '04815', + '04816', + '04817', + '04818', + '04819', + '04820', + '04821', + '04822', + '04823', + '04824', + '04825', + '04826', + '04827', + '04828', + '04829', + '04830', + '04831', + '04832', + '04833', + '04834', + '04835', + '04836', + '04837', + '04838', + '04839', + '04840', + '04841', + '04842', + '04843', + '04844', + '04845', + '04846', + '04847', + '04848', + '04849', + 
'04850', + '04851', + '04852', + '04853', + '04854', + '04855', + '04856', + '04857', + '04858', + '04859', + '04860', + '04861', + '04862', + '04863', + '04864', + '04865', + '04866', + '04867', + '04868', + '04869', + '04870', + '04871', + '04872', + '04873', + '04874', + '04875', + '04876', + '04877', + '04878', + '04879', + '04880', + '04881', + '04882', + '04883', + '04884', + '04885', + '04886', + '04887', + '04888', + '04889', + '04890', + '04891', + '04892', + '04893', + '04894', + '04895', + '04896', + '04897', + '04898', + '04899', + '04900', + '04901', + '04902', + '04903', + '04904', + '04905', + '04906', + '04907', + '04908', + '04909', + '04910', + '04911', + '04912', + '04913', + '04914', + '04915', + '04916', + '04917', + '04918', + '04919', + '04920', + '04921', + '04922', + '04923', + '04924', + '04925', + '04926', + '04927', + '04928', + '04929', + '04930', + '04931', + '04932', + '04933', + '04934', + '04935', + '04936', + '04937', + '04938', + '04939', + '04940', + '04941', + '04942', + '04943', + '04944', + '04945', + '04946', + '04947', + '04948', + '04949', + '04950', + '04951', + '04952', + '04953', + '04954', + '04955', + '04956', + '04957', + '04958', + '04959', + '04960', + '04961', + '04962', + '04963', + '04964', + '04965', + '04966', + '04967', + '04968', + '04969', + '04970', + '04971', + '04972', + '04973', + '04974', + '04975', + '04976', + '04977', + '04978', + '04979', + '04980', + '04981', + '04982', + '04983', + '04984', + '04985', + '04986', + '04987', + '04988', + '04989', + '04990', + '04991', + '04992', + '04993', + '04994', + '04995', + '04996', + '04997', + '04998', + '04999', + '05000']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-TEST-last-affected-01', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 
'issue_id': None,
+ 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc),
+ 'project': ['https://osv-test/repo/url'],
+ 'public': True,
+ 'purl': [],
+ 'reference_url_types': {'https://ref.com/ref': 'WEB'},
+ 'regressed': '',
+ 'related': [],
+ 'search_indices': [ '01',
+ 'affected',
+ 'affected-01',
+ 'git',
+ 'https',
+ 'https://osv-test/repo/url',
+ 'last',
+ 'last-affected',
+ 'last-affected-01',
+ 'osv',
+ 'osv-test',
+ 'osv-test-last',
+ 'osv-test-last-affected',
+ 'osv-test-last-affected-01',
+ 'osv-test/repo/url',
+ 'repo',
+ 'test',
+ 'test-last',
+ 'test-last-affected',
+ 'test-last-affected-01',
+ 'url'],
+ 'search_tags': ['https://osv-test/repo/url', 'osv-test-last-affected-01'],
+ 'semver_fixed_indexes': [],
+ 'severities': [],
+ 'source': 'source',
+ 'source_id': 'source:OSV-TEST-last-affected-01.yaml',
+ 'source_of_truth': 2,
+ 'status': 1,
+ 'summary': 'A vulnerability',
+ 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc),
+ 'upstream_raw': [],
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt
new file mode 100644
index 00000000000..f3b59017be9
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt
@@ -0,0 +1,66 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'last_affected', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': ['v0.1.1', 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-TEST-last-affected-01', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '01', + 'affected', + 'affected-01', + 'git', + 'https://osv-test/repo/url', + 'last', + 'last-affected', + 'last-affected-01', + 'osv', + 'osv-test', + 'osv-test-last', + 'osv-test-last-affected', + 'osv-test-last-affected-01', + 'osv-test/repo/url', + 'repo', + 'test', + 'test-last', + 'test-last-affected', + 'test-last-affected-01', + 'url'], + 'search_tags': ['osv-test-last-affected-01'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-TEST-last-affected-01.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt
new file mode 100644
index 00000000000..db898e1515c
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt
@@ -0,0 +1,63 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'scrapy', + 'purl': 'pkg:pypi/scrapy'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.14.2'}, + { 'type': 'fixed', + 'value': '1.31.0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': []}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'PYSEC-456', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'PyPI'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['scrapy'], + 'public': True, + 'purl': ['pkg:pypi/scrapy'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '456', + 'git', + 'https://osv-test/repo/url', + 'osv-test/repo/url', + 'pypi', + 'pysec', + 'pysec-456', + 'repo', + 'scrapy', + 'url'], + 'search_tags': ['pysec-456', 'scrapy'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:PYSEC-456.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability in an unnormalized package', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt
new file mode 100644
index 00000000000..d97673f2dc1
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt
@@ -0,0 +1 @@
+[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-456", "summary": "A vulnerability in an unnormalized package", "details": "Blah blah blah\\nBlah\\n", "modified": "2022-10-07T18:59:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "scrapy", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": []}]}')]
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt
new file mode 100644
index 00000000000..1180b274143
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt
@@ -0,0 +1 @@
+[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-123", "summary": "A vulnerability", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "grpcio", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": ["1.14.2", "1.15.0", "1.15.0rc1", "1.16.0", "1.16.0rc1", "1.16.1", "1.17.0", "1.17.1", "1.18.0", "1.19.0", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.1", "1.21.0rc1", "1.21.1", "1.21.1rc1", "1.22.0", "1.22.0rc1", "1.22.1", "1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.1", "1.24.3", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.27.0rc1", "1.27.0rc2", "1.27.1", "1.27.2", "1.28.0rc1", "1.28.0rc2", "1.28.1", "1.29.0", "1.30.0"]}]}')]
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt
new file mode 100644
index 00000000000..07664040628
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt
@@ -0,0 +1,437 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '3.11.0-12.19', + '3.12.0-1.3', + '3.12.0-2.5', + '3.12.0-2.7', + '3.12.0-3.8', + '3.12.0-3.9', + '3.12.0-4.10', + '3.12.0-4.12', + '3.12.0-5.13', + '3.12.0-7.15', + '3.13.0-1.16', + '3.13.0-10.30', + '3.13.0-100.147', + '3.13.0-101.148', + '3.13.0-103.150', + '3.13.0-105.152', + '3.13.0-106.153', + '3.13.0-107.154', + '3.13.0-108.155', + '3.13.0-109.156', + '3.13.0-11.31', + '3.13.0-110.157', + '3.13.0-111.158', + '3.13.0-112.159', + '3.13.0-113.160', + '3.13.0-115.162', + '3.13.0-116.163', + '3.13.0-117.164', + '3.13.0-119.166', + '3.13.0-12.32', + '3.13.0-121.170', + '3.13.0-123.172', + '3.13.0-125.174', + '3.13.0-126.175', + '3.13.0-128.177', + '3.13.0-129.178', + '3.13.0-13.33', + '3.13.0-132.181', + '3.13.0-133.182', + '3.13.0-135.184', + '3.13.0-137.186', + '3.13.0-139.188', + '3.13.0-14.34', + '3.13.0-141.190', + '3.13.0-142.191', + '3.13.0-143.192', + '3.13.0-144.193', + '3.13.0-145.194', + '3.13.0-147.196', + '3.13.0-149.199', + '3.13.0-15.35', + '3.13.0-151.201', + '3.13.0-153.203', + '3.13.0-155.205', + '3.13.0-156.206', + '3.13.0-157.207', + '3.13.0-158.208', + '3.13.0-16.36', + '3.13.0-160.210', + '3.13.0-161.211', + '3.13.0-162.212', + '3.13.0-163.213', + '3.13.0-164.214', + '3.13.0-165.215', + '3.13.0-166.216', + '3.13.0-167.217', + '3.13.0-168.218', + '3.13.0-169.219', + '3.13.0-17.37', + '3.13.0-170.220', + '3.13.0-173.224', + '3.13.0-174.225', + '3.13.0-175.226', + '3.13.0-176.227', + '3.13.0-18.38', + '3.13.0-180.231', + '3.13.0-181.232', + '3.13.0-182.233', + '3.13.0-183.234', + '3.13.0-184.235', + '3.13.0-185.236', + '3.13.0-186.237', + '3.13.0-187.238', + '3.13.0-188.239', + '3.13.0-189.240', + '3.13.0-19.39', + '3.13.0-19.40', + '3.13.0-190.241', + '3.13.0-191.242', + '3.13.0-192.243', + '3.13.0-193.244', + '3.13.0-194.245', + '3.13.0-195.246', + '3.13.0-196.247', + '3.13.0-197.248', + '3.13.0-198.249', + '3.13.0-199.250', + '3.13.0-2.17', + 
'3.13.0-20.42', + '3.13.0-200.251', + '3.13.0-201.252', + '3.13.0-202.253', + '3.13.0-203.254', + '3.13.0-204.255', + '3.13.0-205.256', + '3.13.0-206.257', + '3.13.0-21.43', + '3.13.0-22.44', + '3.13.0-23.45', + '3.13.0-24.46', + '3.13.0-24.47', + '3.13.0-27.50', + '3.13.0-29.53', + '3.13.0-3.18', + '3.13.0-30.54', + '3.13.0-30.55', + '3.13.0-32.57', + '3.13.0-33.58', + '3.13.0-34.60', + '3.13.0-35.62', + '3.13.0-36.63', + '3.13.0-37.64', + '3.13.0-39.66', + '3.13.0-4.19', + '3.13.0-40.69', + '3.13.0-41.70', + '3.13.0-43.72', + '3.13.0-44.73', + '3.13.0-45.74', + '3.13.0-46.75', + '3.13.0-46.76', + '3.13.0-46.77', + '3.13.0-46.79', + '3.13.0-48.80', + '3.13.0-49.81', + '3.13.0-49.83', + '3.13.0-5.20', + '3.13.0-51.84', + '3.13.0-52.85', + '3.13.0-52.86', + '3.13.0-53.88', + '3.13.0-53.89', + '3.13.0-54.91', + '3.13.0-55.92', + '3.13.0-55.94', + '3.13.0-57.95', + '3.13.0-58.97', + '3.13.0-59.98', + '3.13.0-6.23', + '3.13.0-61.100', + '3.13.0-62.102', + '3.13.0-63.103', + '3.13.0-65.105', + '3.13.0-65.106', + '3.13.0-66.108', + '3.13.0-67.110', + '3.13.0-68.111', + '3.13.0-7.25', + '3.13.0-7.26', + '3.13.0-70.113', + '3.13.0-71.114', + '3.13.0-73.116', + '3.13.0-74.118', + '3.13.0-76.120', + '3.13.0-77.121', + '3.13.0-79.123', + '3.13.0-8.27', + '3.13.0-8.28', + '3.13.0-83.127', + '3.13.0-85.129', + '3.13.0-86.130', + '3.13.0-86.131', + '3.13.0-87.133', + '3.13.0-88.135', + '3.13.0-91.138', + '3.13.0-92.139', + '3.13.0-93.140', + '3.13.0-95.142', + '3.13.0-96.143', + '3.13.0-98.145'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Ubuntu:Pro:14.04:LTS', + 'name': 'linux', + 'purl': 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '3.11.0-12.19', + '3.12.0-1.3', + '3.12.0-2.5', + '3.12.0-2.7', + 
'3.12.0-3.8', + '3.12.0-3.9', + '3.12.0-4.10', + '3.12.0-4.12', + '3.12.0-5.13', + '3.12.0-7.15', + '3.13.0-1.16', + '3.13.0-2.17', + '3.13.0-3.18', + '3.13.0-4.19', + '3.13.0-5.20', + '3.13.0-6.23', + '3.13.0-7.25', + '3.13.0-7.26', + '3.13.0-8.27', + '3.13.0-8.28', + '3.13.0-10.30', + '3.13.0-11.31', + '3.13.0-12.32', + '3.13.0-13.33', + '3.13.0-14.34', + '3.13.0-15.35', + '3.13.0-16.36', + '3.13.0-17.37', + '3.13.0-18.38', + '3.13.0-19.39', + '3.13.0-19.40', + '3.13.0-20.42', + '3.13.0-21.43', + '3.13.0-22.44', + '3.13.0-23.45', + '3.13.0-24.46', + '3.13.0-24.47', + '3.13.0-27.50', + '3.13.0-29.53', + '3.13.0-30.54', + '3.13.0-30.55', + '3.13.0-32.57', + '3.13.0-33.58', + '3.13.0-34.60', + '3.13.0-35.62', + '3.13.0-36.63', + '3.13.0-37.64', + '3.13.0-39.66', + '3.13.0-40.69', + '3.13.0-41.70', + '3.13.0-43.72', + '3.13.0-44.73', + '3.13.0-45.74', + '3.13.0-46.75', + '3.13.0-46.76', + '3.13.0-46.77', + '3.13.0-46.79', + '3.13.0-48.80', + '3.13.0-49.81', + '3.13.0-49.83', + '3.13.0-51.84', + '3.13.0-52.85', + '3.13.0-52.86', + '3.13.0-53.88', + '3.13.0-53.89', + '3.13.0-54.91', + '3.13.0-55.92', + '3.13.0-55.94', + '3.13.0-57.95', + '3.13.0-58.97', + '3.13.0-59.98', + '3.13.0-61.100', + '3.13.0-62.102', + '3.13.0-63.103', + '3.13.0-65.105', + '3.13.0-65.106', + '3.13.0-66.108', + '3.13.0-67.110', + '3.13.0-68.111', + '3.13.0-70.113', + '3.13.0-71.114', + '3.13.0-73.116', + '3.13.0-74.118', + '3.13.0-76.120', + '3.13.0-77.121', + '3.13.0-79.123', + '3.13.0-83.127', + '3.13.0-85.129', + '3.13.0-86.130', + '3.13.0-86.131', + '3.13.0-87.133', + '3.13.0-88.135', + '3.13.0-91.138', + '3.13.0-92.139', + '3.13.0-93.140', + '3.13.0-95.142', + '3.13.0-96.143', + '3.13.0-98.145', + '3.13.0-100.147', + '3.13.0-101.148', + '3.13.0-103.150', + '3.13.0-105.152', + '3.13.0-106.153', + '3.13.0-107.154', + '3.13.0-108.155', + '3.13.0-109.156', + '3.13.0-110.157', + '3.13.0-111.158', + '3.13.0-112.159', + '3.13.0-113.160', + '3.13.0-115.162', + '3.13.0-116.163', + '3.13.0-117.164', 
+ '3.13.0-119.166', + '3.13.0-121.170', + '3.13.0-123.172', + '3.13.0-125.174', + '3.13.0-126.175', + '3.13.0-128.177', + '3.13.0-129.178', + '3.13.0-132.181', + '3.13.0-133.182', + '3.13.0-135.184', + '3.13.0-137.186', + '3.13.0-139.188', + '3.13.0-141.190', + '3.13.0-142.191', + '3.13.0-143.192', + '3.13.0-144.193', + '3.13.0-145.194', + '3.13.0-147.196', + '3.13.0-149.199', + '3.13.0-151.201', + '3.13.0-153.203', + '3.13.0-155.205', + '3.13.0-156.206', + '3.13.0-157.207', + '3.13.0-158.208', + '3.13.0-160.210', + '3.13.0-161.211', + '3.13.0-162.212', + '3.13.0-163.213', + '3.13.0-164.214', + '3.13.0-165.215', + '3.13.0-166.216', + '3.13.0-167.217', + '3.13.0-168.218', + '3.13.0-169.219', + '3.13.0-170.220', + '3.13.0-173.224', + '3.13.0-174.225', + '3.13.0-175.226', + '3.13.0-176.227', + '3.13.0-180.231', + '3.13.0-181.232', + '3.13.0-182.233', + '3.13.0-183.234', + '3.13.0-184.235', + '3.13.0-185.236', + '3.13.0-186.237', + '3.13.0-187.238', + '3.13.0-188.239', + '3.13.0-189.240', + '3.13.0-190.241', + '3.13.0-191.242', + '3.13.0-192.243', + '3.13.0-193.244', + '3.13.0-194.245', + '3.13.0-195.246', + '3.13.0-196.247', + '3.13.0-197.248', + '3.13.0-198.249', + '3.13.0-199.250', + '3.13.0-200.251', + '3.13.0-201.252', + '3.13.0-202.253', + '3.13.0-203.254', + '3.13.0-204.255', + '3.13.0-205.256', + '3.13.0-206.257']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'UBUNTU-CVE-2025-38094', + 'details': 'In the Linux kernel, the following vulnerability has been ' + 'resolved: net: cadence: macb: Fix a possible deadlock in ' + 'macb_halt_tx. There is a situation where after THALT is set ' + 'high, TGO stays high as well. Because jiffies are never ' + 'updated, as we are in a context with interrupts disabled, we ' + 'never exit that loop and have a deadlock. That deadlock was ' + 'noticed on a sama5d4 device that stayed locked for days. 
Use ' + 'retries instead of jiffies so that the timeout really works ' + 'and we do not have a deadlock anymore.', + 'ecosystem': ['Ubuntu', 'Ubuntu:14.04', 'Ubuntu:Pro:14.04:LTS'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['linux'], + 'public': True, + 'purl': [ 'pkg:deb/ubuntu/linux@3.13.0-206.257', + 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'], + 'reference_url_types': { 'https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', + 'https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d': 'REPORT', + 'https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4': 'REPORT', + 'https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48': 'REPORT', + 'https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2': 'REPORT', + 'https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37': 'REPORT', + 'https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7': 'REPORT', + 'https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', + 'https://ubuntu.com/security/CVE-2025-38094': 'REPORT', + 'https://www.cve.org/CVERecord?id=CVE-2025-38094': 'REPORT'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '04', + '14', + '2025', + '2025-38094', + '38094', + 'cve', + 'cve-2025', + 'cve-2025-38094', + 'linux', + 'lts', + 'pro', + 'ubuntu', + 'ubuntu-cve', + 'ubuntu-cve-2025', + 'ubuntu-cve-2025-38094', + 'ubuntu:14.04', + 'ubuntu:pro:14.04:lts'], + 'search_tags': ['linux', 'ubuntu-cve-2025-38094'], + 'semver_fixed_indexes': [], + 'severities': [{'score': 'medium', 'type': 'Ubuntu'}], + 'source': 'source', + 'source_id': 'source:UBUNTU-CVE-2025-38094.json', + 
'source_of_truth': 2,
+ 'status': 1,
+ 'summary': '',
+ 'timestamp': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc),
+ 'upstream_raw': ['CVE-2025-38094'],
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt
new file mode 100644
index 00000000000..654da618d93
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt
@@ -0,0 +1,70 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [ { 'contact': ['mailto:foo@bar.com'], + 'name': 'Foo bar', + 'type': None}], + 'database_specific': {'specific': 1337.0}, + 'db_id': 'OSV-123', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '123', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-123', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-123'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 
'source:OSV-123.yaml',
+ 'source_of_truth': 2,
+ 'status': 1,
+ 'summary': 'A vulnerability',
+ 'timestamp': None,
+ 'upstream_raw': [],
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt
new file mode 100644
index 00000000000..a5ae0a7faa7
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt
@@ -0,0 +1,67 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-124', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '124', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-124', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-124'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-124.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': None, + 'upstream_raw': [], 
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt
new file mode 100644
index 00000000000..f1001d855f0
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt
@@ -0,0 +1,689 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.15-r0', + '10.4.17-r0', + '10.4.17-r1', + '10.4.18-r0', + '10.4.19-r0', + '10.4.21-r0', + '10.4.22-r0', + '10.4.24-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.10-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.12', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 
'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.4.25-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.15-r0', + '10.4.17-r0', + '10.4.17-r1', + '10.4.18-r0', + '10.4.19-r0', + '10.4.21-r0', + '10.4.22-r0', + '10.4.24-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.13', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.5.16-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + 
'10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.10-r0', + '10.5.11-r0', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.14', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.5.16-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', 
+ '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.15', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.6.8-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', 
+ '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.16', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.6.8-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + 
'10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'CVE-2022-27449', + 'details': 'MariaDB Server v10.9 and below was discovered to contain a ' + 'segmentation fault via the component sql/item_func.cc:148.', + 'ecosystem': [ 'Alpine', + 'Alpine:v3.12', + 'Alpine:v3.13', + 'Alpine:v3.14', + 'Alpine:v3.15', + 'Alpine:v3.16'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['mariadb'], + 'public': True, + 'purl': ['pkg:alpine/mariadb'], + 'reference_url_types': { 'https://jira.mariadb.org/browse/MDEV-28089': 'WEB', + 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html': 'WEB', + 'https://security.netapp.com/advisory/ntap-20220526-0006/': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '12', + '13', + '14', + '15', + '16', + '2022', + '2022-27449', + '27449', + 'alpine', + 
'alpine:v3.12', + 'alpine:v3.13', + 'alpine:v3.14', + 'alpine:v3.15', + 'alpine:v3.16', + 'cve', + 'cve-2022', + 'cve-2022-27449', + 'mariadb', + 'v3'], + 'search_tags': ['cve-2022-27449', 'mariadb'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:CVE-2022-27449.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': DatetimeWithNanoseconds(2022, 4, 14, 13, 15, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt new file mode 100644 index 00000000000..d5828e36cba --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt @@ -0,0 +1,7 @@ +{ 'details': 'Blah blah blah\nBlah\n', + 'id': 'OSV-129', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt new file mode 100644 index 00000000000..184148e93f4 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt 
@@ -0,0 +1,104 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/runc/libcontainer/apparmor', + 'symbols': [ 'ApplyProfile']}, + { 'path': 'github.com/opencontainers/runc/libcontainer/utils', + 'symbols': [ 'CloseExecFrom']}]}, + 'package': { 'ecosystem': 'Go', + 'name': 'github.com/opencontainers/runc', + 'purl': 'pkg:golang/github.com/opencontainers/runc'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '1.0.0-rc8.0.20190930145003-cad42f6e0932'}], + 'repo_url': '', + 'type': 'SEMVER'}], + 'severities': [], + 'versions': []}, + { 'database_specific': None, + 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/selinux/go-selinux', + 'symbols': [ 'readCon', + 'writeCon']}]}, + 'package': { 'ecosystem': 'Go', + 'name': 'github.com/opencontainers/selinux', + 'purl': 'pkg:golang/github.com/opencontainers/selinux'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '1.3.1-0.20190929122143-5215b1806f52'}], + 'repo_url': '', + 'type': 'SEMVER'}], + 'severities': [], + 'versions': []}], + 'aliases': ['CVE-2019-16884', 'GHSA-fgv8-vj5c-2ppq'], + 'credits': [{'contact': [], 'name': 'Leopold Schabel', 'type': None}], + 'database_specific': {'url': 'https://pkg.go.dev/vuln/GO-2021-0085'}, + 'db_id': 'GO-2021-0085', + 'details': 'AppArmor restrictions may be bypassed due to improper ' + 'validation of mount targets, allowing a malicious image to ' + 'mount volumes over e.g. 
/proc.', + 'ecosystem': ['Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2023, 4, 3, 15, 57, 51, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [ 'github.com/opencontainers/runc', + 'github.com/opencontainers/selinux'], + 'public': True, + 'purl': [ 'pkg:golang/github.com/opencontainers/runc', + 'pkg:golang/github.com/opencontainers/selinux'], + 'reference_url_types': { 'https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4': 'FIX', + 'https://github.com/opencontainers/runc/issues/2128': 'WEB', + 'https://github.com/opencontainers/runc/pull/2130': 'FIX', + 'https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da': 'FIX'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '0085', + '16884', + '2019', + '2019-16884', + '2021', + '2021-0085', + '2ppq', + 'com', + 'cve', + 'cve-2019', + 'cve-2019-16884', + 'fgv8', + 'fgv8-vj5c', + 'fgv8-vj5c-2ppq', + 'ghsa', + 'ghsa-fgv8', + 'ghsa-fgv8-vj5c', + 'ghsa-fgv8-vj5c-2ppq', + 'github', + 'github.com/opencontainers/runc', + 'github.com/opencontainers/selinux', + 'go', + 'go-2021', + 'go-2021-0085', + 'opencontainers', + 'runc', + 'selinux', + 'vj5c', + 'vj5c-2ppq'], + 'search_tags': [ 'github.com/opencontainers/runc', + 'github.com/opencontainers/selinux', + 'go-2021-0085'], + 'semver_fixed_indexes': [ '00000001.00000000.00000000-1rc8.00000000.120190930145003-cad42f6e0932', + '00000001.00000003.00000001-00000000.120190929122143-5215b1806f52'], + 'severities': [], + 'source': 'source', + 'source_id': 'source:a/b/test.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': DatetimeWithNanoseconds(2021, 4, 14, 20, 4, 52, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt new file mode 100644 index 00000000000..73a984afc15 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt @@ -0,0 +1,50 @@ +{ 'affected': [], + 'affected_fuzzy': [], + 'affected_packages': [], + 'aliases': ['CVE-2019-19921'], + 'credits': [], + 'database_specific': None, + 'db_id': 'GO-2021-0087', + 'details': 'A race while mounting volumes allows a possible ' + 'symlink-exchange\n' + 'attack, allowing a user whom can start multiple containers ' + 'with\n' + 'custom volume mount configurations to escape the container.\n' + '\n', + 'ecosystem': [], + 'fixed': '', + 'has_affected': False, + 'import_last_modified': datetime.datetime(2021, 4, 14, 12, 0), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': datetime.datetime(2021, 4, 14, 12, 0), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': { 'https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0': 'FIX', + 'https://github.com/opencontainers/runc/issues/2197': 'WEB', + 'https://github.com/opencontainers/runc/pull/2207': 'FIX'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '0087', + '19921', + '2019', + '2019-19921', + '2021', + '2021-0087', + 'cve', + 'cve-2019', + 'cve-2019-19921', + 'go', + 'go-2021', + 'go-2021-0087'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:a/b/test.json', + 'source_of_truth': 2, + 'status': 2, + 'summary': '', + 'timestamp': datetime.datetime(2021, 4, 14, 12, 0), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt new file mode 100644 index 00000000000..9b228142cd0 --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt 
@@ -0,0 +1,63 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['10', '11'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': { 'severity': 'High', + 'spl': '2021-10-01', + 'type': 'EoP'}, + 'package': { 'ecosystem': 'Android', + 'name': 'Media Framework', + 'purl': None}, + 'ranges': [], + 'severities': [], + 'versions': ['10', '11']}], + 'aliases': ['CVE-2021-0483'], + 'credits': [], + 'database_specific': None, + 'db_id': 'ASB-A-153358911', + 'details': '', + 'ecosystem': ['Android'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['Media Framework'], + 'public': True, + 'purl': [], + 'reference_url_types': { 'https://android.googlesource.com/platform/frameworks/av/+/084077feb6b8c961adcbe77b2bd76601ca54e534': 'FIX', + 'https://android.googlesource.com/platform/frameworks/av/+/cc2165840d524bb9553f9d73d1904633d20100a2': 'FIX', + 'https://source.android.com/security/bulletin/2021-10-01#2021-10-01-security-patch-level-vulnerability-details': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '0483', + '153358911', + '2021', + '2021-0483', + 'a', + 'a-153358911', + 'android', + 'asb', + 'asb-a', + 'asb-a-153358911', + 'cve', + 'cve-2021', + 'cve-2021-0483', + 'framework', + 'media', + 'media framework'], + 'search_tags': ['asb-a-153358911', 'media framework'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:a/b/android-test.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'In multiple methods of AAudioService, there is a possible ' + 'use-after-free due to a race condition. This could lead to ' + 'local escalation of privilege with User execution privileges ' + 'needed. 
User interaction is not needed for exploitation.', + 'timestamp': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt new file mode 100644 index 00000000000..32722079b69 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt 
@@ -0,0 +1,152 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1-2-1', + '1-2-2', + '1-2-3', + '1-2-4', + '1-2-5', + '1-2-6', + '1-3-0', + '1-3-1'], + 'affected_packages': [ { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'line_hashes': [ '18066036635502801806677364178756254862', + '88369412895184753394283011451803187548', + '50848458948504730426650075084385046530', + '91284993680127737564993618090545145416', + '30779278950355321333621475605602830830', + '122421578121241373365155348152646941523', + '267652210589392654099845994262755826062', + '334808111126213430220547654602188383660', + '234389204524678077984531197469034242690', + '152880517379272209571165325006789878786', + '299871312446227378724863519270618301341', + '157634544376100154879962283397081738110', + '103663099829328578689797223848801574827', + '158563421165358858389893196995983570762', + '315965584007238676040631750953088200664'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-929806e0', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '6674387965125354881111149989428882853', + '100741820504985357262218153349452233434', + '253366101641995550384755812786879052342', + '245037096886845520996519599411616661529', + '158852189579109359359946013476030639584', + '298614597347537877121532413760030558894', + '180181956682520524395173299138562004562', + '146502839243717526526406585366671557144', + '244996413515733361838850122849344525825', + '166554563875570093109470347687697544350', + '9427977046515615106319032886256396870', + '279044285883194738631442483325879094037', + '295198785562376785392477306514392217432', + '44714085523243422643465698936438435501', + 
'267608316591780380179772018605253867646', + '182074437577114148436758739432546664545', + '87621961972550109442760282702331746920', + '64897152403082006856773989396486955494', + '184138636401118235309885205539354874180', + '62633257528035095954429323509732904426'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-bd561b7b', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '259495117689681377355427521574538727644', + 'length': 1591.0}, + 'id': 'CVE-2016-15011-d557e328', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java', + 'function': 'DigitalSignatureServiceMetadata'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '249451297539985081987952306682300702892', + 'length': 4302.0}, + 'id': 'CVE-2016-15011-fcf07dd1', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java', + 'function': 'checkSignResponse'}}]}, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '001ef99b0c8194468de960d007e2d82dcebc3bca'}, + { 'type': 'fixed', + 'value': 'ec4238349691ec66dd30b416ec6eaab02d722302'}], + 'repo_url': 'https://github.com/e-contract/dssp', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'dssp-1.2.1', + 
'dssp-1.2.2', + 'dssp-1.2.3', + 'dssp-1.2.4', + 'dssp-1.2.5', + 'dssp-1.2.6', + 'dssp-1.3.0', + 'dssp-1.3.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'CVE-2016-15011', + 'details': 'A vulnerability classified as problematic was found in ' + 'e-Contract dssp up to 1.3.1. Affected by this vulnerability is ' + 'the function checkSignResponse of the file ' + 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. ' + 'The manipulation leads to xml external entity reference. ' + 'Upgrading to version 1.3.2 is able to address this issue. The ' + 'identifier of the patch is ' + 'ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to ' + 'upgrade the affected component. The identifier VDB-217549 was ' + 'assigned to this vulnerability.', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 1, 21, 44, 41, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': { 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302': 'FIX', + 'https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2': 'ADVISORY', + 'https://vuldb.com/?ctiid.217549': 'REPORT', + 'https://vuldb.com/?id.217549': 'REPORT'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '15011', + '2016', + '2016-15011', + 'cve', + 'cve-2016', + 'cve-2016-15011', + 'dssp', + 'e-contract', + 'git', + 'github.com/e-contract/dssp', + 'https://github.com/e-contract/dssp'], + 'search_tags': ['cve-2016-15011'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 'source:a/b/CVE-2016-15011.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': 
DatetimeWithNanoseconds(2023, 1, 6, 10, 15, 9, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt new file mode 100644 index 00000000000..5aebf710c03 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt 
@@ -0,0 +1,95 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.2.1-2.2', + '1.2.1-2.2+wheezy1', + '1.2.1-2.2+wheezy2', + '1.2.1-2.2+wheezy3~bpo60+1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Debian:7', + 'name': 'nginx', + 'purl': 'pkg:deb/debian/nginx?arch=source'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '1.2.1-2.2+wheezy3'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '1.2.1-2.2', + '1.2.1-2.2+wheezy1', + '1.2.1-2.2+wheezy2', + '1.2.1-2.2+wheezy3~bpo60+1']}], + 'aliases': ['CVE-2014-3616'], + 'credits': [], + 'database_specific': None, + 'db_id': 'DSA-3029-1', + 'details': '\n' + 'Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered ' + 'that it was\n' + 'possible to reuse cached SSL sessions in unrelated contexts, ' + 'allowing\n' + 'virtual host confusion attacks in some configurations by an ' + 'attacker in\n' + 'a privileged network position.\n' + '\n' + '\n' + 'For the stable distribution (wheezy), this problem has been ' + 'fixed in\n' + 'version 1.2.1-2.2+wheezy3.\n' + '\n' + '\n' + 'For the testing distribution (jessie), this problem has been ' + 'fixed in\n' + 'version 1.6.2-1.\n' + '\n' + '\n' + 'For the unstable distribution (sid), this problem has been ' + 'fixed in\n' + 'version 1.6.2-1.\n' + '\n' + '\n' + 'We recommend that you upgrade your nginx packages.\n' + '\n' + '\n', + 'ecosystem': ['Debian', 'Debian:7'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2014, 9, 20, 8, 18, 7, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['nginx'], + 'public': True, + 'purl': ['pkg:deb/debian/nginx', 'pkg:deb/debian/nginx?arch=source'], + 'reference_url_types': 
{ 'https://www.debian.org/security/2014/dsa-3029': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '1', + '2014', + '2014-3616', + '3029', + '3029-1', + '3616', + '7', + 'cve', + 'cve-2014', + 'cve-2014-3616', + 'debian', + 'debian:7', + 'dsa', + 'dsa-3029', + 'dsa-3029-1', + 'nginx'], + 'search_tags': ['dsa-3029-1', 'nginx'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:DSA-3029-1.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'nginx - security update', + 'timestamp': DatetimeWithNanoseconds(2014, 9, 20, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt new file mode 100644 index 00000000000..eb8631f7074 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt 
@@ -0,0 +1,129 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0', + '1.31.0'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.14.2'}, + { 'type': 'last_affected', + 'value': '1.31.0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0', + '1.31.0']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'PYSEC-124', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['PyPI'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, 
tzinfo=datetime.timezone.utc), + 'project': ['grpcio'], + 'public': True, + 'purl': ['pkg:pypi/grpcio'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': ['124', 'grpcio', 'pypi', 'pysec', 'pysec-124'], + 'search_tags': ['grpcio', 'pysec-124'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:PYSEC-124.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt new file mode 100644 index 00000000000..dc9a0912254 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt 
@@ -0,0 +1,79 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.13.0', + '1.14.0', + '1.14.0rc1', + '1.14.0rc2', + '1.14.1', + '1.14.2rc1', + 'branch-v0.1.1', + 'v0.1', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'limit', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.13.0'}, + { 'type': 'limit', + 'value': '1.14.2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + '1.13.0', + '1.14.0', + '1.14.0rc1', + '1.14.0rc2', + '1.14.1', + '1.14.2rc1', + 'v0.1', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-128', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'PyPI'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['grpcio'], + 'public': True, + 'purl': ['pkg:pypi/grpcio'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '128', + 'git', + 'grpcio', + 'https://osv-test/repo/url', + 'osv', + 'osv-128', + 'osv-test/repo/url', + 'pypi', + 'repo', + 'url'], + 'search_tags': ['grpcio', 'osv-128'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-128.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, 
tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt new file mode 100644 index 00000000000..18dff8e75c6 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt @@ -0,0 +1,52 @@ +{ 'affected': [], + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Linux', + 'name': 'Kernel', + 'purl': None}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': []}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'LINUX-123', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT','Linux'], + 'fixed': '', + 'has_affected': False, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'project': ['Kernel'], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '123', + 'git', + 'https://osv-test/repo/url', + 'kernel', + 'linux', + 'linux-123', + 'osv-test/repo/url', + 'repo', + 'url'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:LINUX-123.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(2021, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt new file mode 100644 index 00000000000..38df7620556 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt 
@@ -0,0 +1,100 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '0.7.0-incubating', + '0.8.0', + '0.9.0', + '1.0', + '1.1', + '2.0', + '2.1', + '2.2', + '2.3', + '2.4'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Maven', + 'name': 'org.apache.any23:apache-any23', + 'purl': 'pkg:maven/org.apache.any23/apache-any23'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '2.5'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '0.7.0-incubating', + '0.8.0', + '0.9.0', + '1.0', + '1.1', + '2.0', + '2.1', + '2.2', + '2.3', + '2.4']}], + 'aliases': ['CVE-2021-38555'], + 'credits': [], + 'database_specific': { 'cwe_ids': ['CWE-611'], + 'github_reviewed': True, + 'github_reviewed_at': '2021-09-13T19:31:01Z', + 'nvd_published_at': '2021-09-11T11:15:00Z', + 'severity': 'CRITICAL'}, + 'db_id': 'GHSA-838r-hvwh-24h8', + 'details': 'An XML external entity (XXE) injection vulnerability was ' + 'discovered in the Any23 StreamUtils.java file and is known to ' + 'affect Any23 versions < 2.5. XML external entity injection ' + '(also known as XXE) is a web security vulnerability that ' + "allows an attacker to interfere with an application's " + 'processing of XML data. 
It often allows an attacker to view ' + 'files on the application server filesystem, and to interact ' + 'with any back-end or external systems that the application ' + 'itself can access.', + 'ecosystem': ['Maven'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2021, 9, 24, 13, 10, 5, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['org.apache.any23:apache-any23'], + 'public': True, + 'purl': ['pkg:maven/org.apache.any23/apache-any23'], + 'reference_url_types': { 'https://github.com/apache/any23': 'PACKAGE', + 'https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E': 'WEB', + 'https://nvd.nist.gov/vuln/detail/CVE-2021-38555': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '2021', + '2021-38555', + '24h8', + '38555', + '838r', + '838r-hvwh', + '838r-hvwh-24h8', + 'any23', + 'apache', + 'cve', + 'cve-2021', + 'cve-2021-38555', + 'ghsa', + 'ghsa-838r', + 'ghsa-838r-hvwh', + 'ghsa-838r-hvwh-24h8', + 'hvwh', + 'hvwh-24h8', + 'maven', + 'org', + 'org.apache.any23:apache-any23'], + 'search_tags': ['ghsa-838r-hvwh-24h8', 'org.apache.any23:apache-any23'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 'source:GHSA-838r-hvwh-24h8.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'XML Injection in Any23', + 'timestamp': DatetimeWithNanoseconds(2021, 9, 13, 20, 6, 31, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt new file mode 100644 index 00000000000..7c36f197aad --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt 
@@ -0,0 +1,67 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-126', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '126', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-126', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-126'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-126.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, 
tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt new file mode 100644 index 00000000000..821fb369530 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt 
@@ -0,0 +1,67 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-127', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '127', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-127', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-127'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-127.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': None, + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt new file mode 100644 index 00000000000..39b24a9dd51 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt @@ -0,0 +1,7 @@ +{ 'details': 'Blah blah blah\nBlah\n', + 'id': 'OSV-131', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt new file mode 100644 index 00000000000..3c2c9cfd004 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt 
@@ -0,0 +1,65 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'blah.com/package', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-130', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '130', + 'blah', + 'blah.com/package', + 'com', + 'ecosystem', + 'git', + 'https://osv-test/repo/url', + 'osv', + 'osv-130', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-130'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-130.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt new file mode 100644 index 00000000000..17d13fe02f8 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt 
@@ -0,0 +1,143 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.14.2'}, + { 'type': 'fixed', + 'value': '1.31.0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'PYSEC-123', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'PyPI'], + 'fixed': 
'', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['grpcio'], + 'public': True, + 'purl': ['pkg:pypi/grpcio'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '123', + 'git', + 'grpcio', + 'https://osv-test/repo/url', + 'osv-test/repo/url', + 'pypi', + 'pysec', + 'pysec-123', + 'repo', + 'url'], + 'search_tags': ['grpcio', 'pysec-123'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:PYSEC-123.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/recoverer/recoverer.py b/gcp/workers/recoverer/recoverer.py index 36bba14454c..3ceee794f5d 100644 --- a/gcp/workers/recoverer/recoverer.py +++ b/gcp/workers/recoverer/recoverer.py @@ -19,14 +19,18 @@ import logging import os import sys +import time from google.cloud import ndb from google.cloud import pubsub_v1 import osv +import osv.models +import osv.sources from osv.logs import setup_gcp_logging _FAILED_TASKS_SUBSCRIPTION = 'recovery' +_TASKS_TOPIC = 'tasks' _ndb_client = None @@ -54,6 +58,7 @@ def handle_gcs_retry(message: pubsub_v1.types.PubsubMessage) -> bool: } }) return True + logging.info('gcs_retry: vulnerability: %s', vuln.id) modified = vuln.modified.ToDatetime(datetime.UTC) bucket = osv.gcs.get_osv_bucket() path = os.path.join(osv.gcs.VULN_PB_PATH, vuln.id + '.pb') 
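Review bot: `import osv.models` is not referenced by any of the new code in this file's hunks — `osv.Vulnerability` is reached through the top-level `osv` package and source-id parsing through `osv.sources` — so it reads as a leftover, unless importing the module is needed as a side effect to register the model class. If it is needed for that reason, a one-line comment such as `import osv.models  # registers the Vulnerability model` would stop the next reader from removing it.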
@@ -80,24 +85,42 @@ def handle_gcs_retry(message: pubsub_v1.types.PubsubMessage) -> bool: def handle_gcs_missing(message: pubsub_v1.types.PubsubMessage) -> bool: """Handle a failed GCS read.""" vuln_id = message.attributes.get('id') + logging.info('gcs_missing: vulnerability: %s', vuln_id) if not vuln_id: logging.error('gcs_missing: message missing id attribute: %s', message) return True - # Re-put the Bug to regenerate the GCS & Datastore entities + with ndb_client().context(): - bug = osv.Bug.get_by_id(vuln_id) - if not bug: - logging.error('gcs_missing: Bug entity not found for %s', vuln_id) - # TODO(michaelkedar): What can we do in this case? + vuln = osv.Vulnerability.get_by_id(vuln_id) + if not vuln: + logging.error('gcs_missing: Vulnerability entity not found for %s', + vuln_id) return True + try: - bug.put() + source, path = osv.sources.parse_source_id(vuln.source_id) + except ValueError: + logging.error('gcs_missing: invalid source_id for %s: %s', vuln_id, + vuln.source_id) return True - except Exception: - logging.exception('gcs_missing: failed to put Bug entity for %s', vuln_id) - return False - # TODO(michaelkedar): We will want to stop using the Bug entity eventually. - # This will need to trigger a reimport of the record from the datasource. + + logging.info('gcs_missing: triggering re-import for %s (%s)', vuln_id, + vuln.source_id) + publisher = pubsub_v1.PublisherClient() + project = os.environ['GOOGLE_CLOUD_PROJECT'] + topic_path = publisher.topic_path(project, _TASKS_TOPIC) + publisher.publish( + topic_path, + data=b'', + type='update', + source=source, + path=path, + original_sha256='', + deleted='false', + skip_hash_check='true', + req_timestamp=str(int(time.time()))) + + return True def handle_gcs_gen_mismatch(message: pubsub_v1.types.PubsubMessage) -> bool: 
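Review bot: The return value of `publisher.publish(...)` is discarded, so a failed publish is never observed and handle_gcs_missing still returns True, which acknowledges the recovery message; the code this replaces returned False on a failed `bug.put()` so the task would be retried. Publish returns a future that raises on `.result()`, so waiting on it inside a try/except and returning False on failure restores that behaviour. `os.environ['GOOGLE_CLOUD_PROJECT']` likewise raises KeyError when the variable is unset and the exception escapes the handler instead of being logged. Since the published task carries `skip_hash_check='true'` and an empty `original_sha256`, the worker is forced to re-import whatever `source_id` the entity holds even when the source file is unchanged — that is the intent here, but a short comment saying so would save the next reader from treating it as a bug.
```python
    # … unchanged: entity lookup and source_id parsing …
    publisher = pubsub_v1.PublisherClient()
    project = os.environ.get('GOOGLE_CLOUD_PROJECT')
    if not project:
      logging.error('gcs_missing: GOOGLE_CLOUD_PROJECT is not set')
      return False
    topic_path = publisher.topic_path(project, _TASKS_TOPIC)
    # skip_hash_check forces the worker to re-import even if the source file
    # is unchanged: it is the GCS copy that is missing, not the source.
    future = publisher.publish(
        topic_path,
        # … unchanged: task attributes …
        req_timestamp=str(int(time.time())))
    try:
      future.result()
    except Exception:
      logging.exception('gcs_missing: failed to publish re-import for %s',
                        vuln_id)
      return False

    return True
```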
@@ -106,6 +129,7 @@ def handle_gcs_gen_mismatch(message: pubsub_v1.types.PubsubMessage) -> bool: """ vuln_id = message.attributes.get('id') field = message.attributes.get('field') + logging.info('gcs_gen_mismatch: vulnerability: %s, field: %s', vuln_id, field) if not vuln_id or not field: logging.error('gcs_gen_mismatch: message missing id or field attribute: %s', message) diff --git a/gcp/workers/recoverer/recoverer_test.py b/gcp/workers/recoverer/recoverer_test.py index c0c5d5cfa07..fb392bd0dd9 100644 --- a/gcp/workers/recoverer/recoverer_test.py +++ b/gcp/workers/recoverer/recoverer_test.py @@ -15,6 +15,7 @@ import datetime import os import unittest +import unittest.mock from google.cloud import ndb from google.cloud import pubsub_v1 @@ -53,6 +54,11 @@ def setUp(self): import_last_modified=datetime.datetime( 2025, 1, 1, tzinfo=datetime.UTC), ).put() + osv.Vulnerability( + id='TEST-123', + source_id='test:TEST-123.yaml', + modified=datetime.datetime(2025, 1, 1, tzinfo=datetime.UTC), + ).put() return super().setUp() def test_handle_gcs_retry(self): 
@@ -100,19 +106,19 @@ def test_handle_gcs_retry_invalid_data(self): self.assertEqual(1, len(cm.output)) self.assertIn('failed to decode protobuf', cm.output[0]) - def test_handle_gcs_missing(self): + @unittest.mock.patch('google.cloud.pubsub_v1.PublisherClient') + def test_handle_gcs_missing(self, mock_publisher): """Test standard handle_gcs_missing""" - # Going to pretend this is missing, we'll check the contents don't change. - original_result = osv.gcs.get_by_id_with_generation('TEST-123') - self.assertIsNotNone(original_result) - original_data, original_generation = original_result message = pubsub_v1.types.PubsubMessage(attributes={'id': 'TEST-123'}) self.assertTrue(recoverer.handle_gcs_missing(message)) - new_result = osv.gcs.get_by_id_with_generation('TEST-123') - self.assertIsNotNone(new_result) - new_data, new_generation = new_result - self.assertEqual(original_data, new_data) - self.assertNotEqual(original_generation, new_generation) + + # Check that the update message was published + mock_publisher.return_value.publish.assert_called_once() + call_args = mock_publisher.return_value.publish.call_args + self.assertEqual(call_args.kwargs['type'], 'update') + self.assertEqual(call_args.kwargs['source'], 'test') + self.assertEqual(call_args.kwargs['path'], 'TEST-123.yaml') + self.assertEqual(call_args.kwargs['skip_hash_check'], 'true') def test_handle_gcs_gen_mismatch_aliases(self): """Test handle_gcs_gen_mismatch for aliases.""" diff --git a/gcp/workers/worker/testdata/GSD-123.yaml b/gcp/workers/worker/testdata/GSD-123.yaml new file mode 100644 index 00000000000..ae7ed14ddec --- /dev/null +++ b/gcp/workers/worker/testdata/GSD-123.yaml 
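Review bot: The rewritten test_handle_gcs_missing covers only the success path of the new handle_gcs_missing; the `ValueError` branch for an unparsable `source_id` and the missing-entity branch get no coverage, and the publish assertions do not check `original_sha256` or `deleted`. A second case that puts a Vulnerability whose `source_id` lacks the `source:path` separator and asserts `handle_gcs_missing` returns True with `mock_publisher.return_value.publish.assert_not_called()` would pin the new error handling. The handler also reads `GOOGLE_CLOUD_PROJECT` from the environment; setUp is partly outside this hunk, so I cannot tell from here whether the test exports it or whether the test only passes because the surrounding environment happens to set it.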
@@ -0,0 +1,19 @@ +id: GSD-123 +summary: A vulnerability +details: | + Blah blah blah + Blah +modified: 2022-10-07T18:59:00Z +references: +- type: WEB + url: https://ref.com/ref +affected: +- package: + name: Kernel + ecosystem: Linux + ranges: + - type: GIT + repo: https://osv-test/repo/url + events: + - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd + - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735 diff --git a/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt b/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt index 2c52b812385..15e5b16f2bb 100644 --- a/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt +++ b/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt 
@@ -1,364 +1,192 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '7-10', - '7-10-1', - '7-10-2', - '7-10-3', - '7-10-4', - '7-10-5', - '7-10-6', - '7-10-7', - '7-10-8', - '7-11-0', - '7-11-1', - '7-11-2', - '7-12-0', - '7-12-1', - '7-12-2', - '7-12-3', - '7-13-0', - '7-13-1', - '7-13-2', - '7-14-0', - '7-14-1', - '7-15-0', - '7-15-1', - '7-15-2', - '7-15-3', - '7-15-4', - '7-15-5', - '7-16-0', - '7-16-1', - '7-16-2', - '7-16-3', - '7-16-4', - '7-17-0', - '7-17-1', - '7-18-0', - '7-18-1', - '7-18-2', - '7-19-0', - '7-19-1', - '7-19-2', - '7-19-3', - '7-19-4', - '7-19-5', - '7-19-6', - '7-19-7', - '7-20-0', - '7-20-1', - '7-21-0', - '7-21-1', - '7-21-2', - '7-21-3', - '7-21-4', - '7-21-5', - '7-21-6', - '7-21-7', - '7-22-0', - '7-23-0', - '7-23-1', - '7-24-0', - '7-25-0', - '7-26-0', - '7-27-0', - '7-28-0', - '7-28-1', - '7-29-0', - '7-30-0', - '7-31-0', - '7-32-0', - '7-33-0', - '7-34-0', - '7-35-0', - '7-36-0', - '7-37-0', - '7-37-1', - '7-38-0', - '7-39-0', - '7-40-0', - '7-41-0', - '7-42-0', - '7-42-1', - '7-43-0', - '7-44-0', - '7-45-0', - '7-46-0', - '7-47-0', - '7-47-1', - '7-48-0', - '7-49-0', - '7-49-1', - '7-50-0', - '7-50-1', - '7-50-2', - '7-50-3', - '7-51-0', - '7-52-0', - '7-52-1', - '7-53-0', - '7-53-1', - '7-54-0', - '7-54-1', - '7-55-0', - '7-55-1', - '7-56-0', - '7-56-1', - '7-57-0', - '7-58-0', - '7-59-0', - '7-60-0', - '7-61-0', - '7-61-1', - '7-62-0', - '7-63-0', - '7-64-0', - '7-64-1', - '7-65-0', - '7-65-1', - '7-65-2', - '7-65-3', - '7-66-0', - '7-67-0', - '7-68-0', - '7-69-0', - '7-69-1', - '7-7', - '7-7-1', - '7-7-2', - '7-7-3', - '7-70-0', - '7-71-0', - '7-71-1', - '7-72-0', - '7-73-0', - '7-74-0', - '7-75-0', - '7-76-0', - '7-76-1', - '7-77-0', - '7-78-0', - '7-79-0', - '7-79-1', - '7-8', - '7-8-1', - '7-80-0', - '7-81-0', - '7-82-0', - '7-83-0', - '7-83-1', - '7-84-0', - '7-85-0', - '7-9', - '7-9-1', - '7-9-2', - '7-9-3', - '7-9-4', - '7-9-5', - '7-9-6', - '7-9-7', - '7-9-8'], - 'affected_packages': [ { 
'database_specific': { 'vanir_signatures': [ { 'deprecated': False, - 'digest': { 'function_hash': '22968065415160735040135778472335782425', - 'length': 58084.0}, - 'id': 'CURL-CVE-2022-32221-9751f04c', - 'signature_type': 'Function', - 'signature_version': 'v1', - 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', - 'target': { 'file': 'lib/setopt.c', - 'function': 'Curl_vsetopt'}}, - { 'deprecated': False, - 'digest': { 'line_hashes': [ '73596727404438881622769716353410783065', - '150108665408450698810391826671290668314', - '264542534956227828232279400943172691231', - '248438938282829223471764231064667949049'], - 'threshold': 0.9}, - 'id': 'CURL-CVE-2022-32221-b7951194', - 'signature_type': 'Line', - 'signature_version': 'v1', - 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', - 'target': { 'file': 'lib/setopt.c'}}]}, - 'ecosystem_specific': None, - 'package': { 'ecosystem': '', - 'name': '', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '7.7'}, - { 'type': 'fixed', - 'value': '7.86.0'}], - 'repo_url': '', - 'type': 'SEMVER'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '546572da0457f37c698c02d0a08d90fdfcbeedec'}, - { 'type': 'fixed', - 'value': 'a64e3e59938abd7d667e4470a18072a24d7e9de9'}], - 'repo_url': 'https://github.com/curl/curl.git', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ '7.85.0', - '7.84.0', - '7.83.1', - '7.83.0', - '7.82.0', - '7.81.0', - '7.80.0', - '7.79.1', - '7.79.0', - '7.78.0', - '7.77.0', - '7.76.1', - '7.76.0', - '7.75.0', - '7.74.0', - '7.73.0', - '7.72.0', - '7.71.1', - '7.71.0', - '7.70.0', - '7.69.1', - '7.69.0', - '7.68.0', - '7.67.0', - '7.66.0', - '7.65.3', - '7.65.2', - '7.65.1', - '7.65.0', - '7.64.1', - '7.64.0', - '7.63.0', - '7.62.0', - '7.61.1', - '7.61.0', - '7.60.0', - '7.59.0', - '7.58.0', - '7.57.0', - '7.56.1', - '7.56.0', - 
'7.55.1', - '7.55.0', - '7.54.1', - '7.54.0', - '7.53.1', - '7.53.0', - '7.52.1', - '7.52.0', - '7.51.0', - '7.50.3', - '7.50.2', - '7.50.1', - '7.50.0', - '7.49.1', - '7.49.0', - '7.48.0', - '7.47.1', - '7.47.0', - '7.46.0', - '7.45.0', - '7.44.0', - '7.43.0', - '7.42.1', - '7.42.0', - '7.41.0', - '7.40.0', - '7.39.0', - '7.38.0', - '7.37.1', - '7.37.0', - '7.36.0', - '7.35.0', - '7.34.0', - '7.33.0', - '7.32.0', - '7.31.0', - '7.30.0', - '7.29.0', - '7.28.1', - '7.28.0', - '7.27.0', - '7.26.0', - '7.25.0', - '7.24.0', - '7.23.1', - '7.23.0', - '7.22.0', - '7.21.7', - '7.21.6', - '7.21.5', - '7.21.4', - '7.21.3', - '7.21.2', - '7.21.1', - '7.21.0', - '7.20.1', - '7.20.0', - '7.19.7', - '7.19.6', - '7.19.5', - '7.19.4', - '7.19.3', - '7.19.2', - '7.19.1', - '7.19.0', - '7.18.2', - '7.18.1', - '7.18.0', - '7.17.1', - '7.17.0', - '7.16.4', - '7.16.3', - '7.16.2', - '7.16.1', - '7.16.0', - '7.15.5', - '7.15.4', - '7.15.3', - '7.15.2', - '7.15.1', - '7.15.0', - '7.14.1', - '7.14.0', - '7.13.2', - '7.13.1', - '7.13.0', - '7.12.3', - '7.12.2', - '7.12.1', - '7.12.0', - '7.11.2', - '7.11.1', - '7.11.0', - '7.10.8', - '7.10.7', - '7.10.6', - '7.10.5', - '7.10.4', - '7.10.3', - '7.10.2', - '7.10.1', - '7.10', - '7.9.8', - '7.9.7', - '7.9.6', - '7.9.5', - '7.9.4', - '7.9.3', - '7.9.2', - '7.9.1', - '7.9', - '7.8.1', - '7.8', - '7.7.3', - '7.7.2', - '7.7.1', - '7.7']}], +{ 'affected': [ { 'database_specific': { 'source': 'http://localhost:8000/CURL-CVE-2022-32221.json', + 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'function_hash': '22968065415160735040135778472335782425', + 'length': 58084.0}, + 'id': 'CURL-CVE-2022-32221-9751f04c', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c', + 'function': 'Curl_vsetopt'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '73596727404438881622769716353410783065', + 
'150108665408450698810391826671290668314', + '264542534956227828232279400943172691231', + '248438938282829223471764231064667949049'], + 'threshold': 0.9}, + 'id': 'CURL-CVE-2022-32221-b7951194', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c'}}]}, + 'ranges': [ { 'events': [ {'introduced': '7.7'}, + {'fixed': '7.86.0'}], + 'type': 'SEMVER'}, + { 'events': [ { 'introduced': '546572da0457f37c698c02d0a08d90fdfcbeedec'}, + { 'fixed': 'a64e3e59938abd7d667e4470a18072a24d7e9de9'}], + 'repo': 'https://github.com/curl/curl.git', + 'type': 'GIT'}], + 'versions': [ '7.85.0', + '7.84.0', + '7.83.1', + '7.83.0', + '7.82.0', + '7.81.0', + '7.80.0', + '7.79.1', + '7.79.0', + '7.78.0', + '7.77.0', + '7.76.1', + '7.76.0', + '7.75.0', + '7.74.0', + '7.73.0', + '7.72.0', + '7.71.1', + '7.71.0', + '7.70.0', + '7.69.1', + '7.69.0', + '7.68.0', + '7.67.0', + '7.66.0', + '7.65.3', + '7.65.2', + '7.65.1', + '7.65.0', + '7.64.1', + '7.64.0', + '7.63.0', + '7.62.0', + '7.61.1', + '7.61.0', + '7.60.0', + '7.59.0', + '7.58.0', + '7.57.0', + '7.56.1', + '7.56.0', + '7.55.1', + '7.55.0', + '7.54.1', + '7.54.0', + '7.53.1', + '7.53.0', + '7.52.1', + '7.52.0', + '7.51.0', + '7.50.3', + '7.50.2', + '7.50.1', + '7.50.0', + '7.49.1', + '7.49.0', + '7.48.0', + '7.47.1', + '7.47.0', + '7.46.0', + '7.45.0', + '7.44.0', + '7.43.0', + '7.42.1', + '7.42.0', + '7.41.0', + '7.40.0', + '7.39.0', + '7.38.0', + '7.37.1', + '7.37.0', + '7.36.0', + '7.35.0', + '7.34.0', + '7.33.0', + '7.32.0', + '7.31.0', + '7.30.0', + '7.29.0', + '7.28.1', + '7.28.0', + '7.27.0', + '7.26.0', + '7.25.0', + '7.24.0', + '7.23.1', + '7.23.0', + '7.22.0', + '7.21.7', + '7.21.6', + '7.21.5', + '7.21.4', + '7.21.3', + '7.21.2', + '7.21.1', + '7.21.0', + '7.20.1', + '7.20.0', + '7.19.7', + '7.19.6', + '7.19.5', + '7.19.4', + '7.19.3', + '7.19.2', + '7.19.1', + '7.19.0', + '7.18.2', + '7.18.1', + 
'7.18.0', + '7.17.1', + '7.17.0', + '7.16.4', + '7.16.3', + '7.16.2', + '7.16.1', + '7.16.0', + '7.15.5', + '7.15.4', + '7.15.3', + '7.15.2', + '7.15.1', + '7.15.0', + '7.14.1', + '7.14.0', + '7.13.2', + '7.13.1', + '7.13.0', + '7.12.3', + '7.12.2', + '7.12.1', + '7.12.0', + '7.11.2', + '7.11.1', + '7.11.0', + '7.10.8', + '7.10.7', + '7.10.6', + '7.10.5', + '7.10.4', + '7.10.3', + '7.10.2', + '7.10.1', + '7.10', + '7.9.8', + '7.9.7', + '7.9.6', + '7.9.5', + '7.9.4', + '7.9.3', + '7.9.2', + '7.9.1', + '7.9', + '7.8.1', + '7.8', + '7.7.3', + '7.7.2', + '7.7.1', + '7.7']}], 'aliases': ['CVE-2022-32221'], - 'credits': [ {'contact': [], 'name': 'Robby Simpson', 'type': 'FINDER'}, - { 'contact': [], - 'name': 'Daniel Stenberg', + 'credits': [ {'name': 'Robby Simpson', 'type': 'FINDER'}, + { 'name': 'Daniel Stenberg', 'type': 'REMEDIATION_DEVELOPER'}], 'database_specific': { 'CWE': { 'desc': 'Expected Behavior Violation', 'id': 'CWE-440'}, @@ -369,7 +197,6 @@ 'package': 'curl', 'severity': 'Medium', 'www': 'https://curl.se/docs/CVE-2022-32221.html'}, - 'db_id': 'CURL-CVE-2022-32221', 'details': 'When doing HTTP(S) transfers, libcurl might erroneously use ' 'the read callback\n' '(`CURLOPT_READFUNCTION`) to ask for data to send, even when ' 
@@ -387,41 +214,8 @@ 'The problem exists in the logic for a reused handle when it is ' 'changed from a\n' 'PUT to a POST.', - 'ecosystem': ['GIT'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2023, 5, 10, 0, 37, 6, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [], - 'public': True, - 'purl': [], - 'reference_url_types': {}, - 'regressed': '', - 'related': [], - 'search_indices': [ '2022', - '2022-32221', - '32221', - 'curl', - 'curl-cve', - 'curl-cve-2022', - 'curl-cve-2022-32221', - 'curl.git', - 'cve', - 'cve-2022', - 'cve-2022-32221', - 'git', - 'github.com/curl/curl.git', - 'https://github.com/curl/curl.git'], - 'search_tags': ['curl-cve-2022-32221'], - 'semver_fixed_indexes': ['00000007.00000086.00000000-zzzzzzzzzzzzzzzz'], - 'severities': [], - 'source': 'source', - 'source_id': 'source:CURL-CVE-2022-32221.json', - 'source_of_truth': 1, - 'status': 1, - 'summary': 'POST following PUT confusion', - 'timestamp': DatetimeWithNanoseconds(2022, 10, 26, 8, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'CURL-CVE-2022-32221', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2022-10-26T08:00:00Z', + 'schema_version': '1.7.3', + 'summary': 'POST following PUT confusion'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt b/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt index f3b59017be9..f528ee84c41 100644 --- a/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt +++ b/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt 
@@ -1,66 +1,12 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': ['0-1-1', '0-2'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': '', - 'name': '', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'last_affected', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': ['v0.1.1', 'v0.2']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-TEST-last-affected-01', +{ 'affected': [ { 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'last_affected': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': ['v0.1.1', 'v0.2']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [], - 'public': True, - 'purl': [], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '01', - 'affected', - 'affected-01', - 'git', - 'https://osv-test/repo/url', - 'last', - 'last-affected', - 'last-affected-01', - 'osv', - 'osv-test', - 'osv-test-last', - 'osv-test-last-affected', - 'osv-test-last-affected-01', - 'osv-test/repo/url', - 'repo', - 'test', - 'test-last', - 'test-last-affected', - 'test-last-affected-01', - 'url'], - 'search_tags': ['osv-test-last-affected-01'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-TEST-last-affected-01.yaml', - 
'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-TEST-last-affected-01', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt index db898e1515c..f0dd9538315 100644 --- a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt +++ b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt 
@@ -1,63 +1,17 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'scrapy', - 'purl': 'pkg:pypi/scrapy'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.14.2'}, - { 'type': 'fixed', - 'value': '1.31.0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': []}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'PYSEC-456', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'scrapy', + 'purl': 'pkg:pypi/scrapy'}, + 'ranges': [ { 'events': [ { 'introduced': '1.14.2'}, + {'fixed': '1.31.0'}], + 'type': 'ECOSYSTEM'}, + { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}]}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['scrapy'], - 'public': True, - 'purl': ['pkg:pypi/scrapy'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '456', - 'git', - 'https://osv-test/repo/url', - 'osv-test/repo/url', - 'pypi', - 'pysec', - 'pysec-456', - 'repo', - 'scrapy', - 'url'], - 'search_tags': ['pysec-456', 'scrapy'], - 'semver_fixed_indexes': [], - 'severities': 
[], - 'source': 'source', - 'source_id': 'source:PYSEC-456.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability in an unnormalized package', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'PYSEC-456', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability in an unnormalized package'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt index d97673f2dc1..dee3a939577 100644 --- a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt +++ b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt 
@@ -1 +1 @@ -[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-456", "summary": "A vulnerability in an unnormalized package", "details": "Blah blah blah\\nBlah\\n", "modified": "2022-10-07T18:59:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "scrapy", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": []}]}')] \ No newline at end of file +[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-456", "summary": "A vulnerability in an unnormalized package", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "published": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "scrapy", "ecosystem": "PyPI", "purl": "pkg:pypi/scrapy"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": []}], "schema_version": "1.7.3"}')] \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt b/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt index 1180b274143..32a1b96792f 100644 --- a/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt +++ b/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt 
@@ -1 +1 @@ -[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-123", "summary": "A vulnerability", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "grpcio", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": ["1.14.2", "1.15.0", "1.15.0rc1", "1.16.0", "1.16.0rc1", "1.16.1", "1.17.0", "1.17.1", "1.18.0", "1.19.0", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.1", "1.21.0rc1", "1.21.1", "1.21.1rc1", "1.22.0", "1.22.0rc1", "1.22.1", "1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.1", "1.24.3", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.27.0rc1", "1.27.0rc2", "1.27.1", "1.27.2", "1.28.0rc1", "1.28.0rc2", "1.28.1", "1.29.0", "1.30.0"]}]}')] \ No newline at end of file +[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-123", "summary": "A vulnerability", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "published": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "grpcio", "ecosystem": "PyPI", "purl": "pkg:pypi/grpcio"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": ["1.14.2", "1.15.0", "1.15.0rc1", "1.16.0", "1.16.0rc1", "1.16.1", "1.17.0", "1.17.1", "1.18.0", "1.19.0", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.1", "1.21.0rc1", "1.21.1", "1.21.1rc1", "1.22.0", "1.22.0rc1", "1.22.1", 
"1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.1", "1.24.3", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.27.0rc1", "1.27.0rc2", "1.27.1", "1.27.2", "1.28.0rc1", "1.28.0rc2", "1.28.1", "1.29.0", "1.30.0"]}], "schema_version": "1.7.3"}')] \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt b/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt index 07664040628..a79a031c48b 100644 --- a/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt +++ b/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt 
@@ -1,380 +1,189 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '3.11.0-12.19', - '3.12.0-1.3', - '3.12.0-2.5', - '3.12.0-2.7', - '3.12.0-3.8', - '3.12.0-3.9', - '3.12.0-4.10', - '3.12.0-4.12', - '3.12.0-5.13', - '3.12.0-7.15', - '3.13.0-1.16', - '3.13.0-10.30', - '3.13.0-100.147', - '3.13.0-101.148', - '3.13.0-103.150', - '3.13.0-105.152', - '3.13.0-106.153', - '3.13.0-107.154', - '3.13.0-108.155', - '3.13.0-109.156', - '3.13.0-11.31', - '3.13.0-110.157', - '3.13.0-111.158', - '3.13.0-112.159', - '3.13.0-113.160', - '3.13.0-115.162', - '3.13.0-116.163', - '3.13.0-117.164', - '3.13.0-119.166', - '3.13.0-12.32', - '3.13.0-121.170', - '3.13.0-123.172', - '3.13.0-125.174', - '3.13.0-126.175', - '3.13.0-128.177', - '3.13.0-129.178', - '3.13.0-13.33', - '3.13.0-132.181', - '3.13.0-133.182', - '3.13.0-135.184', - '3.13.0-137.186', - '3.13.0-139.188', - '3.13.0-14.34', - '3.13.0-141.190', - '3.13.0-142.191', - '3.13.0-143.192', - '3.13.0-144.193', - '3.13.0-145.194', - '3.13.0-147.196', - '3.13.0-149.199', - '3.13.0-15.35', - '3.13.0-151.201', - '3.13.0-153.203', - '3.13.0-155.205', - '3.13.0-156.206', - '3.13.0-157.207', - '3.13.0-158.208', - '3.13.0-16.36', - '3.13.0-160.210', - '3.13.0-161.211', - '3.13.0-162.212', - '3.13.0-163.213', - '3.13.0-164.214', - '3.13.0-165.215', - '3.13.0-166.216', - '3.13.0-167.217', - '3.13.0-168.218', - '3.13.0-169.219', - '3.13.0-17.37', - '3.13.0-170.220', - '3.13.0-173.224', - '3.13.0-174.225', - '3.13.0-175.226', - '3.13.0-176.227', - '3.13.0-18.38', - '3.13.0-180.231', - '3.13.0-181.232', - '3.13.0-182.233', - '3.13.0-183.234', - '3.13.0-184.235', - '3.13.0-185.236', - '3.13.0-186.237', - '3.13.0-187.238', - '3.13.0-188.239', - '3.13.0-189.240', - '3.13.0-19.39', - '3.13.0-19.40', - '3.13.0-190.241', - '3.13.0-191.242', - '3.13.0-192.243', - '3.13.0-193.244', - '3.13.0-194.245', - '3.13.0-195.246', - '3.13.0-196.247', - '3.13.0-197.248', - '3.13.0-198.249', - '3.13.0-199.250', - '3.13.0-2.17', - 
'3.13.0-20.42', - '3.13.0-200.251', - '3.13.0-201.252', - '3.13.0-202.253', - '3.13.0-203.254', - '3.13.0-204.255', - '3.13.0-205.256', - '3.13.0-206.257', - '3.13.0-21.43', - '3.13.0-22.44', - '3.13.0-23.45', - '3.13.0-24.46', - '3.13.0-24.47', - '3.13.0-27.50', - '3.13.0-29.53', - '3.13.0-3.18', - '3.13.0-30.54', - '3.13.0-30.55', - '3.13.0-32.57', - '3.13.0-33.58', - '3.13.0-34.60', - '3.13.0-35.62', - '3.13.0-36.63', - '3.13.0-37.64', - '3.13.0-39.66', - '3.13.0-4.19', - '3.13.0-40.69', - '3.13.0-41.70', - '3.13.0-43.72', - '3.13.0-44.73', - '3.13.0-45.74', - '3.13.0-46.75', - '3.13.0-46.76', - '3.13.0-46.77', - '3.13.0-46.79', - '3.13.0-48.80', - '3.13.0-49.81', - '3.13.0-49.83', - '3.13.0-5.20', - '3.13.0-51.84', - '3.13.0-52.85', - '3.13.0-52.86', - '3.13.0-53.88', - '3.13.0-53.89', - '3.13.0-54.91', - '3.13.0-55.92', - '3.13.0-55.94', - '3.13.0-57.95', - '3.13.0-58.97', - '3.13.0-59.98', - '3.13.0-6.23', - '3.13.0-61.100', - '3.13.0-62.102', - '3.13.0-63.103', - '3.13.0-65.105', - '3.13.0-65.106', - '3.13.0-66.108', - '3.13.0-67.110', - '3.13.0-68.111', - '3.13.0-7.25', - '3.13.0-7.26', - '3.13.0-70.113', - '3.13.0-71.114', - '3.13.0-73.116', - '3.13.0-74.118', - '3.13.0-76.120', - '3.13.0-77.121', - '3.13.0-79.123', - '3.13.0-8.27', - '3.13.0-8.28', - '3.13.0-83.127', - '3.13.0-85.129', - '3.13.0-86.130', - '3.13.0-86.131', - '3.13.0-87.133', - '3.13.0-88.135', - '3.13.0-91.138', - '3.13.0-92.139', - '3.13.0-93.140', - '3.13.0-95.142', - '3.13.0-96.143', - '3.13.0-98.145'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Ubuntu:Pro:14.04:LTS', - 'name': 'linux', - 'purl': 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '3.11.0-12.19', - '3.12.0-1.3', - '3.12.0-2.5', - '3.12.0-2.7', - 
'3.12.0-3.8', - '3.12.0-3.9', - '3.12.0-4.10', - '3.12.0-4.12', - '3.12.0-5.13', - '3.12.0-7.15', - '3.13.0-1.16', - '3.13.0-2.17', - '3.13.0-3.18', - '3.13.0-4.19', - '3.13.0-5.20', - '3.13.0-6.23', - '3.13.0-7.25', - '3.13.0-7.26', - '3.13.0-8.27', - '3.13.0-8.28', - '3.13.0-10.30', - '3.13.0-11.31', - '3.13.0-12.32', - '3.13.0-13.33', - '3.13.0-14.34', - '3.13.0-15.35', - '3.13.0-16.36', - '3.13.0-17.37', - '3.13.0-18.38', - '3.13.0-19.39', - '3.13.0-19.40', - '3.13.0-20.42', - '3.13.0-21.43', - '3.13.0-22.44', - '3.13.0-23.45', - '3.13.0-24.46', - '3.13.0-24.47', - '3.13.0-27.50', - '3.13.0-29.53', - '3.13.0-30.54', - '3.13.0-30.55', - '3.13.0-32.57', - '3.13.0-33.58', - '3.13.0-34.60', - '3.13.0-35.62', - '3.13.0-36.63', - '3.13.0-37.64', - '3.13.0-39.66', - '3.13.0-40.69', - '3.13.0-41.70', - '3.13.0-43.72', - '3.13.0-44.73', - '3.13.0-45.74', - '3.13.0-46.75', - '3.13.0-46.76', - '3.13.0-46.77', - '3.13.0-46.79', - '3.13.0-48.80', - '3.13.0-49.81', - '3.13.0-49.83', - '3.13.0-51.84', - '3.13.0-52.85', - '3.13.0-52.86', - '3.13.0-53.88', - '3.13.0-53.89', - '3.13.0-54.91', - '3.13.0-55.92', - '3.13.0-55.94', - '3.13.0-57.95', - '3.13.0-58.97', - '3.13.0-59.98', - '3.13.0-61.100', - '3.13.0-62.102', - '3.13.0-63.103', - '3.13.0-65.105', - '3.13.0-65.106', - '3.13.0-66.108', - '3.13.0-67.110', - '3.13.0-68.111', - '3.13.0-70.113', - '3.13.0-71.114', - '3.13.0-73.116', - '3.13.0-74.118', - '3.13.0-76.120', - '3.13.0-77.121', - '3.13.0-79.123', - '3.13.0-83.127', - '3.13.0-85.129', - '3.13.0-86.130', - '3.13.0-86.131', - '3.13.0-87.133', - '3.13.0-88.135', - '3.13.0-91.138', - '3.13.0-92.139', - '3.13.0-93.140', - '3.13.0-95.142', - '3.13.0-96.143', - '3.13.0-98.145', - '3.13.0-100.147', - '3.13.0-101.148', - '3.13.0-103.150', - '3.13.0-105.152', - '3.13.0-106.153', - '3.13.0-107.154', - '3.13.0-108.155', - '3.13.0-109.156', - '3.13.0-110.157', - '3.13.0-111.158', - '3.13.0-112.159', - '3.13.0-113.160', - '3.13.0-115.162', - '3.13.0-116.163', - '3.13.0-117.164', 
- '3.13.0-119.166', - '3.13.0-121.170', - '3.13.0-123.172', - '3.13.0-125.174', - '3.13.0-126.175', - '3.13.0-128.177', - '3.13.0-129.178', - '3.13.0-132.181', - '3.13.0-133.182', - '3.13.0-135.184', - '3.13.0-137.186', - '3.13.0-139.188', - '3.13.0-141.190', - '3.13.0-142.191', - '3.13.0-143.192', - '3.13.0-144.193', - '3.13.0-145.194', - '3.13.0-147.196', - '3.13.0-149.199', - '3.13.0-151.201', - '3.13.0-153.203', - '3.13.0-155.205', - '3.13.0-156.206', - '3.13.0-157.207', - '3.13.0-158.208', - '3.13.0-160.210', - '3.13.0-161.211', - '3.13.0-162.212', - '3.13.0-163.213', - '3.13.0-164.214', - '3.13.0-165.215', - '3.13.0-166.216', - '3.13.0-167.217', - '3.13.0-168.218', - '3.13.0-169.219', - '3.13.0-170.220', - '3.13.0-173.224', - '3.13.0-174.225', - '3.13.0-175.226', - '3.13.0-176.227', - '3.13.0-180.231', - '3.13.0-181.232', - '3.13.0-182.233', - '3.13.0-183.234', - '3.13.0-184.235', - '3.13.0-185.236', - '3.13.0-186.237', - '3.13.0-187.238', - '3.13.0-188.239', - '3.13.0-189.240', - '3.13.0-190.241', - '3.13.0-191.242', - '3.13.0-192.243', - '3.13.0-193.244', - '3.13.0-194.245', - '3.13.0-195.246', - '3.13.0-196.247', - '3.13.0-197.248', - '3.13.0-198.249', - '3.13.0-199.250', - '3.13.0-200.251', - '3.13.0-201.252', - '3.13.0-202.253', - '3.13.0-203.254', - '3.13.0-204.255', - '3.13.0-205.256', - '3.13.0-206.257']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'UBUNTU-CVE-2025-38094', +{ 'affected': [ { 'ecosystem_specific': {}, + 'package': { 'ecosystem': 'Ubuntu:Pro:14.04:LTS', + 'name': 'linux', + 'purl': 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'}, + 'ranges': [ { 'events': [{'introduced': '0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '3.11.0-12.19', + '3.12.0-1.3', + '3.12.0-2.5', + '3.12.0-2.7', + '3.12.0-3.8', + '3.12.0-3.9', + '3.12.0-4.10', + '3.12.0-4.12', + '3.12.0-5.13', + '3.12.0-7.15', + '3.13.0-1.16', + '3.13.0-2.17', + '3.13.0-3.18', + '3.13.0-4.19', + '3.13.0-5.20', + 
'3.13.0-6.23', + '3.13.0-7.25', + '3.13.0-7.26', + '3.13.0-8.27', + '3.13.0-8.28', + '3.13.0-10.30', + '3.13.0-11.31', + '3.13.0-12.32', + '3.13.0-13.33', + '3.13.0-14.34', + '3.13.0-15.35', + '3.13.0-16.36', + '3.13.0-17.37', + '3.13.0-18.38', + '3.13.0-19.39', + '3.13.0-19.40', + '3.13.0-20.42', + '3.13.0-21.43', + '3.13.0-22.44', + '3.13.0-23.45', + '3.13.0-24.46', + '3.13.0-24.47', + '3.13.0-27.50', + '3.13.0-29.53', + '3.13.0-30.54', + '3.13.0-30.55', + '3.13.0-32.57', + '3.13.0-33.58', + '3.13.0-34.60', + '3.13.0-35.62', + '3.13.0-36.63', + '3.13.0-37.64', + '3.13.0-39.66', + '3.13.0-40.69', + '3.13.0-41.70', + '3.13.0-43.72', + '3.13.0-44.73', + '3.13.0-45.74', + '3.13.0-46.75', + '3.13.0-46.76', + '3.13.0-46.77', + '3.13.0-46.79', + '3.13.0-48.80', + '3.13.0-49.81', + '3.13.0-49.83', + '3.13.0-51.84', + '3.13.0-52.85', + '3.13.0-52.86', + '3.13.0-53.88', + '3.13.0-53.89', + '3.13.0-54.91', + '3.13.0-55.92', + '3.13.0-55.94', + '3.13.0-57.95', + '3.13.0-58.97', + '3.13.0-59.98', + '3.13.0-61.100', + '3.13.0-62.102', + '3.13.0-63.103', + '3.13.0-65.105', + '3.13.0-65.106', + '3.13.0-66.108', + '3.13.0-67.110', + '3.13.0-68.111', + '3.13.0-70.113', + '3.13.0-71.114', + '3.13.0-73.116', + '3.13.0-74.118', + '3.13.0-76.120', + '3.13.0-77.121', + '3.13.0-79.123', + '3.13.0-83.127', + '3.13.0-85.129', + '3.13.0-86.130', + '3.13.0-86.131', + '3.13.0-87.133', + '3.13.0-88.135', + '3.13.0-91.138', + '3.13.0-92.139', + '3.13.0-93.140', + '3.13.0-95.142', + '3.13.0-96.143', + '3.13.0-98.145', + '3.13.0-100.147', + '3.13.0-101.148', + '3.13.0-103.150', + '3.13.0-105.152', + '3.13.0-106.153', + '3.13.0-107.154', + '3.13.0-108.155', + '3.13.0-109.156', + '3.13.0-110.157', + '3.13.0-111.158', + '3.13.0-112.159', + '3.13.0-113.160', + '3.13.0-115.162', + '3.13.0-116.163', + '3.13.0-117.164', + '3.13.0-119.166', + '3.13.0-121.170', + '3.13.0-123.172', + '3.13.0-125.174', + '3.13.0-126.175', + '3.13.0-128.177', + '3.13.0-129.178', + '3.13.0-132.181', + '3.13.0-133.182', + 
'3.13.0-135.184', + '3.13.0-137.186', + '3.13.0-139.188', + '3.13.0-141.190', + '3.13.0-142.191', + '3.13.0-143.192', + '3.13.0-144.193', + '3.13.0-145.194', + '3.13.0-147.196', + '3.13.0-149.199', + '3.13.0-151.201', + '3.13.0-153.203', + '3.13.0-155.205', + '3.13.0-156.206', + '3.13.0-157.207', + '3.13.0-158.208', + '3.13.0-160.210', + '3.13.0-161.211', + '3.13.0-162.212', + '3.13.0-163.213', + '3.13.0-164.214', + '3.13.0-165.215', + '3.13.0-166.216', + '3.13.0-167.217', + '3.13.0-168.218', + '3.13.0-169.219', + '3.13.0-170.220', + '3.13.0-173.224', + '3.13.0-174.225', + '3.13.0-175.226', + '3.13.0-176.227', + '3.13.0-180.231', + '3.13.0-181.232', + '3.13.0-182.233', + '3.13.0-183.234', + '3.13.0-184.235', + '3.13.0-185.236', + '3.13.0-186.237', + '3.13.0-187.238', + '3.13.0-188.239', + '3.13.0-189.240', + '3.13.0-190.241', + '3.13.0-191.242', + '3.13.0-192.243', + '3.13.0-193.244', + '3.13.0-194.245', + '3.13.0-195.246', + '3.13.0-196.247', + '3.13.0-197.248', + '3.13.0-198.249', + '3.13.0-199.250', + '3.13.0-200.251', + '3.13.0-201.252', + '3.13.0-202.253', + '3.13.0-203.254', + '3.13.0-204.255', + '3.13.0-205.256', + '3.13.0-206.257']}], 'details': 'In the Linux kernel, the following vulnerability has been ' 'resolved: net: cadence: macb: Fix a possible deadlock in ' 'macb_halt_tx. There is a situation where after THALT is set ' 
@@ -384,54 +193,29 @@ 'noticed on a sama5d4 device that stayed locked for days. Use ' 'retries instead of jiffies so that the timeout really works ' 'and we do not have a deadlock anymore.', - 'ecosystem': ['Ubuntu', 'Ubuntu:14.04', 'Ubuntu:Pro:14.04:LTS'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['linux'], - 'public': True, - 'purl': [ 'pkg:deb/ubuntu/linux@3.13.0-206.257', - 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'], - 'reference_url_types': { 'https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', - 'https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d': 'REPORT', - 'https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4': 'REPORT', - 'https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48': 'REPORT', - 'https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2': 'REPORT', - 'https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37': 'REPORT', - 'https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7': 'REPORT', - 'https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', - 'https://ubuntu.com/security/CVE-2025-38094': 'REPORT', - 'https://www.cve.org/CVERecord?id=CVE-2025-38094': 'REPORT'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '04', - '14', - '2025', - '2025-38094', - '38094', - 'cve', - 'cve-2025', - 'cve-2025-38094', - 'linux', - 'lts', - 'pro', - 'ubuntu', - 'ubuntu-cve', - 'ubuntu-cve-2025', - 'ubuntu-cve-2025-38094', - 'ubuntu:14.04', - 'ubuntu:pro:14.04:lts'], - 'search_tags': ['linux', 'ubuntu-cve-2025-38094'], - 'semver_fixed_indexes': [], - 'severities': [{'score': 'medium', 'type': 'Ubuntu'}], - 
'source': 'source', - 'source_id': 'source:UBUNTU-CVE-2025-38094.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': '', - 'timestamp': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': ['CVE-2025-38094'], - 'withdrawn': None} \ No newline at end of file + 'id': 'UBUNTU-CVE-2025-38094', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2025-07-04T00:00:00Z', + 'references': [ { 'type': 'REPORT', + 'url': 'https://ubuntu.com/security/CVE-2025-38094'}, + { 'type': 'REPORT', + 'url': 'https://www.cve.org/CVERecord?id=CVE-2025-38094'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f'}], + 'schema_version': '1.7.3', + 'severity': [{'score': 'medium', 'type': 'Ubuntu'}], + 'upstream': ['CVE-2025-38094']} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update.txt b/gcp/workers/worker/testdata/UpdateTest_update.txt index 654da618d93..11f21ecb72f 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update.txt 
@@ -1,70 +1,23 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Go', - 'name': 'blah.com/package', - 'purl': 'pkg:golang/blah.com/package'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'introduced', - 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1']}], - 'aliases': [], - 'credits': [ { 'contact': ['mailto:foo@bar.com'], - 'name': 'Foo bar', - 'type': None}], +{ 'affected': [ { 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'introduced': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'credits': [{'contact': ['mailto:foo@bar.com'], 'name': 'Foo bar'}], 'database_specific': {'specific': 1337.0}, - 'db_id': 'OSV-123', 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 
'project': ['blah.com/package'], - 'public': True, - 'purl': ['pkg:golang/blah.com/package'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '123', - 'blah', - 'blah.com/package', - 'com', - 'git', - 'go', - 'https://osv-test/repo/url', - 'osv', - 'osv-123', - 'osv-test/repo/url', - 'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-123'], - 'semver_fixed_indexes': [], - 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L', - 'type': 'CVSS_V3'}], - 'source': 'source', - 'source_id': 'source:OSV-123.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': None, - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-123', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'severity': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L', + 'type': 'CVSS_V3'}], + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt b/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt index f1001d855f0..bc29cb45861 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt 
@@ -1,689 +1,510 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.15-r0', - '10.4.17-r0', - '10.4.17-r1', - '10.4.18-r0', - '10.4.19-r0', - '10.4.21-r0', - '10.4.22-r0', - '10.4.24-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.10-r0', - '10.5.11-r0', - '10.5.11-r1', - '10.5.12-r0', - '10.5.13-r0', - '10.5.15-r0', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '10.6.3-r0', - '10.6.4-r0', - '10.6.4-r1', - '10.6.4-r2', - '10.6.7-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.12', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 
'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.4.25-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.15-r0', - '10.4.17-r0', - '10.4.17-r1', - '10.4.18-r0', - '10.4.19-r0', - '10.4.21-r0', - '10.4.22-r0', - '10.4.24-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.13', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.5.16-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - 
'10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.10-r0', - '10.5.11-r0', - '10.5.12-r0', - '10.5.13-r0', - '10.5.15-r0', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.14', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.5.16-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', 
- '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.11-r0', - '10.5.12-r0', - '10.5.13-r0', - '10.5.15-r0', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.15', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.6.8-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', 
- '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.11-r0', - '10.5.11-r1', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '10.6.3-r0', - '10.6.4-r0', - '10.6.4-r1', - '10.6.4-r2', - '10.6.7-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.16', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.6.8-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - 
'10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.11-r0', - '10.5.11-r1', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '10.6.3-r0', - '10.6.4-r0', - '10.6.4-r1', - '10.6.4-r2', - '10.6.7-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'CVE-2022-27449', +{ 'affected': [ { 'package': { 'ecosystem': 'Alpine:v3.12', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '10.4.25-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', 
+ '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.15-r0', + '10.4.17-r0', + '10.4.17-r1', + '10.4.18-r0', + '10.4.19-r0', + '10.4.21-r0', + '10.4.22-r0', + '10.4.24-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.13', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '10.5.16-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.10-r0', + '10.5.11-r0', + '10.5.12-r0', + 
'10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.14', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '10.5.16-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.15', + 
'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + {'fixed': '10.6.8-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.16', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + {'fixed': '10.6.8-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + 
'10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}], 'details': 'MariaDB Server v10.9 and below was discovered to contain a ' 'segmentation fault via the component sql/item_func.cc:148.', - 'ecosystem': [ 'Alpine', - 'Alpine:v3.12', - 'Alpine:v3.13', - 'Alpine:v3.14', - 'Alpine:v3.15', - 'Alpine:v3.16'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['mariadb'], - 'public': True, - 'purl': ['pkg:alpine/mariadb'], - 'reference_url_types': { 
'https://jira.mariadb.org/browse/MDEV-28089': 'WEB',
- 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html': 'WEB',
- 'https://security.netapp.com/advisory/ntap-20220526-0006/': 'ADVISORY'},
- 'regressed': '',
- 'related': [],
- 'search_indices': [ '12',
- '13',
- '14',
- '15',
- '16',
- '2022',
- '2022-27449',
- '27449',
- 'alpine',
- 'alpine:v3.12',
- 'alpine:v3.13',
- 'alpine:v3.14',
- 'alpine:v3.15',
- 'alpine:v3.16',
- 'cve',
- 'cve-2022',
- 'cve-2022-27449',
- 'mariadb',
- 'v3'],
- 'search_tags': ['cve-2022-27449', 'mariadb'],
- 'semver_fixed_indexes': [],
- 'severities': [],
- 'source': 'source',
- 'source_id': 'source:CVE-2022-27449.json',
- 'source_of_truth': 2,
- 'status': 1,
- 'summary': '',
- 'timestamp': DatetimeWithNanoseconds(2022, 4, 14, 13, 15, tzinfo=datetime.timezone.utc),
- 'upstream_raw': [],
- 'withdrawn': None}
\ No newline at end of file
+ 'id': 'CVE-2022-27449',
+ 'modified': '3000-01-01T00:00:00Z',
+ 'published': '2022-04-14T13:15:00Z',
+ 'references': [ { 'type': 'EVIDENCE',
+ 'url': 'https://jira.mariadb.org/browse/MDEV-28089'},
+ { 'type': 'REPORT',
+ 'url': 'https://jira.mariadb.org/browse/MDEV-28089'},
+ { 'type': 'FIX',
+ 'url': 'https://jira.mariadb.org/browse/MDEV-28089'},
+ { 'type': 'WEB',
+ 'url': 'https://jira.mariadb.org/browse/MDEV-28089'},
+ { 'type': 'ADVISORY',
+ 'url': 'https://security.netapp.com/advisory/ntap-20220526-0006/'},
+ { 'type': 'ARTICLE',
+ 'url': 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html'},
+ { 'type': 'WEB',
+ 'url': 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html'}],
+ 'schema_version': '1.7.3'}
\ No newline at end of file
diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt b/gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt
new file mode 100644
index 00000000000..d5828e36cba
--- /dev/null
+++ b/gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt
@@ -0,0 +1,7 @@
+{ 'details': 'Blah blah blah\nBlah\n',
+ 'id': 'OSV-129',
+ 'modified': '3000-01-01T00:00:00Z',
+ 'published': '3000-01-01T00:00:00Z',
+ 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}],
+ 'schema_version': '1.7.3',
+ 'summary': 'A vulnerability'}
\ No newline at end of file
diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt b/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt
index 184148e93f4..17143e52ecd 100644
--- a/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt
+++ b/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt
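Review bot: The expected bucket output for the bad-ecosystem case has no `affected` key at all, only `details`, `id`, `modified`, `published`, `references`, `schema_version` and `summary`, so this fixture pins the behaviour that an affected entry whose ecosystem the worker does not recognise is stripped from the exported record while the record itself is still published. A record with an empty or missing `affected` section matches no package for every downstream consumer, which silently turns a real advisory into a no-op; if the drop is intentional, the test that loads this fixture (outside this view) should state it and ideally assert that the drop is logged. I cannot see the input fixture or the worker change here, so this may already be covered elsewhere in the commit. A one-line comment next to the assertion such as `# Unknown ecosystem: the affected entry is dropped; the rest of the record is still exported.` would make the contract explicit.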
@@ -1,104 +1,37 @@
-{ 'affected': [],
- 'affected_checksum': None,
- 'affected_fuzzy': [],
- 'affected_packages': [ { 'database_specific': None,
- 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/runc/libcontainer/apparmor',
- 'symbols': [ 'ApplyProfile']},
- { 'path': 'github.com/opencontainers/runc/libcontainer/utils',
- 'symbols': [ 'CloseExecFrom']}]},
- 'package': { 'ecosystem': 'Go',
- 'name': 'github.com/opencontainers/runc',
- 'purl': 'pkg:golang/github.com/opencontainers/runc'},
- 'ranges': [ { 'database_specific': None,
- 'events': [ { 'type': 'introduced',
- 'value': '0'},
- { 'type': 'fixed',
- 'value': '1.0.0-rc8.0.20190930145003-cad42f6e0932'}],
- 'repo_url': '',
- 'type': 'SEMVER'}],
- 'severities': [],
- 'versions': []},
- { 'database_specific': None,
- 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/selinux/go-selinux',
- 'symbols': [ 'readCon',
- 'writeCon']}]},
- 'package': { 'ecosystem': 'Go',
- 'name': 'github.com/opencontainers/selinux',
- 'purl': 'pkg:golang/github.com/opencontainers/selinux'},
- 'ranges': [ { 'database_specific': None,
- 'events': [ { 'type': 'introduced',
- 'value': '0'},
- { 'type': 'fixed',
- 'value': '1.3.1-0.20190929122143-5215b1806f52'}],
- 'repo_url': '',
- 'type': 'SEMVER'}],
- 'severities': [],
- 'versions': []}],
+{ 'affected': [ { 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/runc/libcontainer/apparmor',
+ 'symbols': [ 'ApplyProfile']},
+ { 'path': 'github.com/opencontainers/runc/libcontainer/utils',
+ 'symbols': [ 'CloseExecFrom']}]},
+ 'package': { 'ecosystem': 'Go',
+ 'name': 'github.com/opencontainers/runc',
+ 'purl': 'pkg:golang/github.com/opencontainers/runc'},
+ 'ranges': [ { 'events': [ {'introduced': '0'},
+ { 'fixed': '1.0.0-rc8.0.20190930145003-cad42f6e0932'}],
+ 'type': 'SEMVER'}]},
+ { 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/selinux/go-selinux',
+ 'symbols': [ 'readCon',
+ 'writeCon']}]},
+ 'package': { 'ecosystem': 'Go',
+ 'name': 'github.com/opencontainers/selinux',
+ 'purl': 'pkg:golang/github.com/opencontainers/selinux'},
+ 'ranges': [ { 'events': [ {'introduced': '0'},
+ { 'fixed': '1.3.1-0.20190929122143-5215b1806f52'}],
+ 'type': 'SEMVER'}]}],
 'aliases': ['CVE-2019-16884', 'GHSA-fgv8-vj5c-2ppq'],
- 'credits': [{'contact': [], 'name': 'Leopold Schabel', 'type': None}],
+ 'credits': [{'name': 'Leopold Schabel'}],
 'database_specific': {'url': 'https://pkg.go.dev/vuln/GO-2021-0085'},
- 'db_id': 'GO-2021-0085',
 'details': 'AppArmor restrictions may be bypassed due to improper '
 'validation of mount targets, allowing a malicious image to '
 'mount volumes over e.g. /proc.',
- 'ecosystem': ['Go'],
- 'fixed': '',
- 'has_affected': True,
- 'import_last_modified': DatetimeWithNanoseconds(2023, 4, 3, 15, 57, 51, tzinfo=datetime.timezone.utc),
- 'is_fixed': True,
- 'issue_id': None,
- 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc),
- 'project': [ 'github.com/opencontainers/runc',
- 'github.com/opencontainers/selinux'],
- 'public': True,
- 'purl': [ 'pkg:golang/github.com/opencontainers/runc',
- 'pkg:golang/github.com/opencontainers/selinux'],
- 'reference_url_types': { 'https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4': 'FIX',
- 'https://github.com/opencontainers/runc/issues/2128': 'WEB',
- 'https://github.com/opencontainers/runc/pull/2130': 'FIX',
- 'https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da': 'FIX'},
- 'regressed': '',
- 'related': [],
- 'search_indices': [ '0085',
- '16884',
- '2019',
- '2019-16884',
- '2021',
- '2021-0085',
- '2ppq',
- 'com',
- 'cve',
- 'cve-2019',
- 'cve-2019-16884',
- 'fgv8',
- 'fgv8-vj5c',
- 'fgv8-vj5c-2ppq',
- 'ghsa',
- 'ghsa-fgv8',
- 'ghsa-fgv8-vj5c',
- 'ghsa-fgv8-vj5c-2ppq',
- 'github',
- 'github.com/opencontainers/runc',
- 'github.com/opencontainers/selinux',
- 'go',
- 'go-2021',
- 'go-2021-0085',
- 'opencontainers',
- 'runc',
- 'selinux',
- 'vj5c',
- 'vj5c-2ppq'],
- 'search_tags': [ 'github.com/opencontainers/runc',
- 'github.com/opencontainers/selinux',
- 'go-2021-0085'],
- 'semver_fixed_indexes': [ '00000001.00000000.00000000-1rc8.00000000.120190930145003-cad42f6e0932',
- '00000001.00000003.00000001-00000000.120190929122143-5215b1806f52'],
- 'severities': [],
- 'source': 'source',
- 'source_id': 'source:a/b/test.json',
- 'source_of_truth': 2,
- 'status': 1,
- 'summary': '',
- 'timestamp': DatetimeWithNanoseconds(2021, 4, 14, 20, 4, 52, tzinfo=datetime.timezone.utc),
- 'upstream_raw': [],
- 'withdrawn': None}
\ No newline at end of file
+ 'id': 'GO-2021-0085',
+ 'modified': '3000-01-01T00:00:00Z',
+ 'published': '2021-04-14T20:04:52Z',
+ 'references': [ { 'type': 'FIX',
+ 'url': 'https://github.com/opencontainers/runc/pull/2130'},
+ { 'type': 'FIX',
+ 'url': 'https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4'},
+ { 'type': 'FIX',
+ 'url': 'https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da'},
+ { 'type': 'WEB',
+ 'url': 'https://github.com/opencontainers/runc/issues/2128'}],
+ 'schema_version': '1.7.3'}
\ No newline at end of file
diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt b/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt
index 9b228142cd0..053d0e49367 100644
--- a/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt
+++ b/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt
@@ -1,63 +1,21 @@
-{ 'affected': [],
- 'affected_checksum': None,
- 'affected_fuzzy': ['10', '11'],
- 'affected_packages': [ { 'database_specific': None,
- 'ecosystem_specific': { 'severity': 'High',
- 'spl': '2021-10-01',
- 'type': 'EoP'},
- 'package': { 'ecosystem': 'Android',
- 'name': 'Media Framework',
- 'purl': None},
- 'ranges': [],
- 'severities': [],
- 'versions': ['10', '11']}],
+{ 'affected': [ { 'ecosystem_specific': { 'severity': 'High',
+ 'spl': '2021-10-01',
+ 'type': 'EoP'},
+ 'package': { 'ecosystem': 'Android',
+ 'name': 'Media Framework'},
+ 'versions': ['10', '11']}],
 'aliases': ['CVE-2021-0483'],
- 'credits': [],
- 'database_specific': None,
- 'db_id': 'ASB-A-153358911',
- 'details': '',
- 'ecosystem': ['Android'],
- 'fixed': '',
- 'has_affected': True,
- 'import_last_modified': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc),
- 'is_fixed': False,
- 'issue_id': None,
- 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc),
- 'project': ['Media Framework'],
- 'public': True,
- 'purl': [],
- 'reference_url_types': { 'https://android.googlesource.com/platform/frameworks/av/+/084077feb6b8c961adcbe77b2bd76601ca54e534': 'FIX',
- 'https://android.googlesource.com/platform/frameworks/av/+/cc2165840d524bb9553f9d73d1904633d20100a2': 'FIX',
- 'https://source.android.com/security/bulletin/2021-10-01#2021-10-01-security-patch-level-vulnerability-details': 'ADVISORY'},
- 'regressed': '',
- 'related': [],
- 'search_indices': [ '0483',
- '153358911',
- '2021',
- '2021-0483',
- 'a',
- 'a-153358911',
- 'android',
- 'asb',
- 'asb-a',
- 'asb-a-153358911',
- 'cve',
- 'cve-2021',
- 'cve-2021-0483',
- 'framework',
- 'media',
- 'media framework'],
- 'search_tags': ['asb-a-153358911', 'media framework'],
- 'semver_fixed_indexes': [],
- 'severities': [],
- 'source': 'source',
- 'source_id': 'source:a/b/android-test.json',
- 'source_of_truth': 2,
- 'status': 1,
+ 'id': 'ASB-A-153358911',
+ 'modified': '3000-01-01T00:00:00Z',
+ 'published': '2021-10-01T00:00:00Z',
+ 'references': [ { 'type': 'ADVISORY',
+ 'url': 'https://source.android.com/security/bulletin/2021-10-01#2021-10-01-security-patch-level-vulnerability-details'},
+ { 'type': 'FIX',
+ 'url': 'https://android.googlesource.com/platform/frameworks/av/+/084077feb6b8c961adcbe77b2bd76601ca54e534'},
+ { 'type': 'FIX',
+ 'url': 'https://android.googlesource.com/platform/frameworks/av/+/cc2165840d524bb9553f9d73d1904633d20100a2'}],
+ 'schema_version': '1.7.3',
 'summary': 'In multiple methods of AAudioService, there is a possible '
 'use-after-free due to a race condition. This could lead to '
 'local escalation of privilege with User execution privileges '
- 'needed. User interaction is not needed for exploitation.',
- 'timestamp': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc),
- 'upstream_raw': [],
- 'withdrawn': None}
\ No newline at end of file
+ 'needed. User interaction is not needed for exploitation.'}
\ No newline at end of file
diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt b/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt
index 32722079b69..49fafa64d5c 100644
--- a/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt
+++ b/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt
@@ -1,106 +1,83 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1-2-1', - '1-2-2', - '1-2-3', - '1-2-4', - '1-2-5', - '1-2-6', - '1-3-0', - '1-3-1'], - 'affected_packages': [ { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, - 'digest': { 'line_hashes': [ '18066036635502801806677364178756254862', - '88369412895184753394283011451803187548', - '50848458948504730426650075084385046530', - '91284993680127737564993618090545145416', - '30779278950355321333621475605602830830', - '122421578121241373365155348152646941523', - '267652210589392654099845994262755826062', - '334808111126213430220547654602188383660', - '234389204524678077984531197469034242690', - '152880517379272209571165325006789878786', - '299871312446227378724863519270618301341', - '157634544376100154879962283397081738110', - '103663099829328578689797223848801574827', - '158563421165358858389893196995983570762', - '315965584007238676040631750953088200664'], - 'threshold': 0.9}, - 'id': 'CVE-2016-15011-929806e0', - 'signature_type': 'Line', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java'}}, - { 'deprecated': False, - 'digest': { 'line_hashes': [ '6674387965125354881111149989428882853', - '100741820504985357262218153349452233434', - '253366101641995550384755812786879052342', - '245037096886845520996519599411616661529', - '158852189579109359359946013476030639584', - '298614597347537877121532413760030558894', - '180181956682520524395173299138562004562', - '146502839243717526526406585366671557144', - '244996413515733361838850122849344525825', - '166554563875570093109470347687697544350', - '9427977046515615106319032886256396870', - '279044285883194738631442483325879094037', - '295198785562376785392477306514392217432', - '44714085523243422643465698936438435501', - 
'267608316591780380179772018605253867646', - '182074437577114148436758739432546664545', - '87621961972550109442760282702331746920', - '64897152403082006856773989396486955494', - '184138636401118235309885205539354874180', - '62633257528035095954429323509732904426'], - 'threshold': 0.9}, - 'id': 'CVE-2016-15011-bd561b7b', - 'signature_type': 'Line', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java'}}, - { 'deprecated': False, - 'digest': { 'function_hash': '259495117689681377355427521574538727644', - 'length': 1591.0}, - 'id': 'CVE-2016-15011-d557e328', - 'signature_type': 'Function', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java', - 'function': 'DigitalSignatureServiceMetadata'}}, - { 'deprecated': False, - 'digest': { 'function_hash': '249451297539985081987952306682300702892', - 'length': 4302.0}, - 'id': 'CVE-2016-15011-fcf07dd1', - 'signature_type': 'Function', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java', - 'function': 'checkSignResponse'}}]}, - 'ecosystem_specific': None, - 'package': { 'ecosystem': '', - 'name': '', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '001ef99b0c8194468de960d007e2d82dcebc3bca'}, - { 'type': 'fixed', - 'value': 'ec4238349691ec66dd30b416ec6eaab02d722302'}], - 'repo_url': 'https://github.com/e-contract/dssp', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'dssp-1.2.1', - 
'dssp-1.2.2', - 'dssp-1.2.3', - 'dssp-1.2.4', - 'dssp-1.2.5', - 'dssp-1.2.6', - 'dssp-1.3.0', - 'dssp-1.3.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'CVE-2016-15011', +{ 'affected': [ { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'line_hashes': [ '18066036635502801806677364178756254862', + '88369412895184753394283011451803187548', + '50848458948504730426650075084385046530', + '91284993680127737564993618090545145416', + '30779278950355321333621475605602830830', + '122421578121241373365155348152646941523', + '267652210589392654099845994262755826062', + '334808111126213430220547654602188383660', + '234389204524678077984531197469034242690', + '152880517379272209571165325006789878786', + '299871312446227378724863519270618301341', + '157634544376100154879962283397081738110', + '103663099829328578689797223848801574827', + '158563421165358858389893196995983570762', + '315965584007238676040631750953088200664'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-929806e0', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '6674387965125354881111149989428882853', + '100741820504985357262218153349452233434', + '253366101641995550384755812786879052342', + '245037096886845520996519599411616661529', + '158852189579109359359946013476030639584', + '298614597347537877121532413760030558894', + '180181956682520524395173299138562004562', + '146502839243717526526406585366671557144', + '244996413515733361838850122849344525825', + '166554563875570093109470347687697544350', + '9427977046515615106319032886256396870', + '279044285883194738631442483325879094037', + '295198785562376785392477306514392217432', + 
'44714085523243422643465698936438435501', + '267608316591780380179772018605253867646', + '182074437577114148436758739432546664545', + '87621961972550109442760282702331746920', + '64897152403082006856773989396486955494', + '184138636401118235309885205539354874180', + '62633257528035095954429323509732904426'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-bd561b7b', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '259495117689681377355427521574538727644', + 'length': 1591.0}, + 'id': 'CVE-2016-15011-d557e328', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java', + 'function': 'DigitalSignatureServiceMetadata'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '249451297539985081987952306682300702892', + 'length': 4302.0}, + 'id': 'CVE-2016-15011-fcf07dd1', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java', + 'function': 'checkSignResponse'}}]}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '001ef99b0c8194468de960d007e2d82dcebc3bca'}, + { 'fixed': 'ec4238349691ec66dd30b416ec6eaab02d722302'}], + 'repo': 'https://github.com/e-contract/dssp', + 'type': 'GIT'}], + 'versions': [ 'dssp-1.2.1', + 'dssp-1.2.2', + 'dssp-1.2.3', + 'dssp-1.2.4', + 'dssp-1.2.5', + 'dssp-1.2.6', + 'dssp-1.3.0', + 'dssp-1.3.1']}], 'details': 'A vulnerability classified as 
problematic was found in ' 'e-Contract dssp up to 1.3.1. Affected by this vulnerability is ' 'the function checkSignResponse of the file ' 
@@ -111,42 +88,23 @@ 'ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to ' 'upgrade the affected component. The identifier VDB-217549 was ' 'assigned to this vulnerability.', - 'ecosystem': ['GIT'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 1, 21, 44, 41, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [], - 'public': True, - 'purl': [], - 'reference_url_types': { 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302': 'FIX', - 'https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2': 'ADVISORY', - 'https://vuldb.com/?ctiid.217549': 'REPORT', - 'https://vuldb.com/?id.217549': 'REPORT'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '15011', - '2016', - '2016-15011', - 'cve', - 'cve-2016', - 'cve-2016-15011', - 'dssp', - 'e-contract', - 'git', - 'github.com/e-contract/dssp', - 'https://github.com/e-contract/dssp'], - 'search_tags': ['cve-2016-15011'], - 'semver_fixed_indexes': [], - 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', - 'type': 'CVSS_V3'}], - 'source': 'source', - 'source_id': 'source:a/b/CVE-2016-15011.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': '', - 'timestamp': DatetimeWithNanoseconds(2023, 1, 6, 10, 15, 9, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'CVE-2016-15011', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2023-01-06T10:15:09Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302'}, + { 'type': 'ADVISORY', + 'url': 'https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2'}, + { 'type': 'ADVISORY', + 'url': 'https://vuldb.com/?ctiid.217549'}, + { 'type': 'ADVISORY', + 'url': 'https://vuldb.com/?id.217549'}, + { 
'type': 'FIX', + 'url': 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302'}, + { 'type': 'REPORT', + 'url': 'https://vuldb.com/?ctiid.217549'}, + { 'type': 'REPORT', + 'url': 'https://vuldb.com/?id.217549'}], + 'schema_version': '1.7.3', + 'severity': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', + 'type': 'CVSS_V3'}]} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_debian.txt b/gcp/workers/worker/testdata/UpdateTest_update_debian.txt index 5aebf710c03..b42b09b1107 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_debian.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_debian.txt @@ -1,30 +1,14 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.2.1-2.2', - '1.2.1-2.2+wheezy1', - '1.2.1-2.2+wheezy2', - '1.2.1-2.2+wheezy3~bpo60+1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Debian:7', - 'name': 'nginx', - 'purl': 'pkg:deb/debian/nginx?arch=source'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '1.2.1-2.2+wheezy3'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '1.2.1-2.2', - '1.2.1-2.2+wheezy1', - '1.2.1-2.2+wheezy2', - '1.2.1-2.2+wheezy3~bpo60+1']}], +{ 'affected': [ { 'package': { 'ecosystem': 'Debian:7', + 'name': 'nginx', + 'purl': 'pkg:deb/debian/nginx?arch=source'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '1.2.1-2.2+wheezy3'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '1.2.1-2.2', + '1.2.1-2.2+wheezy1', + '1.2.1-2.2+wheezy2', + '1.2.1-2.2+wheezy3~bpo60+1']}], 'aliases': ['CVE-2014-3616'], - 'credits': [], - 'database_specific': None, - 'db_id': 'DSA-3029-1', 'details': '\n' 'Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered ' 'that it was\n' 
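Review bot: The new expected `references` list carries the same URL under two types — the dssp commit as both ADVISORY and FIX, and each vuldb URL as both ADVISORY and REPORT — so four URLs produce seven entries, where the removed `reference_url_types` map, keyed by URL, held one type per URL. If the fixture input really contains duplicate references, this snapshot now pins that the worker emits them verbatim; that may be intended (the OSV `references` array is not keyed), but it is a visible data-quality change for consumers of the exported record and looks more like the old map silently de-duplicating than a deliberate choice. Either de-duplicate on (type, url) in the producing code before export, or add a comment to the fixture source stating that the duplicates are deliberate. This file is generated test output, so the fix belongs in the producer, not here.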
@@ -53,43 +37,10 @@ 'We recommend that you upgrade your nginx packages.\n' '\n' '\n', - 'ecosystem': ['Debian', 'Debian:7'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2014, 9, 20, 8, 18, 7, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['nginx'], - 'public': True, - 'purl': ['pkg:deb/debian/nginx', 'pkg:deb/debian/nginx?arch=source'], - 'reference_url_types': { 'https://www.debian.org/security/2014/dsa-3029': 'ADVISORY'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '1', - '2014', - '2014-3616', - '3029', - '3029-1', - '3616', - '7', - 'cve', - 'cve-2014', - 'cve-2014-3616', - 'debian', - 'debian:7', - 'dsa', - 'dsa-3029', - 'dsa-3029-1', - 'nginx'], - 'search_tags': ['dsa-3029-1', 'nginx'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:DSA-3029-1.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'nginx - security update', - 'timestamp': DatetimeWithNanoseconds(2014, 9, 20, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'DSA-3029-1', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2014-09-20T00:00:00Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://www.debian.org/security/2014/dsa-3029'}], + 'schema_version': '1.7.3', + 'summary': 'nginx - security update'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt b/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt index eb8631f7074..545e9381ef5 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt 
@@ -1,129 +1,55 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0', - '1.31.0'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'grpcio', - 'purl': 'pkg:pypi/grpcio'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.14.2'}, - { 'type': 'last_affected', - 'value': '1.31.0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0', - '1.31.0']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'PYSEC-124', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'events': [ { 'introduced': '1.14.2'}, + { 'last_affected': '1.31.0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + 
'1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0', + '1.31.0']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['grpcio'], - 'public': True, - 'purl': ['pkg:pypi/grpcio'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': ['124', 'grpcio', 'pypi', 'pysec', 'pysec-124'], - 'search_tags': ['grpcio', 'pysec-124'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:PYSEC-124.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'PYSEC-124', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_limit.txt b/gcp/workers/worker/testdata/UpdateTest_update_limit.txt index dc9a0912254..ded5ae60b02 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_limit.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_limit.txt 
@@ -1,79 +1,26 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.13.0', - '1.14.0', - '1.14.0rc1', - '1.14.0rc2', - '1.14.1', - '1.14.2rc1', - 'branch-v0.1.1', - 'v0.1', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'grpcio', - 'purl': 'pkg:pypi/grpcio'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'limit', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.13.0'}, - { 'type': 'limit', - 'value': '1.14.2'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - '1.13.0', - '1.14.0', - '1.14.0rc1', - '1.14.0rc2', - '1.14.1', - '1.14.2rc1', - 'v0.1', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-128', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'limit': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}, + { 'events': [ { 'introduced': '1.13.0'}, + {'limit': '1.14.2'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ 'branch-v0.1.1', + '1.13.0', + '1.14.0', + '1.14.0rc1', + '1.14.0rc2', + '1.14.1', + '1.14.2rc1', + 'v0.1', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['grpcio'], - 'public': True, - 'purl': ['pkg:pypi/grpcio'], - 'reference_url_types': {'https://ref.com/ref': 
'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '128', - 'git', - 'grpcio', - 'https://osv-test/repo/url', - 'osv', - 'osv-128', - 'osv-test/repo/url', - 'pypi', - 'repo', - 'url'], - 'search_tags': ['grpcio', 'osv-128'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-128.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-128', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_linux.txt b/gcp/workers/worker/testdata/UpdateTest_update_linux.txt index 18dff8e75c6..8abe827660b 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_linux.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_linux.txt 
@@ -1,52 +1,12 @@ -{ 'affected': [], - 'affected_fuzzy': [], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Linux', - 'name': 'Kernel', - 'purl': None}, - 'ranges': [ { 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': []}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'LINUX-123', +{ 'affected': [ { 'package': {'ecosystem': 'Linux', 'name': 'Kernel'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}]}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT','Linux'], - 'fixed': '', - 'has_affected': False, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'project': ['Kernel'], - 'public': True, - 'purl': [], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '123', - 'git', - 'https://osv-test/repo/url', - 'kernel', - 'linux', - 'linux-123', - 'osv-test/repo/url', - 'repo', - 'url'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:LINUX-123.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(2021, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'GSD-123', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 
'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_maven.txt b/gcp/workers/worker/testdata/UpdateTest_update_maven.txt index 38df7620556..b8f92df1d2f 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_maven.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_maven.txt @@ -1,46 +1,25 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '0.7.0-incubating', - '0.8.0', - '0.9.0', - '1.0', - '1.1', - '2.0', - '2.1', - '2.2', - '2.3', - '2.4'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Maven', - 'name': 'org.apache.any23:apache-any23', - 'purl': 'pkg:maven/org.apache.any23/apache-any23'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '2.5'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '0.7.0-incubating', - '0.8.0', - '0.9.0', - '1.0', - '1.1', - '2.0', - '2.1', - '2.2', - '2.3', - '2.4']}], +{ 'affected': [ { 'package': { 'ecosystem': 'Maven', + 'name': 'org.apache.any23:apache-any23', + 'purl': 'pkg:maven/org.apache.any23/apache-any23'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + {'fixed': '2.5'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '0.7.0-incubating', + '0.8.0', + '0.9.0', + '1.0', + '1.1', + '2.0', + '2.1', + '2.2', + '2.3', + '2.4']}], 'aliases': ['CVE-2021-38555'], - 'credits': [], 'database_specific': { 'cwe_ids': ['CWE-611'], 'github_reviewed': True, 'github_reviewed_at': '2021-09-13T19:31:01Z', 'nvd_published_at': '2021-09-11T11:15:00Z', 'severity': 'CRITICAL'}, - 'db_id': 'GHSA-838r-hvwh-24h8', 'details': 'An XML external entity (XXE) injection vulnerability was ' 'discovered in the Any23 StreamUtils.java file and is known to ' 'affect Any23 versions < 2.5. XML external entity injection ' 
@@ -50,51 +29,16 @@ 'files on the application server filesystem, and to interact ' 'with any back-end or external systems that the application ' 'itself can access.', - 'ecosystem': ['Maven'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2021, 9, 24, 13, 10, 5, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['org.apache.any23:apache-any23'], - 'public': True, - 'purl': ['pkg:maven/org.apache.any23/apache-any23'], - 'reference_url_types': { 'https://github.com/apache/any23': 'PACKAGE', - 'https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E': 'WEB', - 'https://nvd.nist.gov/vuln/detail/CVE-2021-38555': 'ADVISORY'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '2021', - '2021-38555', - '24h8', - '38555', - '838r', - '838r-hvwh', - '838r-hvwh-24h8', - 'any23', - 'apache', - 'cve', - 'cve-2021', - 'cve-2021-38555', - 'ghsa', - 'ghsa-838r', - 'ghsa-838r-hvwh', - 'ghsa-838r-hvwh-24h8', - 'hvwh', - 'hvwh-24h8', - 'maven', - 'org', - 'org.apache.any23:apache-any23'], - 'search_tags': ['ghsa-838r-hvwh-24h8', 'org.apache.any23:apache-any23'], - 'semver_fixed_indexes': [], - 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', - 'type': 'CVSS_V3'}], - 'source': 'source', - 'source_id': 'source:GHSA-838r-hvwh-24h8.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'XML Injection in Any23', - 'timestamp': DatetimeWithNanoseconds(2021, 9, 13, 20, 6, 31, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'GHSA-838r-hvwh-24h8', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-09-13T20:06:31Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2021-38555'}, + { 'type': 'PACKAGE', + 'url': 
'https://github.com/apache/any23'}, + { 'type': 'WEB', + 'url': 'https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E'}], + 'schema_version': '1.7.3', + 'severity': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', + 'type': 'CVSS_V3'}], + 'summary': 'XML Injection in Any23'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_new.txt b/gcp/workers/worker/testdata/UpdateTest_update_new.txt index 7c36f197aad..1b333bd0a52 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_new.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_new.txt 
@@ -1,67 +1,19 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Go', - 'name': 'blah.com/package', - 'purl': 'pkg:golang/blah.com/package'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'introduced', - 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-126', +{ 'affected': [ { 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'introduced': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['blah.com/package'], - 'public': True, - 'purl': ['pkg:golang/blah.com/package'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': 
'', - 'related': [], - 'search_indices': [ '126', - 'blah', - 'blah.com/package', - 'com', - 'git', - 'go', - 'https://osv-test/repo/url', - 'osv', - 'osv-126', - 'osv-test/repo/url', - 'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-126'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-126.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-126', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt b/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt index 821fb369530..9a6219d1cc8 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt 
@@ -1,67 +1,19 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Go', - 'name': 'blah.com/package', - 'purl': 'pkg:golang/blah.com/package'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-127', +{ 'affected': [ { 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['blah.com/package'], - 'public': True, - 'purl': ['pkg:golang/blah.com/package'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '127', - 'blah', - 'blah.com/package', - 'com', - 'git', - 'go', - 'https://osv-test/repo/url', - 'osv', - 'osv-127', - 'osv-test/repo/url', - 
'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-127'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-127.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': None, - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-127', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt new file mode 100644 index 00000000000..39b24a9dd51 --- /dev/null +++ b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt @@ -0,0 +1,7 @@ +{ 'details': 'Blah blah blah\nBlah\n', + 'id': 'OSV-131', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt index 3c2c9cfd004..5e0f3a2b915 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt 
@@ -1,65 +1,18 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': ['0-1-1', '1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'ecosystem', - 'name': 'blah.com/package', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'introduced', - 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-130', +{ 'affected': [ { 'package': { 'ecosystem': 'ecosystem', + 'name': 'blah.com/package'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'introduced': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'ecosystem'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['blah.com/package'], - 'public': True, - 'purl': [], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '130', - 'blah', - 'blah.com/package', - 'com', - 'ecosystem', - 'git', - 
'https://osv-test/repo/url', - 'osv', - 'osv-130', - 'osv-test/repo/url', - 'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-130'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-130.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-130', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt b/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt index 17d13fe02f8..26c2f56db26 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt 
@@ -1,143 +1,58 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'grpcio', - 'purl': 'pkg:pypi/grpcio'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.14.2'}, - { 'type': 'fixed', - 'value': '1.31.0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'PYSEC-123', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 
'pkg:pypi/grpcio'}, + 'ranges': [ { 'events': [ { 'introduced': '1.14.2'}, + {'fixed': '1.31.0'}], + 'type': 'ECOSYSTEM'}, + { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['grpcio'], - 'public': True, - 'purl': ['pkg:pypi/grpcio'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '123', - 'git', - 'grpcio', - 'https://osv-test/repo/url', - 'osv-test/repo/url', - 'pypi', - 'pysec', - 'pysec-123', - 'repo', - 'url'], - 'search_tags': ['grpcio', 'pysec-123'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:PYSEC-123.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'PYSEC-123', + 'modified': '3000-01-01T00:00:00Z', + 
'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/worker.py b/gcp/workers/worker/worker.py index 4b80ed4c34a..a47cfdd09a8 100644 --- a/gcp/workers/worker/worker.py +++ b/gcp/workers/worker/worker.py @@ -18,6 +18,7 @@ import json import logging import os +import pygit2 import redis import requests import resource @@ -32,14 +33,15 @@ from google.cloud import pubsub_v1 from google.cloud import storage from google.cloud.storage import retry -from google.protobuf import json_format +from google.protobuf import json_format, timestamp_pb2 sys.path.append(os.path.dirname(os.path.realpath(__file__))) import osv -import osv.ecosystems import osv.cache +import osv.ecosystems +import osv.gcs import osv.logs -from osv import vulnerability_pb2 +from osv import vulnerability_pb2, purl_helpers import oss_fuzz from vanir import vulnerability_manager @@ -161,17 +163,6 @@ def clean_artifacts(oss_fuzz_dir): shutil.rmtree(build_dir, ignore_errors=True) -def mark_bug_invalid(message): - """Mark a bug as invalid.""" - source_id = get_source_id(message) - for bug in osv.Bug.query(osv.Bug.source_id == source_id): - bug.withdrawn = datetime.datetime.now(datetime.UTC) - bug.status = osv.BugStatus.INVALID - bug.put() - - osv.delete_affected_commits(bug.key.id()) - - def get_source_id(message): """Get message ID.""" source_id = message.attributes['source_id'] @@ -278,7 +269,9 @@ def fix_invalid_ghsa(vulnerability): return True -def maybe_normalize_package_names(vulnerability): +def maybe_normalize_package_names( + vulnerability: vulnerability_pb2.Vulnerability +) -> vulnerability_pb2.Vulnerability: """Normalize package names as necessary.""" for affected in vulnerability.affected: if not affected.package.ecosystem: 
@@ -331,6 +324,7 @@ def _source_update(self, message): path = message.attributes['path'] original_sha256 = message.attributes['original_sha256'] deleted = message.attributes['deleted'] == 'true' + skip_hash_check = message.attributes.get('skip_hash_check') == 'true' source_repo = osv.get_source_repository(source) if source_repo is None: @@ -346,8 +340,8 @@ def _source_update(self, message): vuln_path = os.path.join(osv.repo_path(repo), path) if not os.path.exists(vuln_path): logging.info('%s was deleted.', vuln_path) - if deleted: - self._handle_deleted(source_repo, path) + if deleted or skip_hash_check: + self._handle_deleted(path) return @@ -365,7 +359,7 @@ def _source_update(self, message): current_sha256 = osv.sha256(vuln_path) elif source_repo.type == osv.SourceRepositoryType.BUCKET: if deleted: - self._handle_deleted(source_repo, path) + self._handle_deleted(path) return storage_client = storage.Client() bucket = storage_client.bucket(source_repo.bucket) @@ -373,6 +367,8 @@ def _source_update(self, message): blob = bucket.blob(path).download_as_bytes(retry=retry.DEFAULT_RETRY) except google.cloud.exceptions.NotFound: logging.exception('Bucket path %s does not exist.', path) + if skip_hash_check: + self._handle_deleted(path) return current_sha256 = osv.sha256_bytes(blob) @@ -388,12 +384,14 @@ def _source_update(self, message): repo = None elif source_repo.type == osv.SourceRepositoryType.REST_ENDPOINT: if deleted: - self._handle_deleted(source_repo, path) + self._handle_deleted(path) return vulnerabilities = [] request = requests.get(source_repo.link + path, timeout=_TIMEOUT_SECONDS) if request.status_code != 200: logging.error('Failed to fetch REST API: %s', request.status_code) + if request.status_code == 404 and skip_hash_check: + self._handle_deleted(path) return vuln = request.json() try: 
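Review bot: The `skip_hash_check` branches added in the `@@ -346`, `@@ -373` and `@@ -388` hunks treat a missing checkout file, a bucket `NotFound` and a REST 404 as a deletion even when `deleted` is not `'true'`, so a message carrying `skip_hash_check` for a path that is merely unreachable (a mis-set `source_repo.link`, a renamed file) withdraws the record instead of only skipping the sha256 comparison. If that is the intent, the first of these branches deserves a comment stating which publisher sets `skip_hash_check` and why absence at the source is treated as removal, and the attribute should be listed in the method docstring alongside `deleted`. It would also help to log when the comparison in the `@@ -406` hunk is bypassed, `logging.info('Skipping sha256 check for %s', path)`, so the bypass is visible in the worker logs. `_source_update` starts and ends outside these hunks.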
@@ -406,7 +404,7 @@ def _source_update(self, message): else: raise RuntimeError('Unsupported SourceRepository type.') - if current_sha256 != original_sha256: + if not skip_hash_check and current_sha256 != original_sha256: logging.warning( 'sha256sum of %s no longer matches (expected=%s vs current=%s).', path, original_sha256, current_sha256) 
@@ -427,36 +425,71 @@ def _source_update(self, message): for vulnerability in vulnerabilities: self._do_update(source_repo, repo, vulnerability, path, original_sha256) - def _handle_deleted(self, source_repo, vuln_path): - """Handle existing bugs that have been subsequently deleted at their source. + def _handle_deleted(self, vuln_path: str): + """Handle existing vulns that have been subsequently deleted at their + source. Args: - source_repo: Source repository. vuln_path: Path to vulnerability. - This marks the Bug as INVALID and as withdrawn. + This marks the Vulnerability as withdrawn. """ vuln_id = os.path.splitext(os.path.basename(vuln_path))[0] - bug = osv.Bug.get_by_id(vuln_id) - if not bug: - logging.error('Failed to find Bug with ID %s', vuln_id) - return + vuln_and_gen = osv.gcs.get_by_id_with_generation(vuln_id) + gcs_gen = None + proto_vuln = None + + def xact(): + nonlocal gcs_gen + nonlocal proto_vuln + ds_vuln: osv.Vulnerability = osv.Vulnerability.get_by_id(vuln_id) + if not ds_vuln: + logging.error('Failed to find Vulnerability with ID %s', vuln_id) + return - bug_source_path = osv.source_path(source_repo, bug) - if bug_source_path != vuln_path: - logging.error('Request path %s does not match %s, aborting.', vuln_path, - bug_source_path) - return + _, _, ds_path = ds_vuln.source_id.partition(':') - logging.info('Marking %s as invalid and withdrawn.', vuln_id) - bug.status = osv.BugStatus.INVALID - if not bug.withdrawn: # in case this was already withdrawn for some reason - bug.withdrawn = datetime.datetime.now(datetime.UTC) - if bug.last_modified: - bug.last_modified = max(bug.withdrawn, bug.last_modified) - else: - bug.last_modified = bug.withdrawn - bug.put() + if ds_path != vuln_path: + logging.error('Request path %s does not match %s, aborting.', vuln_path, + ds_path) + return + + logging.info('Marking %s as withdrawn.', vuln_id) + if not vuln_and_gen: + logging.error('Failed to find Vulnerability with ID %s in GCS', vuln_id) + # contruct an 
empty withdrawn vuln + proto_vuln = vulnerability_pb2.Vulnerability(id=vuln_id) + else: + proto_vuln, gcs_gen = vuln_and_gen + + if not proto_vuln.HasField('withdrawn'): + # in case this was already withdrawn for some reason + proto_vuln.withdrawn.FromDatetime(datetime.datetime.now(datetime.UTC)) + if (not proto_vuln.HasField('modified') or + proto_vuln.withdrawn.ToDatetime( + datetime.UTC) > proto_vuln.modified.ToDatetime(datetime.UTC)): + proto_vuln.modified.CopyFrom(proto_vuln.withdrawn) + ds_vuln.is_withdrawn = True + ds_vuln.modified = proto_vuln.modified.ToDatetime(datetime.UTC) + osv.models.put_entities(ds_vuln, proto_vuln) + + try: + ndb.transaction(xact) + except (google.api_core.exceptions.Cancelled, ndb.exceptions.Error) as e: + e.add_note(f'Happened processing {vuln_id}') + logging.exception('Unexpected exception while writing %s to Datastore', + vuln_id) + raise + if not proto_vuln: + return + try: + osv.gcs.upload_vulnerability(proto_vuln, gcs_gen) + except Exception: + # Writing to bucket failed for some reason. + # Send a pub/sub message to retry. + logging.error('Writing to bucket failed for %s', vuln_id) + data = proto_vuln.SerializeToString(deterministic=True) + osv.pubsub.publish_failure(data, type='gcs_retry') def _push_new_ranges_and_versions(self, source_repo, repo, vulnerability, output_path, original_sha256): 
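Review bot: The path check in the rewritten `_handle_deleted` (`_, _, ds_path = ds_vuln.source_id.partition(':')` followed by `if ds_path != vuln_path`) discards the source name, whereas the removed version compared against `osv.source_path(source_repo, bug)`; two sources storing the same relative path would now pass the check and the wrong record could be withdrawn. Since both callers in `_source_update` have `source_repo` in scope, keeping it as a parameter and comparing `if ds_vuln.source_id != f'{source_repo.name}:{vuln_path}':` restores that guard. The fallback that builds `vulnerability_pb2.Vulnerability(id=vuln_id)` when GCS has no record goes on to upload an entry holding only `id`, `withdrawn` and `modified`; a comment saying this is deliberate would help (and `# contruct` should read `# construct`). In the `except Exception` around `upload_vulnerability`, `logging.exception(...)` instead of `logging.error(...)` would keep the cause of the failed bucket write.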
@@ -472,17 +505,12 @@ def _push_new_ranges_and_versions(self, source_repo, repo, vulnerability, output_path: original_sha256, }) - def _analyze_vulnerability(self, source_repo, repo, vulnerability, path, - original_sha256): + def _analyze_vulnerability(self, source_repo: osv.SourceRepository, + repo: pygit2.Repository | None, + vulnerability: vulnerability_pb2.Vulnerability, + path: str, + original_sha256: str) -> osv.AnalyzeResult: """Analyze vulnerability and push new changes.""" - # Add OSS-Fuzz - added_fix_info = False - bug = osv.Bug.get_by_id(vulnerability.id) - if bug: - fix_result = osv.FixResult.get_by_id(bug.source_id) - if fix_result: - added_fix_info = add_fix_information(vulnerability, fix_result) - result = osv.analyze( vulnerability, checkout_path=os.path.join(self._work_dir, 'checkout'), @@ -491,12 +519,14 @@ def _analyze_vulnerability(self, source_repo, repo, vulnerability, path, versions_from_repo=source_repo.versions_from_repo, consider_all_branches=source_repo.consider_all_branches) - if not result.has_changes and not added_fix_info: + if not result.has_changes: return result if not source_repo.editable: return result - + # NB: Only OSS-Fuzz is editable - all other sources are read-only. + # This should not be reachable by this worker. + logging.error('Source %s flagged as editable', source_repo.name) output_path = os.path.join(osv.repo_path(repo), path) if self._push_new_ranges_and_versions(source_repo, repo, vulnerability, output_path, original_sha256): @@ -508,7 +538,9 @@ def _analyze_vulnerability(self, source_repo, repo, vulnerability, path, vulnerability.id) raise UpdateConflictError - def _generate_vanir_signatures(self, vulnerability): + def _generate_vanir_signatures( + self, vulnerability: vulnerability_pb2.Vulnerability + ) -> vulnerability_pb2.Vulnerability: """Generates Vanir signatures for a vulnerability.""" if not any(r.type == vulnerability_pb2.Range.GIT for affected in vulnerability.affected 
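Review bot: In the `@@ -491` hunk the new `logging.error('Source %s flagged as editable', source_repo.name)` is immediately followed by the unchanged push to the repository, so a condition the new comment calls unreachable is reported as an error and then acted on anyway. If the editable path is really out of scope for this worker, `return result` after the log (or raising) keeps the error log honest; if OSS-Fuzz still depends on it, the message should be a warning. Separately, the `-> osv.AnalyzeResult` annotation added in the `@@ -472` hunk is not reflected in the docstring; a one-line `Returns:` entry would close that gap. The function continues past both hunks.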
@@ -545,8 +577,10 @@ def _generate_vanir_signatures(self, vulnerability): vulnerability.id) return vulnerability - def _do_update(self, source_repo, repo, vulnerability, relative_path, - original_sha256): + def _do_update(self, source_repo: osv.SourceRepository, + repo: pygit2.Repository | None, + vulnerability: vulnerability_pb2.Vulnerability, + relative_path: str, original_sha256: str): """Process updates on a vulnerability.""" _state.bug_id = vulnerability.id logging.info('Processing update for vulnerability %s', vulnerability.id) 
@@ -569,70 +603,139 @@ def _do_update(self, source_repo, repo, vulnerability, relative_path, # Discard changes due to conflict. return - # Fetch the current state from Datastore. - bug = osv.Bug.get_by_id(vulnerability.id) - is_new_bug = bug is None - - has_changed = False - if is_new_bug: - has_changed = True - if source_repo.name == 'oss-fuzz': - logging.warning('%s not found for OSS-Fuzz source.', vulnerability.id) - return - - bug = osv.Bug( - db_id=vulnerability.id, - timestamp=osv.utcnow(), - status=osv.BugStatus.PROCESSED, - source_of_truth=osv.SourceOfTruth.SOURCE_REPO) - else: - # Compare the newly enriched vulnerability with the stored one. - # Create a 'pure' vulnerability object from the existing bug for - # comparison, excluding external data that would cause false positives. - old_vulnerability = bug.to_vulnerability( - include_source=False, include_alias=False, include_upstream=False) - - # Clear modified timestamps for a clean comparison. - old_vulnerability.modified.Clear() - vulnerability.modified.Clear() - - if old_vulnerability != vulnerability: + vuln_and_gen = osv.gcs.get_by_id_with_generation(vulnerability.id) + gcs_gen = None + + def xact(): + # Fetch the current state from Datastore. + nonlocal gcs_gen + ds_vuln = osv.Vulnerability.get_by_id(vulnerability.id) + is_new_bug = ds_vuln is None + + # Compute the related fields here first. + # TODO(michaelkedar): Make a related computation in relations cron + related_raw = vulnerability.related + q = osv.Vulnerability.query( + osv.Vulnerability.related_raw == vulnerability.id) + related = set(vulnerability.related).union(set(r.id for r in q)) + vulnerability.related[:] = sorted(related) + + old_published = None + + # Update the schema version + # TODO(michaelkedar): osv.SCHEMA_VERSION is not kept up to date with + # the osv-schema submodule + vulnerability.schema_version = osv.SCHEMA_VERSION + # Add PURLs and source if they are missing. 
+ source_link = None + if source_repo and source_repo.link: + source_link = source_repo.link + relative_path + for affected in vulnerability.affected: + if not affected.package.purl: + if purl := purl_helpers.package_to_purl( + osv.ecosystems.normalize(affected.package.ecosystem), + affected.package.name): + affected.package.purl = purl + if source_link: + affected.database_specific.update({'source': source_link}) + + has_changed = False + if is_new_bug: has_changed = True + ds_vuln = osv.Vulnerability( + id=vulnerability.id, + source_id=f'{source_repo.name}:{relative_path}', + ) + else: + # Compare the newly enriched vulnerability with the stored one. + # Create a 'pure' vulnerability object from the existing vuln for + # comparison, excluding external data that would cause false positives. + if vuln_and_gen is None: + logging.warning('Vulnerability %s found in Datastore but not in GCS.', + vulnerability.id) + # We need to write the vuln in this case + has_changed = True + else: + old_vulnerability, gcs_gen = vuln_and_gen + if old_vulnerability.HasField('published'): + old_published = timestamp_pb2.Timestamp() + old_published.CopyFrom(old_vulnerability.published) + new_vulnerability = vulnerability_pb2.Vulnerability() + new_vulnerability.CopyFrom(vulnerability) + + # Clear modified/published timestamps for a clean comparison. + old_vulnerability.modified.Clear() + new_vulnerability.modified.Clear() + old_vulnerability.published.Clear() + new_vulnerability.published.Clear() + # Clear aliases and upstream, as they are computed separately. 
+ old_vulnerability.aliases.clear() + new_vulnerability.aliases.clear() + old_vulnerability.upstream.clear() + new_vulnerability.upstream.clear() + + has_changed = old_vulnerability != new_vulnerability + + ds_vuln.is_withdrawn = vulnerability.HasField('withdrawn') + ds_vuln.modified_raw = orig_modified_date + ds_vuln.alias_raw = list(vulnerability.aliases) + ds_vuln.related_raw = list(related_raw) + ds_vuln.upstream_raw = list(vulnerability.upstream) + # Update the bug entity based on the comparison. + if has_changed: + ds_vuln.modified = osv.utcnow() + else: + # If no meaningful change, ensure last_modified reflects the source + # file's modified date, as only metadata might have changed. + ds_vuln.modified = orig_modified_date + + # Overwrite aliases / upstream from computation + alias_group = osv.AliasGroup.query( + osv.AliasGroup.bug_ids == vulnerability.id).get() + if alias_group: + aliases = sorted(set(alias_group.bug_ids) - {vulnerability.id}) + vulnerability.aliases[:] = aliases + ds_vuln.modified = max(alias_group.last_modified, ds_vuln.modified) + upstream_group = osv.UpstreamGroup.query( + osv.UpstreamGroup.db_id == vulnerability.id).get() + if upstream_group: + vulnerability.upstream[:] = sorted(upstream_group.upstream_ids) + ds_vuln.modified = max(upstream_group.last_modified, ds_vuln.modified) + # Make sure modified date is >= withdrawn date + if ds_vuln.is_withdrawn and vulnerability.withdrawn.ToDatetime( + datetime.UTC) > ds_vuln.modified: + ds_vuln.modified = vulnerability.withdrawn.ToDatetime(datetime.UTC) + + vulnerability.modified.FromDatetime(ds_vuln.modified) + + # Make sure vuln has a published date + if not vulnerability.HasField('published'): + if old_published: + vulnerability.published.CopyFrom(old_published) + else: + vulnerability.published.CopyFrom(vulnerability.modified) + + osv.models.put_entities(ds_vuln, vulnerability) + osv.update_affected_commits(vulnerability.id, result.commits, True) - # Update the bug entity based on the 
comparison. - if has_changed: - bug.update_from_vulnerability(vulnerability) - bug.last_modified = osv.utcnow() - else: - # If no meaningful change, ensure last_modified reflects the source file's - # modified date, as only metadata might have changed. - bug.last_modified = orig_modified_date - - bug.public = True - bug.import_last_modified = orig_modified_date - # OSS-Fuzz sourced bugs use a different format for source_id. - if source_repo.name != 'oss-fuzz' or not bug.source_id: - bug.source_id = f'{source_repo.name}:{relative_path}' - - if bug.withdrawn: - bug.status = osv.BugStatus.INVALID - else: - bug.status = osv.BugStatus.PROCESSED - - if not vulnerability.affected: - logging.info('%s does not affect any packages. Marking as invalid.', - vulnerability.id) - bug.status = osv.BugStatus.INVALID try: - bug.put() + ndb.transaction(xact) except (google.api_core.exceptions.Cancelled, ndb.exceptions.Error) as e: e.add_note(f'Happened processing {vulnerability.id}') logging.exception('Unexpected exception while writing %s to Datastore', vulnerability.id) + raise + try: + osv.gcs.upload_vulnerability(vulnerability, gcs_gen) + except Exception: + # Writing to bucket failed for some reason. + # Send a pub/sub message to retry. + logging.error('Writing to bucket failed for %s', vulnerability.id) + data = vulnerability.SerializeToString(deterministic=True) + osv.pubsub.publish_failure(data, type='gcs_retry') - osv.update_affected_commits(bug.key.id(), result.commits, bug.public) self._notify_ecosystem_bridge(vulnerability) - self._maybe_remove_import_findings(bug) + self._maybe_remove_import_findings(vulnerability.id) def _notify_ecosystem_bridge(self, vulnerability): """Notify ecosystem bridges.""" 
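Review bot: In the `@@ -569` hunk `related_raw = vulnerability.related` binds the repeated-field container itself, and the following `vulnerability.related[:] = sorted(related)` mutates it in place, so `ds_vuln.related_raw = list(related_raw)` later stores the computed relations rather than the source's own list; if `related_raw` is meant to hold the raw input the way `alias_raw` and `upstream_raw` do, this should be `related_raw = list(vulnerability.related)` taken before the query. The same in-place mutation matters for retries: `ndb.transaction(xact)` may run `xact` more than once, and a second attempt reads `vulnerability.aliases` and `vulnerability.upstream` after the first attempt has already overwritten them from `AliasGroup`/`UpstreamGroup`, so `alias_raw` and `upstream_raw` could drift as well — snapshotting those lists before the transaction, or working on a copy of `vulnerability` inside `xact`, avoids that. A short docstring on `xact` noting that it mutates `vulnerability` and `gcs_gen` would make these side effects visible to the next reader. `_do_update` begins before this hunk.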
@@ -652,12 +755,12 @@ def _notify_ecosystem_bridge(self, vulnerability): push_topic, data=json.dumps(osv.vulnerability_to_dict(vulnerability)).encode()) - def _maybe_remove_import_findings(self, vulnerability: osv.Bug): - """Remove any stale import findings for a successfully processed Bug,""" + def _maybe_remove_import_findings(self, vuln_id: str): + """Remove any stale import findings for a successfully processed Vuln,""" - finding = osv.ImportFinding.get_by_id(vulnerability.id()) + finding = osv.ImportFinding.get_by_id(vuln_id) if finding: - logging.info('Removing stale import finding for %s', vulnerability.id()) + logging.info('Removing stale import finding for %s', vuln_id) finding.key.delete() def _do_process_task(self, subscriber, subscription, ack_id, message, diff --git a/gcp/workers/worker/worker_test.py b/gcp/workers/worker/worker_test.py index 2e4fc8dc540..15997c87142 100644 --- a/gcp/workers/worker/worker_test.py +++ b/gcp/workers/worker/worker_test.py @@ -18,8 +18,8 @@ import hashlib from gcp.workers.mock_test.mock_test_handler import MockDataHandler import http.server +import logging import os -import shutil import tempfile import threading import warnings @@ -27,11 +27,12 @@ from unittest import mock from google.cloud import ndb +from google.protobuf.json_format import MessageToDict import pygit2 import osv from osv import tests -import oss_fuzz +from osv import vulnerability_pb2 import worker TEST_BUCKET = 'test-osv-source-bucket' 
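Review bot: The new docstring in the `@@ -652` hunk, `"""Remove any stale import findings for a successfully processed Vuln,"""`, carries over the trailing comma from the old version; `"""Remove any stale import findings for a successfully processed vulnerability."""` reads as intended. The parameter change to `vuln_id: str` matches the call site in `_do_update`, which now passes `vulnerability.id`.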
@@ -58,550 +59,6 @@ def _sha256(test_name): return hasher.hexdigest() -class OssFuzzDetailsTest(unittest.TestCase): - """Details generation tests.""" - - def test_basic(self): - """Basic tests.""" - crash_type = 'Heap-buffer-overflow' - crash_state = 'Foo\nBar\nBlah\n' - - summary = oss_fuzz.get_oss_fuzz_summary(crash_type, crash_state) - self.assertEqual('Heap-buffer-overflow in Foo', summary) - - details = oss_fuzz.get_oss_fuzz_details('1337', crash_type, crash_state) - self.assertEqual( - 'OSS-Fuzz report: ' - 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1337\n\n' - '```\n' - 'Crash type: Heap-buffer-overflow\n' - 'Crash state:\n' - 'Foo\n' - 'Bar\n' - 'Blah\n```\n', - details, - ) - - def test_no_issue(self): - """Test generating details without an issue ID.""" - crash_type = 'Heap-buffer-overflow' - crash_state = 'Foo\nBar\nBlah\n' - - details = oss_fuzz.get_oss_fuzz_details('', crash_type, crash_state) - self.assertEqual( - '```\n' - 'Crash type: Heap-buffer-overflow\n' - 'Crash state:\n' - 'Foo\n' - 'Bar\n' - 'Blah\n```\n', - details, - ) - - def test_assert(self): - """Basic assertion failures.""" - crash_type = 'ASSERT' - crash_state = 'idx < length\nFoo\nBar\n' - - summary = oss_fuzz.get_oss_fuzz_summary(crash_type, crash_state) - self.assertEqual('ASSERT: idx < length', summary) - - details = oss_fuzz.get_oss_fuzz_details('1337', crash_type, crash_state) - self.assertEqual( - 'OSS-Fuzz report: ' - 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1337\n\n' - '```\n' - 'Crash type: ASSERT\n' - 'Crash state:\n' - 'idx < length\n' - 'Foo\n' - 'Bar\n```\n', - details, - ) - - def test_bad_cast(self): - """Basic bad casts.""" - crash_type = 'Bad-cast' - crash_state = 'Bad-cast to A from B\nFoo\nBar\n' - - summary = oss_fuzz.get_oss_fuzz_summary(crash_type, crash_state) - self.assertEqual('Bad-cast to A from B', summary) - - details = oss_fuzz.get_oss_fuzz_details('1337', crash_type, crash_state) - self.assertEqual( - 'OSS-Fuzz report: ' - 
'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1337\n\n' - '```\n' - 'Crash type: Bad-cast\n' - 'Crash state:\n' - 'Bad-cast to A from B\n' - 'Foo\n' - 'Bar\n```\n', - details, - ) - - -class ImpactTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): - """Impact task tests.""" - - def setUp(self): - ds_emulator.reset() - self.maxDiff = None - - tests.mock_clone(self, return_value=pygit2.Repository('osv-test')) - tests.mock_datetime(self) - - osv.SourceRepository( - id='oss-fuzz', name='oss-fuzz', db_prefix=['OSV-']).put() - - allocated_bug = osv.Bug( - db_id='OSV-2020-1337', - timestamp=datetime.datetime(2020, 1, 1, tzinfo=datetime.UTC), - source_id='oss-fuzz:123', - status=osv.BugStatus.UNPROCESSED, - public=False, - ) - allocated_bug.put() - - # This should be deleted and overwritten with the actual computed commits. - osv.AffectedCommits( - id='OSV-2020-1337-3', bug_id='OSV-2020-1337', page=3).put() - - def test_basic(self): - """Basic test.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal('basic', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, 
len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - def test_range(self): - """Test commit range.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit=('b1c95a196f22d06fcf80df8c6691cd113d8fefff:' - '36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2'), - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal('range', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'b9b3fd4732695b83c3068b7b6a14bb372ec31f98', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in 
affected_commits.commits], - ) - - def test_fixed_range_too_long(self): - """Test fixed range that's too long.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit=('eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:' - 'b587c21c36a84e16cfc6b39eb68578d43b5281ad'), - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - with self.assertLogs(level='WARNING') as logs: - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.assertEqual(logs.output, - ['WARNING:root:Too many commits in fix range.']) - - self.expect_dict_equal( - 'fixed_range_too_long', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict(), - ) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2', - b'3ea6feea9bb853596c727abab309476cc07d1505', - b'4c155795426727ea05575bd5904321def23c03f4', - b'8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'b9b3fd4732695b83c3068b7b6a14bb372ec31f98', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - def test_zero_regression_range(self): - """Test regression range 
with '0:X'.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='unknown:eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal( - 'zero_regression_range', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict(), - ) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - def test_simplify_range(self): - """Test simplifying commit range.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit=('a2ba949290915d445d34d0e8e9de2e7ce38198fc:' - 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'), - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - 
reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit=('b1c95a196f22d06fcf80df8c6691cd113d8fefff:' - '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'), - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal('simplify_range', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - def test_not_fixed(self): - """Test not fixed bug.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - with self.assertLogs(level='WARNING') as logs: - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.assertEqual(logs.output, - ['WARNING:root:Missing FixResult for oss-fuzz:123']) - - self.expect_dict_equal('not_fixed', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2', - b'3ea6feea9bb853596c727abab309476cc07d1505', - b'4c155795426727ea05575bd5904321def23c03f4', - b'88e5ae3c40c85b702ba89a34c29f233048abb12b', - b'8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'b587c21c36a84e16cfc6b39eb68578d43b5281ad', - b'b9b3fd4732695b83c3068b7b6a14bb372ec31f98', - 
b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - -class EcosystemTest(unittest.TestCase): - """Test getting ecosystem.""" - - def setUp(self): - self.tmp_dir = tempfile.mkdtemp() - self.oss_fuzz_checkout = os.path.join(self.tmp_dir, 'oss-fuzz') - osv.ensure_updated_checkout(worker.OSS_FUZZ_GIT_URL, self.oss_fuzz_checkout) - - def tearDown(self): - shutil.rmtree(self.tmp_dir, ignore_errors=True) - - def test_get_ecosystem(self): - """Test getting ecosystems.""" - self.assertEqual('PyPI', - oss_fuzz.get_ecosystem(self.oss_fuzz_checkout, 'pillow')) - self.assertEqual( - 'Go', - oss_fuzz.get_ecosystem(self.oss_fuzz_checkout, 'golang-protobuf'), - ) - self.assertEqual( - 'OSS-Fuzz', - oss_fuzz.get_ecosystem(self.oss_fuzz_checkout, 'openssl'), - ) - - -class MarkBugInvalidTest(unittest.TestCase): - """Test mark_bug_invalid.""" - - def setUp(self): - ds_emulator.reset() - - def test_mark_bug_invalid(self): - """Test mark_bug_invalid.""" - osv.SourceRepository( - id='oss-fuzz', name='oss-fuzz', db_prefix=['OSV-']).put() - osv.Bug(db_id='OSV-2021-1', source_id='oss-fuzz:1337').put() - osv.AffectedCommits(bug_id='OSV-2021-1').put() - osv.AffectedCommits(bug_id='OSV-2021-1').put() - - message = mock.Mock() - message.attributes = { - 'type': 'invalid', - 'testcase_id': '1337', - 'source_id': '', - } - - worker.mark_bug_invalid(message) - bug = ndb.Key(osv.Bug, 'OSV-2021-1').get() - self.assertEqual(osv.BugStatus.INVALID, bug.status) - - commits = list(osv.AffectedCommits.query()) - self.assertEqual(0, len(commits)) - - -class FindOssFuzzFixViaCommitTest(unittest.TestCase): - """Test finding OSS-Fuzz fixes via commits.""" - - def setUp(self): - self.repo = pygit2.Repository('osv-test') - - def test_has_issue_id(self): - """Test identifying the commit that has the issue ID.""" - commit = 
oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '949f182716f037e25394bbb98d39b3295d230a29', - 'oss-fuzz:133713371337', - '12345', - ) - self.assertEqual('57e58a5d7c2bb3ce0f04f17ec0648b92ee82531f', commit) - - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '25147a74d8aeb27b43665530ee121a2a1b19dc58', - 'oss-fuzz:133713371337', - '12345', - ) - self.assertEqual('25147a74d8aeb27b43665530ee121a2a1b19dc58', commit) - - def test_has_testcase_id(self): - """Test identifying the commit that has the testcase ID.""" - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '00514d6f244f696e750a37083163992c6a50cfd3', - 'oss-fuzz:133713371337', - '12345', - ) - - self.assertEqual('90aa4127295b2c37b5f7fcf6a9772b12c99a5212', commit) - - def test_has_oss_fuzz_reference(self): - """Test identifying the commit that has the testcase ID.""" - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - 'b1fa81a5d59e9b4d6e276d82fc17058f3cf139d9', - 'oss-fuzz:133713371337', - '12345', - ) - - self.assertEqual('3c5dcf6a5bec14baab3b247d369a7270232e1b83', commit) - - def test_has_multiple_oss_fuzz_reference(self): - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '949f182716f037e25394bbb98d39b3295d230a29', - 'oss-fuzz:7331', - '54321', - ) - self.assertIsNone(commit) - - class RESTUpdateTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): """Vulnerability update tests.""" @@ -612,6 +69,7 @@ def setUp(self): # Initialise fake source_repo. self.tmp_dir = tempfile.TemporaryDirectory() + self.addCleanup(self.tmp_dir.cleanup) self.source_repo = osv.SourceRepository( type=osv.SourceRepositoryType.REST_ENDPOINT, 
@@ -638,7 +96,6 @@ def setUp(self): def tearDown(self): self.httpd.shutdown() - self.tmp_dir.cleanup() def test_update(self): """Test updating rest.""" @@ -662,13 +119,17 @@ def test_git_ranges(self): sha = '6138604b5537caab2afc0ee3e2b11f1574fdd5d8f3c6173f64048341cf55aee4' task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, None) - osv.Bug( - db_id='CURL-CVE-2022-32221', - ecosystem=[''], + vuln_pb = vulnerability_pb2.Vulnerability(id='CURL-CVE-2022-32221') + vuln_pb.modified.FromDatetime( + datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln_ds = osv.Vulnerability( + id='CURL-CVE-2022-32221', + modified=datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC), source_id='source:CURL-CVE-2022-32221.json', - import_last_modified=datetime.datetime( - 2020, 1, 1, 0, 0, tzinfo=datetime.UTC), - ).put() + modified_raw=datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC), + ) + osv.put_entities(vuln_ds, vuln_pb) + osv.gcs.upload_vulnerability(vuln_pb) message = mock.Mock() message.attributes = { 'source': 'source', 
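Review bot: The inline `osv.Vulnerability(...)` construction in test_git_ranges duplicates the `_put_vuln` helper this commit adds to UpdateTest, and the two already diverge: here `published` is never set, while UpdateTest.setUp copies `modified` into `published` before calling the helper. Hoisting `_put_vuln` to module level (it does not read `self`) and calling it from here would keep the Datastore shape of fixtures identical across both classes. Failing that, the `datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)` literal that appears three times in this hunk could become one local, `modified = datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)`. test_git_ranges starts outside this hunk.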
@@ -678,39 +139,9 @@ def test_git_ranges(self): } task_runner._source_update(message) - self.expect_dict_equal('update_no_introduced', - osv.Bug.get_by_id('CURL-CVE-2022-32221')._to_dict()) - - @unittest.skip('Takes too long. ' - 'Also, firestore emulator cannot handle records of this size.') - def test_update_redhat_toobig(self): - """Test failure handling of a too-large Red Hat record.""" - solo_endpoint = 'RHSA-2018:3140' + '.json' - sha = 'a5cc068278ddad5f4c63d9b4f27baf59f296076306a24e850c5edde1b0232b0c' - - self.source_repo.db_prefix.append('RHSA-') - self.source_repo.put() - - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': solo_endpoint, - 'original_sha256': sha, - 'deleted': 'false', - } - with self.assertLogs(level='ERROR') as logs: - task_runner._source_update(message) - - self.assertIn( - 'ERROR:root:Not writing new entities for RHSA-2018:3140 since Bug.put() failed', - logs.output[0]) - self.assertIn( - 'ERROR:root:Unexpected exception while writing RHSA-2018:3140 to Datastore', - logs.output[1]) - - self.mock_publish.assert_not_called() + self.expect_dict_equal( + 'update_no_introduced', + MessageToDict(osv.gcs.get_by_id('CURL-CVE-2022-32221'))) class UpdateTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): 
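Review bot: `MessageToDict(osv.gcs.get_by_id('CURL-CVE-2022-32221'))` uses the default `preserving_proto_field_name=False`, so the golden file this hunk now compares against is keyed in camelCase, whereas the project's own serialiser `vulnerability_to_dict` in osv/sources.py (later in this diff) passes `preserving_proto_field_name=True` and emits the schema's snake_case names. Comparing against `MessageToDict(..., preserving_proto_field_name=True)` — or `osv.vulnerability_to_dict(...)` if that helper is exported from the package — keeps the expectation files readable as OSV records and reusable by output-format tests. The same call pattern is introduced in the remaining hunks of this file, from test_update through test_ubuntu_severity, so the change would apply to each of them. test_git_ranges starts outside this hunk.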
@@ -727,6 +158,21 @@ def _load_test_data(self, name): with open(os.path.join(TEST_DATA_DIR, name)) as f: return f.read() + def _put_vuln(self, vuln: vulnerability_pb2.Vulnerability, source_id: str): + """Put vulnerability into Datastore and GCS (emulators).""" + ds_vuln = osv.Vulnerability( + id=vuln.id, + source_id=source_id, + modified=vuln.modified.ToDatetime(datetime.UTC), + is_withdrawn=vuln.HasField('withdrawn'), + modified_raw=vuln.modified.ToDatetime(datetime.UTC), + alias_raw=list(vuln.aliases), + related_raw=list(vuln.related), + upstream_raw=list(vuln.upstream), + ) + osv.put_entities(ds_vuln, vuln) + osv.gcs.upload_vulnerability(vuln) + def setUp(self): self.maxDiff = None ds_emulator.reset() @@ -738,6 +184,7 @@ def setUp(self): # Initialise fake source_repo. self.tmp_dir = tempfile.TemporaryDirectory() + self.addCleanup(self.tmp_dir.cleanup) self.mock_repo = tests.mock_repository(self) self.remote_source_repo_path = self.mock_repo.path 
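Review bot: `_put_vuln` converts `vuln.modified` twice — both `modified=` and `modified_raw=` call `vuln.modified.ToDatetime(datetime.UTC)`; compute it once, `modified = vuln.modified.ToDatetime(datetime.UTC)`, and pass it to both fields. The docstring should also say that the Datastore entity is derived from the proto and must agree with it, because `osv.put_entities` (later in this diff) chooses between indexing and de-indexing from `ds_vuln.is_withdrawn` while keying everything else on `vuln_pb.id`. The method does not read `self`, so a `@staticmethod` or module-level function would let RESTUpdateTest share it instead of re-implementing the same construction inline.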
@@ -773,59 +220,36 @@ def setUp(self): name='source', db_prefix=['OSV-'], repo_url='file://' + self.remote_source_repo_path, - editable=True, + editable=False, repo_username='', ) self.source_repo.put() - osv.Bug( - db_id='OSV-123', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-123.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-124', - regressed='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-124.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-125', - regressed='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - fixed='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-125.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-127', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-127.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-131', - project=['blah.com/package'], - ecosystem=['ecosystem'], - source_id='source:OSV-131.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() + vuln = vulnerability_pb2.Vulnerability(id='OSV-123') + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-123.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-124') + vuln.modified.FromDatetime( + 
datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-124.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-125') + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-125.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-127') + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-127.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-131') + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-131.yaml') mock_publish = mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') self.mock_publish = mock_publish.start() @@ -839,9 +263,6 @@ def setUp(self): 'ecosystem': None, }) - def tearDown(self): - self.tmp_dir.cleanup() - def test_update(self): """Test basic update.""" task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, @@ -855,16 +276,8 @@ def test_update(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-123', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_update', diff.patch) - self.expect_dict_equal('update', osv.Bug.get_by_id('OSV-123')._to_dict()) + self.expect_dict_equal('update', + MessageToDict(osv.gcs.get_by_id('OSV-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
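Review bot: The five fixture blocks added to setUp differ only in the id and the source path, so a loop over the ids would make the fixture list the one thing a reader has to check and the one place to extend. The flip from `editable=True` to `editable=False` also appears to retire the write-back-to-source-repo path that the deleted `pygit2.Repository(...)` commit assertions in later hunks covered; if the worker still supports editable sources, one test should keep `editable=True`, otherwise a short comment on the flag explaining why it is off now would help. setUp starts outside this hunk.
```python
    self.source_repo.put()

    for vuln_id in ('OSV-123', 'OSV-124', 'OSV-125', 'OSV-127', 'OSV-131'):
      vuln = vulnerability_pb2.Vulnerability(id=vuln_id)
      vuln.modified.FromDatetime(
          datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC))
      vuln.published.CopyFrom(vuln.modified)
      self._put_vuln(vuln, f'source:{vuln_id}.yaml')

    # … unchanged: mock_publish patching …
```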
@@ -896,17 +309,8 @@ def test_update_limit(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-128', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_update_limit', diff.patch) self.expect_dict_equal('update_limit', - osv.Bug.get_by_id('OSV-128')._to_dict()) + MessageToDict(osv.gcs.get_by_id('OSV-128'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -922,52 +326,6 @@ def test_update_limit(self): [codecs.encode(commit, 'hex') for commit in affected_commits.commits], ) - def test_update_add_fix(self): - """Test basic update adding a fix.""" - fix_result = osv.FixResult( - id='source:OSV-124.yaml', - repo_url='https://osv-test/repo/url', - commit='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - ) - fix_result.put() - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': 'OSV-124.yaml', - 'original_sha256': _sha256('OSV-124.yaml'), - 'deleted': 'false', - } - task_runner._source_update(message) - - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-124', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_update_add_fix', diff.patch) - self.expect_dict_equal('update_add_fix', - osv.Bug.get_by_id('OSV-124')._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - def test_update_no_introduced(self): """Test update vulnerability with no introduced commit.""" task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, 
@@ -982,17 +340,8 @@ def test_update_no_introduced(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-127', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_dict_equal('update_no_introduced', - osv.Bug.get_by_id('OSV-127')._to_dict()) - self.expect_equal('diff_update_no_introduced', diff.patch) + MessageToDict(osv.gcs.get_by_id('OSV-127'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -1038,52 +387,36 @@ def test_update_new(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-126', commit.message) - self.expect_dict_equal('update_new', - osv.Bug.get_by_id('OSV-126')._to_dict()) + MessageToDict(osv.gcs.get_by_id('OSV-126'))) def test_update_delete(self): """Test deletion.""" task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, None) - self.mock_repo.delete_file('OSV-123.yaml') - self.mock_repo.commit('User', 'user@email') - message = mock.Mock() message.attributes = { 'source': 'source', 'path': 'OSV-123.yaml', 'original_sha256': _sha256('OSV-123.yaml'), - 'deleted': 'true', + 'deleted': 'false', } task_runner._source_update(message) - bug = osv.Bug.get_by_id('OSV-123') - self.assertEqual(osv.BugStatus.INVALID, bug.status) + self.mock_repo.delete_file('OSV-123.yaml') + self.mock_repo.commit('User', 'user@email') - def test_update_no_changes(self): - """Test basic update (with no changes).""" - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) message = mock.Mock() message.attributes = { 'source': 'source', - 'path': 'OSV-125.yaml', - 'original_sha256': _sha256('OSV-125.yaml'), - 'deleted': 'false', + 'path': 'OSV-123.yaml', + 'original_sha256': _sha256('OSV-123.yaml'), + 'deleted': 'true', } task_runner._source_update(message) - - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('user@email', commit.author.email) - self.assertEqual('User', commit.author.name) + vuln = osv.Vulnerability.get_by_id('OSV-123') + self.assertTrue(vuln.is_withdrawn) + vuln_pb = osv.gcs.get_by_id('OSV-123') + self.assertTrue(vuln_pb.HasField('withdrawn')) def test_update_conflict(self): """Test basic update with a conflict.""" 
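Review bot: test_update_delete now only checks that the entity and the proto are flagged withdrawn; the Datastore side effects of withdrawal that `put_entities` in osv/models.py performs (deleting the `ListedVulnerability` key and the `AffectedVersions` rows) are not asserted, so a regression that leaves a withdrawn record searchable would still pass. Two assertions after the existing ones would cover it: `self.assertIsNone(ndb.Key(osv.ListedVulnerability, 'OSV-123').get())` and `self.assertEqual([], osv.AffectedVersions.query(osv.AffectedVersions.vuln_id == 'OSV-123').fetch())`, assuming both models are exported from the `osv` package the way `osv.Vulnerability` is. Since the deletion commit happens before the second message is built, the `'original_sha256': _sha256('OSV-123.yaml')` value is presumably computed from the test data rather than the now-deleted repo file; a one-line comment saying so would save the next reader a trip.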
@@ -1106,65 +439,6 @@ def test_update_conflict(self): ], ) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - # Latest commit is still the user commit. - self.assertEqual('user@email', commit.author.email) - self.assertEqual('User', commit.author.name) - - def test_update_conflict_while_pushing(self): - """Test basic update with a conflict while pushing.""" - original_push_source_changes = osv.push_source_changes - - def mock_push_source_changes(*args, **kwargs): - self.mock_repo.add_file('OSV-123.yaml', 'changed') - self.mock_repo.commit('Another user', 'user@email') - - original_push_source_changes(*args, **kwargs) - - patcher = mock.patch('osv.push_source_changes') - self.addCleanup(patcher.stop) - patcher.start().side_effect = mock_push_source_changes - - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': 'OSV-123.yaml', - 'original_sha256': _sha256('OSV-123.yaml'), - 'deleted': 'false', - } - - with self.assertLogs(level='WARNING') as logs: - task_runner._source_update(message) - - self.assertEqual(len(logs.output), 4) - self.assertEqual( - logs.output[0], - 'ERROR:absl:Code extraction failed for OSV-123 (Unsupported ecosystem: Go). Skipping affected[0]', - ) - self.assertEqual( - logs.output[1], - 'WARNING:root:Failed to push: cannot push because a reference that you are trying to update on the remote contains commits that are not present locally.', - ) - self.assertRegex( - logs.output[2], - r'WARNING:root:Upstream hash for .*/OSV-123.yaml changed \(expected=.* vs current=.*\)', - ) - self.assertEqual( - logs.output[3], - 'WARNING:root:Discarding changes for OSV-123 due to conflicts.', - ) - - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - # Latest commit is still the user commit. 
- self.assertEqual('user@email', commit.author.email) - self.assertEqual('Another user', commit.author.name) - def test_update_pypi(self): """Test a PyPI entry.""" self.source_repo.ignore_git = False @@ -1189,17 +463,8 @@ def test_update_pypi(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update PYSEC-123', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_equal('diff_pypi', diff.patch) - self.expect_dict_equal('update_pypi', - ndb.Key(osv.Bug, 'PYSEC-123').get()._to_dict()) + MessageToDict(osv.gcs.get_by_id('PYSEC-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -1239,16 +504,8 @@ def test_normalize_pypi(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_normalized_pypi', diff.patch) - - self.expect_dict_equal( - 'normalized_pypi', - ndb.Key(osv.Bug, 'PYSEC-456').get()._to_dict(), - ) + self.expect_dict_equal('normalized_pypi', + MessageToDict(osv.gcs.get_by_id('PYSEC-456'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -1289,19 +546,8 @@ def test_update_last_affected(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update PYSEC-124', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_equal('diff_last_affected', diff.patch) - - self.expect_dict_equal( - 'update_last_affected', - ndb.Key(osv.Bug, 'PYSEC-124').get()._to_dict(), - ) + self.expect_dict_equal('update_last_affected', + MessageToDict(osv.gcs.get_by_id('PYSEC-124'))) def test_update_maven(self): """Test updating maven.""" 
@@ -1328,34 +574,22 @@ def test_update_maven(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update GHSA-838r-hvwh-24h8', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_equal('diff_maven', diff.patch) - self.expect_dict_equal( - 'update_maven', - ndb.Key(osv.Bug, 'GHSA-838r-hvwh-24h8').get()._to_dict(), - ) + 'update_maven', MessageToDict(osv.gcs.get_by_id('GHSA-838r-hvwh-24h8'))) self.mock_publish.assert_not_called() def test_update_linux(self): """Test a Linux entry.""" - self.skipTest("Prefix not supported by schema") self.source_repo.ignore_git = False self.source_repo.versions_from_repo = False self.source_repo.detect_cherrypicks = False - self.source_repo.db_prefix.append('LINUX-') + self.source_repo.db_prefix.append('GSD-') self.source_repo.put() self.mock_repo.add_file( - 'LINUX-123.yaml', - self._load_test_data(os.path.join(TEST_DATA_DIR, 'LINUX-123.yaml')), + 'GSD-123.yaml', + self._load_test_data(os.path.join(TEST_DATA_DIR, 'GSD-123.yaml')), ) self.mock_repo.commit('User', 'user@email') task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, @@ -1363,16 +597,14 @@ def test_update_linux(self): message = mock.Mock() message.attributes = { 'source': 'source', - 'path': 'LINUX-123.yaml', - 'original_sha256': _sha256('LINUX-123.yaml'), + 'path': 'GSD-123.yaml', + 'original_sha256': _sha256('GSD-123.yaml'), 'deleted': 'false', } task_runner._source_update(message) - self.expect_dict_equal( - 'update_linux', - ndb.Key(osv.Bug, 'LINUX-123').get()._to_dict(), - ) + self.expect_dict_equal('update_linux', + MessageToDict(osv.gcs.get_by_id('GSD-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
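Review bot: test_update_linux now feeds a `GSD-123.yaml` fixture under a `GSD-` prefix, but the method name, its docstring `"""Test a Linux entry."""` and the `update_linux` expectation name still describe a Linux entry, so the test no longer says what it checks. Either rename it or update the docstring, e.g. `"""Test a GSD-prefixed entry (fixture formerly LINUX-123)."""`. Removing `self.skipTest("Prefix not supported by schema")` also deserves a sentence in the commit message or a comment: it is not visible here whether the `LINUX-` prefix became supported or is simply no longer exercised. test_update_linux continues into the next hunk.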
@@ -1408,7 +640,7 @@ def test_update_bucket(self): task_runner._source_update(message) self.expect_dict_equal('update_bucket_0', - osv.Bug.get_by_id('GO-2021-0085')._to_dict()) + MessageToDict(osv.gcs.get_by_id('GO-2021-0085'))) def test_update_debian(self): """Test updating debian.""" @@ -1434,20 +666,8 @@ def test_update_debian(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update DSA-3029-1', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_debian', diff.patch) - - self.expect_dict_equal( - 'update_debian', - ndb.Key(osv.Bug, 'DSA-3029-1').get()._to_dict(), - ) + self.expect_dict_equal('update_debian', + MessageToDict(osv.gcs.get_by_id('DSA-3029-1'))) self.mock_publish.assert_not_called() @@ -1476,22 +696,8 @@ def test_update_alpine(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update CVE-2022-27449', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_alpine', diff.patch) - - self.expect_dict_equal( - 'update_alpine', - ndb.Key(osv.Bug, 'CVE-2022-27449').get()._to_dict(), - ) - - self.mock_publish.assert_not_called() + self.expect_dict_equal('update_alpine', + MessageToDict(osv.gcs.get_by_id('CVE-2022-27449'))) def test_update_android(self): """Test updating Android through bucket entries.""" 
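Review bot: test_update_alpine loses its `self.mock_publish.assert_not_called()` — the removed block contained it and the added `expect_dict_equal` lines do not restore it — while the neighbouring test_update_debian and test_update_maven hunks keep theirs. If Alpine records are still not expected to publish, add `self.mock_publish.assert_not_called()` back after the `expect_dict_equal` call; if they now do, an assertion on what gets published would be the right replacement. test_update_alpine starts outside this hunk.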
@@ -1515,7 +721,7 @@ def test_update_android(self): task_runner._source_update(message) self.expect_dict_equal('update_bucket_2', - osv.Bug.get_by_id('ASB-A-153358911')._to_dict()) + MessageToDict(osv.gcs.get_by_id('ASB-A-153358911'))) def test_update_bad_ecosystem_new(self): """Test adding from an unsupported ecosystem.""" @@ -1538,8 +744,8 @@ def test_update_bad_ecosystem_new(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - bug = osv.Bug.get_by_id('OSV-129') - self.assertEqual(osv.BugStatus.INVALID, bug.status) + self.expect_dict_equal('update_bad_ecosystem_new', + MessageToDict(osv.gcs.get_by_id('OSV-129'))) def test_update_partly_bad_ecosystem_new(self): """Test adding vuln with both supported and unsupported ecosystem.""" @@ -1562,17 +768,8 @@ def test_update_partly_bad_ecosystem_new(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-130', commit.message) - - self.expect_dict_equal( - 'update_partly_bad_ecosystem_new', - osv.Bug.get_by_id('OSV-130')._to_dict(), - ) + self.expect_dict_equal('update_partly_bad_ecosystem_new', + MessageToDict(osv.gcs.get_by_id('OSV-130'))) def test_update_partly_bad_ecosystem_delete(self): """Test removal of only supported ecosystem in vulnerability with @@ -1591,8 +788,8 @@ def test_update_partly_bad_ecosystem_delete(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - bug = osv.Bug.get_by_id('OSV-131') - self.assertEqual(osv.BugStatus.INVALID, bug.status) + self.expect_dict_equal('update_partly_bad_ecosystem_delete', + MessageToDict(osv.gcs.get_by_id('OSV-131'))) def test_update_bucket_cve(self): """Test a bucket entry that is a converted CVE and doesn't have an ecosystem.""" 
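Review bot: In test_update_bad_ecosystem_new the explicit `self.assertEqual(osv.BugStatus.INVALID, bug.status)` check becomes an opaque golden-file comparison, so the property that an unsupported-ecosystem record must not be served can no longer be read from the test itself. If the intended outcome is now that the record is withdrawn, keep one direct assertion next to the golden file, e.g. `self.assertTrue(osv.Vulnerability.get_by_id('OSV-129').is_withdrawn)`; if the outcome is something else, a one-line comment stating it would do. The same applies to test_update_partly_bad_ecosystem_delete for `OSV-131` further along this line.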
@@ -1616,9 +813,8 @@ def test_update_bucket_cve(self): } task_runner._source_update(message) - processed_result = osv.Bug.get_by_id('CVE-2016-15011') - - self.expect_dict_equal('update_bucket_cve', processed_result._to_dict()) + self.expect_dict_equal('update_bucket_cve', + MessageToDict(osv.gcs.get_by_id('CVE-2016-15011'))) def test_last_affected_git(self): """Basic last_affected GIT enumeration.""" @@ -1647,16 +843,9 @@ def test_last_affected_git(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_last_affected_git', diff.patch) - self.expect_dict_equal( 'last_affected_git', - ndb.Key(osv.Bug, 'OSV-TEST-last-affected-01').get()._to_dict(), - ) + MessageToDict(osv.gcs.get_by_id('OSV-TEST-last-affected-01'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -1671,52 +860,6 @@ def test_last_affected_git(self): [codecs.encode(commit, 'hex') for commit in affected_commits.commits], ) - def test_invalid_prefix(self): - """Test attempting to create a bug with a invalid db_prefix.""" - with self.assertRaises(ValueError): - # Default db_prefix is `OSV-` - osv.Bug( - db_id='BLAH-131', - project=['blah.com/package'], - ecosystem=['ecosystem'], - source_id='source:OSV-131.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - - def test_dont_index_too_many_git_versions(self): - """Test that we don't index too many versions from Git.""" - self.source_repo.ignore_git = False - self.source_repo.versions_from_repo = True - self.source_repo.detect_cherrypicks = True - self.source_repo.put() - - # Use any valid OSV input test file here. - self.mock_repo.add_file( - 'OSV-TEST-last-affected-01.yaml', - self._load_test_data( - os.path.join(TEST_DATA_DIR, 'OSV-TEST-last-affected-01.yaml')), - ) - self.mock_repo.commit('User', 'user@email') - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': 'OSV-TEST-last-affected-01.yaml', - 'original_sha256': _sha256('OSV-TEST-last-affected-01.yaml'), - 'deleted': 'false', - } - task_runner._source_update(message) - - bug = ndb.Key(osv.Bug, 'OSV-TEST-last-affected-01').get() - - # Manually append versions over the expected version limit. - bug.affected_packages[0].versions = ['%05d' % i for i in range(5001)] - bug.put() - self.expect_dict_equal('dont_index_too_many_git_versions', bug._to_dict()) - def test_update_clears_stale_import_finding(self): """A subsequent successful update removes the now stale import finding.""" 
@@ -1765,13 +908,52 @@ def test_ubuntu_severity(self): } task_runner._source_update(message) - bug = ndb.Key(osv.Bug, 'UBUNTU-CVE-2025-38094').get() - self.expect_dict_equal('ubuntu_severity_type', bug._to_dict()) + self.expect_dict_equal( + 'ubuntu_severity_type', + MessageToDict(osv.gcs.get_by_id('UBUNTU-CVE-2025-38094'))) + + def test_update_skip_hash_check(self): + """Test update with skip_hash_check=true.""" + task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, + None) + # Case 1: File exists, hash mismatch but skipped + message = mock.Mock() + message.attributes = { + 'source': 'source', + 'path': 'OSV-123.yaml', + 'original_sha256': 'mismatch', + 'deleted': 'false', + 'skip_hash_check': 'true', + } + + # Should not log warning about hash mismatch + with self.assertLogs(level='INFO'): # capture info to ensure no warning + task_runner._source_update(message) + + # Verify it updated (we can check GCS or just that it didn't return early) + self.expect_dict_equal('update', + MessageToDict(osv.gcs.get_by_id('OSV-123'))) + + # Case 2: File missing, skip_hash_check=true -> should delete + self.mock_repo.delete_file('OSV-123.yaml') + self.mock_repo.commit('User', 'user@email') + + message.attributes['original_sha256'] = '' # irrelevant + + task_runner._source_update(message) + + vuln = osv.Vulnerability.get_by_id('OSV-123') + self.assertTrue(vuln.is_withdrawn) + vuln_pb = osv.gcs.get_by_id('OSV-123') + self.assertTrue(vuln_pb.HasField('withdrawn')) def setUpModule(): """Set up the test module.""" print("Starting Datastore Emulator for the test suite...") + # Silence logs coming from Vanir + absl_logger = logging.getLogger('absl') + absl_logger.setLevel(logging.CRITICAL) global ds_emulator, ndb_client # Start the emulator BEFORE creating the ndb client ds_emulator = unittest.enterModuleContext(tests.datastore_emulator()) diff --git a/osv/models.py b/osv/models.py index 73f99a69442..0473bc13fa3 100644 --- a/osv/models.py +++ b/osv/models.py 
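Review bot: In test_update_skip_hash_check the comment `# Should not log warning about hash mismatch` is not what `with self.assertLogs(level='INFO'):` verifies — assertLogs passes as soon as any INFO-or-higher record is emitted, a WARNING included, so a hash-mismatch warning would not fail the test. `with self.assertNoLogs(level='WARNING'):` expresses the intent directly (Python 3.10+; the file already depends on `datetime.UTC` from 3.11). Separately, the new `absl_logger.setLevel(logging.CRITICAL)` in setUpModule silences absl ERROR records for the whole module, so `assertLogs(level='WARNING')` blocks around `_source_update` elsewhere in the file will no longer see code-extraction errors from Vanir; that may be the intent, but it is worth saying in the comment beyond `# Silence logs coming from Vanir`.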
@@ -81,7 +81,7 @@ def _check_valid_event_type(prop, value): raise ValueError('Invalid event type: ' + value) -def utcnow(): +def utcnow() -> datetime.datetime: """For mocking.""" return datetime.datetime.now(datetime.UTC) @@ -960,7 +960,6 @@ class Vulnerability(ndb.Model): # When this record was truly last modified (including e.g. aliases/upstream). modified: datetime.datetime = ndb.DateTimeProperty(tzinfo=datetime.UTC) # Whether this record has been withdrawn - # TODO(michaelkedar): I don't think this is necessary is_withdrawn: bool = ndb.BooleanProperty() # Raw fields from the original source. @@ -1140,8 +1139,6 @@ def populate_entities_from_bug(entity: Bug): include_source=True, include_alias=True, include_upstream=True) def transaction(): - to_put = [] - to_delete = [] vuln = Vulnerability.get_by_id(entity.db_id) if vuln is None: vuln = Vulnerability(id=entity.db_id) @@ -1153,23 +1150,7 @@ def transaction(): vuln.alias_raw = entity.aliases vuln.related_raw = entity.related vuln.upstream_raw = entity.upstream_raw - to_put.append(vuln) - - old_affected = AffectedVersions.query( - AffectedVersions.vuln_id == entity.db_id).fetch() - if vuln.is_withdrawn: - # We do not want the vuln to be searchable if it's been withdrawn. - to_delete.append(ndb.Key(ListedVulnerability, vuln_pb.id)) - to_delete.extend(av.key for av in old_affected) - else: - to_put.append(ListedVulnerability.from_vulnerability(vuln_pb)) - new_affected = affected_from_bug(entity) - added, removed = diff_affected_versions(old_affected, new_affected) - to_put.extend(added) - to_delete.extend(r.key for r in removed) - - ndb.put_multi(to_put) - ndb.delete_multi(to_delete) + put_entities(vuln, vuln_pb) ndb.transaction(transaction) try: 
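Review bot: Inside `transaction()`, `put_entities(vuln, vuln_pb)` now derives the AffectedVersions rows from the proto (`affected_from_proto(vuln_pb)` later in this diff) where the removed code used `affected_from_bug(entity)`; any difference between `entity.affected_packages` and `vuln_pb.affected` — for instance normalisation applied when the Bug was built — would change the rows' `sort_key()` and cause a delete/re-add churn on the next import. If the proto is guaranteed to be the exact source the Bug was built from, a one-line comment at the call site, `# vuln_pb is the source entity was built from, so the derived rows are unchanged.`, would make that equivalence explicit. `transaction()` and the enclosing `populate_entities_from_bug` start outside this hunk.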
@@ -1181,6 +1162,30 @@ def transaction(): pubsub.publish_failure(data, type='gcs_retry') +def put_entities(ds_vuln: Vulnerability, + vuln_pb: vulnerability_pb2.Vulnerability): + """Puts entities (Vulnerability, ListedVulnerability, AffectedVersions) from + a given Vulnerability entity and proto into Datastore. + + Does not write to GCS.""" + to_put = [ds_vuln] + to_delete = [] + old_affected = AffectedVersions.query( + AffectedVersions.vuln_id == vuln_pb.id).fetch() + if ds_vuln.is_withdrawn: + to_delete.append(ndb.Key(ListedVulnerability, vuln_pb.id)) + to_delete.extend(av.key for av in old_affected) + else: + to_put.append(ListedVulnerability.from_vulnerability(vuln_pb)) + new_affected = affected_from_proto(vuln_pb) + added, removed = diff_affected_versions(old_affected, new_affected) + to_put.extend(added) + to_delete.extend(r.key for r in removed) + + ndb.put_multi(to_put) + ndb.delete_multi(to_delete) + + def _get_coarse_min_max(events: list[AffectedEvent], e_helper: ecosystems.OrderedEcosystem, db_id: str) -> tuple[str, str]: @@ -1203,15 +1208,15 @@ def _get_coarse_min_max(events: list[AffectedEvent], # Coarse versioning not yet implemented for this ecosystem. pass except ValueError: - logging.warning('Invalid version in %s', db_id) + logging.warning('Invalid version in %s %s', db_id, events) coarse_min = MIN_COARSE_VERSION coarse_max = MAX_COARSE_VERSION return coarse_min, coarse_max -def _affected_versions_from_package(affected: AffectedPackage, - db_id: str) -> list[AffectedVersions]: +def _affected_versions_from_affected_proto( + affected: vulnerability_pb2.Affected, db_id: str) -> list[AffectedVersions]: """Compute AffectedVersions for a single affected package.""" affected_versions = [] pkg_ecosystem = affected.package.ecosystem 
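Review bot: `put_entities` issues `ndb.put_multi` and `ndb.delete_multi` as two separate calls with no transaction of its own, and it accepts `ds_vuln` and `vuln_pb` without requiring that they describe the same record — the withdrawn branch reads `ds_vuln.is_withdrawn` while every key is built from `vuln_pb.id`. The docstring should state both preconditions: that `ds_vuln` was built from `vuln_pb` (same id, `is_withdrawn` consistent with `vuln_pb.withdrawn`), and that callers needing atomicity must run it inside `ndb.transaction` as `populate_entities_from_bug` does, since the test helper added in this diff calls it outside one. A cheap guard at the top, `if ds_vuln.key is not None and ds_vuln.key.id() != vuln_pb.id: raise ValueError(...)`, would catch a mismatched pair early.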
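Review bot: `logging.warning('Invalid version in %s %s', db_id, events)` runs the id and the event list together with no separator and prints the `AffectedEvent` objects with their default repr; `'Invalid version in %s: %s'` reads better in logs, and logging the single event whose version failed to parse (if the surrounding loop has it in hand) would be more useful than the whole list. `_get_coarse_min_max` starts outside this hunk.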
@@ -1232,16 +1237,27 @@ def _affected_versions_from_package(affected: AffectedPackage, repo_url = '' pkg_has_affected = False for r in affected.ranges: - if r.type == 'GIT': + if r.type == vulnerability_pb2.Range.Type.GIT: if not repo_url: - repo_url = r.repo_url + repo_url = r.repo continue - if r.type not in ('SEMVER', 'ECOSYSTEM'): - logging.warning('Unknown range type "%s" in %s', r.type, db_id) + if r.type not in (vulnerability_pb2.Range.Type.SEMVER, + vulnerability_pb2.Range.Type.ECOSYSTEM): + logging.warning('Unknown range type "%d" in %s', r.type, db_id) continue - events = r.events - if not events: + if not r.events: continue + events = [] + for e in r.events: + if e.introduced: + events.append(AffectedEvent(type='introduced', value=e.introduced)) + elif e.fixed: + events.append(AffectedEvent(type='fixed', value=e.fixed)) + elif e.limit: + events.append(AffectedEvent(type='limit', value=e.limit)) + elif e.last_affected: + events.append( + AffectedEvent(type='last_affected', value=e.last_affected)) pkg_has_affected = True coarse_min = MIN_COARSE_VERSION coarse_max = MAX_COARSE_VERSION @@ -1285,7 +1301,7 @@ def _affected_versions_from_package(affected: AffectedPackage, vuln_id=db_id, ecosystem=e, name=pkg_name, - versions=affected.versions, + versions=list(affected.versions), coarse_min=coarse_min, coarse_max=coarse_max, )) 
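Review bot: `logging.warning('Unknown range type "%d" in %s', r.type, db_id)` now logs the enum's integer value, which is less informative than the string the old code printed; `vulnerability_pb2.Range.Type.Name(r.type)` with a `"%s"` placeholder gives the symbolic name. The new event-conversion loop also silently drops an event that has none of `introduced`/`fixed`/`limit`/`last_affected` set (or only empty strings), where a `logging.warning` naming `db_id` would match how unknown range types are handled two lines above. `_affected_versions_from_affected_proto` starts and ends outside this hunk.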
@@ -1313,18 +1329,19 @@ def _affected_versions_from_package(affected: AffectedPackage, vuln_id=db_id, ecosystem='GIT', name=normalize_repo_package(repo_url), - versions=affected.versions, + versions=list(affected.versions), )) return affected_versions -def affected_from_bug(entity: Bug) -> list[AffectedVersions]: - """Compute the AffectedVersions from a Bug entity.""" +def affected_from_proto( + vuln_pb: vulnerability_pb2.Vulnerability) -> list[AffectedVersions]: + """Compute the AffectedVersions from a Vulnerability proto.""" affected_versions = [] - for affected in entity.affected_packages: + for affected in vuln_pb.affected: affected_versions.extend( - _affected_versions_from_package(affected, entity.db_id)) + _affected_versions_from_affected_proto(affected, vuln_pb.id)) # Deduplicate and sort the affected_versions unique_affected_dict = {av.sort_key(): av for av in affected_versions} diff --git a/osv/sources.py b/osv/sources.py index f6fe6e98156..8dde830fac1 100644 --- a/osv/sources.py +++ b/osv/sources.py @@ -90,7 +90,7 @@ def remove_implicit_resolver(cls, tag_to_remove): NoDatesSafeLoader.remove_implicit_resolver('tag:yaml.org,2002:timestamp') -def _parse_vulnerability_dict(path): +def _parse_vulnerability_dict(path: str) -> dict: """Parse a vulnerability file into a dict.""" with open(path) as f: ext = os.path.splitext(path)[1] @@ -106,7 +106,7 @@ def _parse_vulnerability_dict(path): @cache.cached(shared_cache) -def load_schema(): +def load_schema() -> dict: path = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'osv-schema', 'validation', 'schema.json') 
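Review bot: The new `-> dict` return annotation on `_parse_vulnerability_dict` does not match its use: `parse_vulnerabilities` later in this diff passes the result straight to `_parse_vulnerabilities(data: dict | list[dict], ...)`, whose `isinstance(data, list)` branch exists precisely because a file may hold a list. `-> dict | list[dict]` would be accurate. The `with open(path) as f:` line it annotates still reads with the platform default encoding; `open(path, encoding='utf-8')` would make parsing independent of the locale, though that predates this commit.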
@@ -115,13 +115,18 @@ def load_schema(): return json.loads(text) -def parse_vulnerability(path, key_path=None, strict=False): +def parse_vulnerability(path: str, + key_path=None, + strict=False) -> vulnerability_pb2.Vulnerability: """Parse vulnerability YAML/JSON.""" data = _parse_vulnerability_dict(path) return parse_vulnerability_from_dict(data, key_path, strict) -def _parse_vulnerabilities(data, key_path, strict=False): +def _parse_vulnerabilities( + data: dict | list[dict], + key_path, + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse multiple vulnerabilities.""" if isinstance(data, list): return [parse_vulnerability_from_dict(v, key_path, strict) for v in data] @@ -129,16 +134,20 @@ def _parse_vulnerabilities(data, key_path, strict=False): return [parse_vulnerability_from_dict(data, key_path, strict)] -def parse_vulnerabilities(path, key_path=None, strict=False): +def parse_vulnerabilities( + path: str, + key_path=None, + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse vulnerabilities (potentially multiple in a list).""" return _parse_vulnerabilities( _parse_vulnerability_dict(path), key_path, strict) -def parse_vulnerabilities_from_data(data_text, - extension, - key_path=None, - strict=False): +def parse_vulnerabilities_from_data( + data_text: str | bytes, + extension: str, + key_path=None, + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse vulnerabilities from data.""" if extension in YAML_EXTENSIONS: data = yaml.load(data_text, Loader=NoDatesSafeLoader) @@ -150,7 +159,7 @@ def parse_vulnerabilities_from_data(data_text, return _parse_vulnerabilities(data, key_path, strict) -def _get_nested_vulnerability(data, key_path=None): +def _get_nested_vulnerability(data: dict, key_path=None) -> dict: """Get nested vulnerability.""" if key_path: try: 
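Review bot: The annotations added to `parse_vulnerability` stop halfway: `path` and the return type are typed while `key_path=None` and `strict=False` stay bare, and the same half-typed signature repeats in `_parse_vulnerabilities`, `parse_vulnerabilities`, `parse_vulnerabilities_from_data`, `_get_nested_vulnerability` and `parse_vulnerability_from_dict`. `strict: bool = False` is safe to add in every one of them; `key_path`'s type is not visible in these hunks and should be taken from how `_get_nested_vulnerability` indexes with it (`key_path: str | None = None` if it is a single key). A minor style point in `parse_vulnerability_from_dict`: its `) -> vulnerability_pb2.Vulnerability:` sits on a line of its own, unlike the other signatures in this commit, which close on the last parameter line.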
@@ -162,7 +171,10 @@ def _get_nested_vulnerability(data, key_path=None): return data -def parse_vulnerability_from_dict(data, key_path=None, strict=False): +def parse_vulnerability_from_dict(data: dict, + key_path=None, + strict=False + ) -> vulnerability_pb2.Vulnerability: """Parse vulnerability from dict.""" data = _get_nested_vulnerability(data, key_path) try: @@ -195,7 +207,8 @@ class YamlDumper(yaml.SafeDumper): YamlDumper.add_representer(str, _yaml_str_representer) -def vulnerability_to_dict(vulnerability): +def vulnerability_to_dict( + vulnerability: vulnerability_pb2.Vulnerability) -> dict: """Convert Vulnerability to a dict.""" result = json_format.MessageToDict( vulnerability, preserving_proto_field_name=True) @@ -215,7 +228,7 @@ def vulnerability_to_dict(vulnerability): return result -def _write_vulnerability_dict(data, output_path, +def _write_vulnerability_dict(data: dict, output_path: str, modified_date_timestamp: float): """Write a vulnerability dict to disk.""" with open(output_path, 'w') as f: @@ -231,7 +244,7 @@ def _write_vulnerability_dict(data, output_path, def write_vulnerability(vulnerability: vulnerability_pb2.Vulnerability, - output_path, + output_path: str, key_path=None): """Update a vulnerability file on disk.""" if os.path.exists(output_path): diff --git a/tools/datafix/list_ids_for_source.py b/tools/datafix/list_ids_for_source.py index 009640b943e..eeb321b8403 100755 --- a/tools/datafix/list_ids_for_source.py +++ b/tools/datafix/list_ids_for_source.py 
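Review bot: `_write_vulnerability_dict` opens its output with `open(output_path, 'w')` and no `encoding=`, so the record is written in the host locale's default encoding and a vulnerability containing non-ASCII text would be encoded differently, or fail, depending on the machine running the worker. `with open(output_path, 'w', encoding='utf-8') as f:` pins the encoding, and the read side in `_parse_vulnerability_dict` should be pinned the same way so the two halves agree. The function body continues outside the hunk.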
@@ -45,25 +45,27 @@ def main() -> None: ds_client = datastore.Client(project=args.project) - query = ds_client.query(kind="Bug") - query.add_filter(filter=PropertyFilter("source", "=", args.source_id)) - query.add_filter(filter=PropertyFilter("status", "=", 1)) + query = ds_client.query(kind="Vulnerability") + query.add_filter( + filter=PropertyFilter("source_id", ">", args.source_id + ':')) + query.add_filter( + filter=PropertyFilter("source_id", "<", args.source_id + ';')) print(f"Running query {query.filters} " f"on {query.kind} (in {query.project})...") result = list(query.fetch()) - print(f"Retrieved {len(result)} bugs") + print(f"Retrieved {len(result)} vulnerabilities") - bugs = [] + vulnerabilities = [] # Chunk the results to modify in acceptibly sized batches for the API. for batch in range(0, len(result), MAX_BATCH_SIZE): - for bug in result[batch:batch + MAX_BATCH_SIZE]: - print(f"{bug['db_id']}") - bugs.append(bug['db_id']) + for vuln in result[batch:batch + MAX_BATCH_SIZE]: + print(f"{vuln.key.name}") + vulnerabilities.append(vuln.key.name) if args.txt: - with open('bug_ids.txt', 'w') as f: - for bug in bugs: - f.write(f'{bug}\n') + with open('vuln_ids.txt', 'w') as f: + for vuln in vulnerabilities: + f.write(f'{vuln}\n') if __name__ == "__main__": diff --git a/tools/datafix/old/README.md b/tools/datafix/old/README.md new file mode 100644 index 00000000000..2939ad91fc6 --- /dev/null +++ b/tools/datafix/old/README.md @@ -0,0 +1,5 @@ +The scripts in this folder all operate on the old Bug data model. + +OSV.dev has moved away from using Bugs as the source of truth for vulnerabilities, so these scripts are no longer useful, or will need to be rewritten. + +They are retained for historical/documentational purposes. diff --git a/tools/datafix/delete_bugs.py b/tools/datafix/old/delete_bugs.py similarity index 100% rename from tools/datafix/delete_bugs.py rename to tools/datafix/old/delete_bugs.py 
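Review bot: The rewritten query drops the old `status == 1` filter with no replacement, so if the `Vulnerability` kind carries an equivalent state field, records the old script deliberately excluded are now listed; if the new model has no such field, a comment saying so would stop the next reader from re-adding it, otherwise the filter should come back. The bounds `args.source_id + ':'` and `args.source_id + ';'` form a prefix scan that only works because `';'` is the code point after `':'`; a one-line comment such as `# ';' follows ':' in ASCII, so this selects every source_id prefixed '<source>:'` would save the check, and the identical idiom in `request_worker_update_record.py` (`osv.Vulnerability.source_id > args.source + ':'`) deserves the same comment or a shared helper. The lower bound is strict, so an entity whose `source_id` is exactly `<source>:` would be excluded; presumably none exist. `main` starts outside the hunk.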
diff --git a/tools/datafix/delete_invalid.py b/tools/datafix/old/delete_invalid.py similarity index 100% rename from tools/datafix/delete_invalid.py rename to tools/datafix/old/delete_invalid.py diff --git a/tools/datafix/reput_all.py b/tools/datafix/old/reput_all.py similarity index 100% rename from tools/datafix/reput_all.py rename to tools/datafix/old/reput_all.py diff --git a/tools/datafix/reput_bugs.py b/tools/datafix/old/reput_bugs.py similarity index 100% rename from tools/datafix/reput_bugs.py rename to tools/datafix/old/reput_bugs.py diff --git a/tools/datafix/reput_helper.py b/tools/datafix/old/reput_helper.py similarity index 100% rename from tools/datafix/reput_helper.py rename to tools/datafix/old/reput_helper.py diff --git a/tools/datafix/withdraw_invalid.py b/tools/datafix/old/withdraw_invalid.py similarity index 100% rename from tools/datafix/withdraw_invalid.py rename to tools/datafix/old/withdraw_invalid.py diff --git a/tools/datafix/reimport_gcs_record.py b/tools/datafix/reimport_gcs_record.py index 41270fc23d7..a53e5abdbd0 100755 --- a/tools/datafix/reimport_gcs_record.py +++ b/tools/datafix/reimport_gcs_record.py @@ -6,9 +6,9 @@ * the creation time of the GCS object is newer than the last_update_date for the data source in SourceRepository in Cloud Datastore * either of: - * the vulnerability does not exist in Bug in Cloud Datastore at all, or - * the Modified field of the record differs from the existing Bug's - import_last_modified in Cloud Datastore. + * the vulnerability does not exist in Vulnerability in Datastore at all, or + * the Modified field of the record differs from the existing Vulnerability's + modified_raw in Cloud Datastore. This defaults to running in dry-run mode against the staging instance. It supports an arbitrary number of vulnerability IDs on the command line. @@ -21,6 +21,7 @@ from google.cloud.datastore.query import PropertyFilter import argparse +from datetime import datetime, timezone import os import functools 
@@ -31,13 +32,13 @@ class UnexpectedSituation(Exception): pass -def objname_for_bug(client: datastore.Client, bug: datastore.entity.Entity, - forced_bucket_name: str) -> dict: - """Returns the GCS object details for a given Bug. +def objname_for_vuln(client: datastore.Client, vuln: datastore.entity.Entity, + forced_bucket_name: str) -> dict: + """Returns the GCS object details for a given Vulnerability. Args: client: an initialized Cloud Datastore client. - bug: a Bug Cloud Datastore entity. + vuln: a Vulnerability Cloud Datastore entity. forced_bucket_name: bucket name (with optional colon-separated path) to forcibly use. @@ -45,7 +46,7 @@ def objname_for_bug(client: datastore.Client, bug: datastore.entity.Entity, A dict with keys for the GCS uri, the bucket name and path within the bucket. """ - source_object_path = bug["source_id"].split(":")[1] + source, _, source_object_path = vuln["source_id"].partition(":") if forced_bucket_name: (bucket, _, bucketpath) = forced_bucket_name.partition(":") @@ -61,7 +62,7 @@ def objname_for_bug(client: datastore.Client, bug: datastore.entity.Entity, os.path.join(bucketpath, os.path.basename(source_object_path)) } - bucket = bucket_for_source(client, bug["source"]) + bucket = bucket_for_source(client, source) return { "uri": "gs://" + os.path.join(bucket, source_object_path), "bucket": bucket, @@ -133,10 +134,10 @@ def main() -> None: parser = argparse.ArgumentParser( description="Trigger the reimport of individual GCS-sourced records") parser.add_argument( - "bugs", + "vulns", action="append", nargs="+", - help=f"The bug IDs to operate on ({MAX_QUERY_SIZE} at most)") + help=f"The vuln IDs to operate on ({MAX_QUERY_SIZE} at most)") parser.add_argument( "--dry-run", action=argparse.BooleanOptionalAction, 
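Review bot: `partition(":")` makes the missing-separator case silent: when `vuln["source_id"]` contains no `:`, `source` is the whole string and `source_object_path` is `''`, so the function goes on to build a GCS URI that ends in the bucket name instead of failing as the old `split(":")[1]` did with an IndexError. The file already defines `UnexpectedSituation` for inputs like this and the caller in `main` catches it and skips the record, so add `if not source_object_path: raise UnexpectedSituation(f"source_id {vuln['source_id']!r} has no object path")` directly after the partition. `objname_for_vuln` continues outside the hunk.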
@@ -170,46 +171,43 @@ def main() -> None: "for the object in GCS (e.g. `cve-osv-conversion:osv-output`)")) args = parser.parse_args() - if len(args.bugs[0]) > MAX_QUERY_SIZE: - parser.error(f"Only {MAX_QUERY_SIZE} bugs can be supplied. " + if len(args.vulns[0]) > MAX_QUERY_SIZE: + parser.error(f"Only {MAX_QUERY_SIZE} vulns can be supplied. " f"Try running with xargs -n {MAX_QUERY_SIZE}") ds_client = datastore.Client(project=args.project) url_base = url_for_project(args.project) - query = ds_client.query(kind="Bug") - query.add_filter(filter=PropertyFilter("db_id", "IN", args.bugs[0])) - print(f"Running query {query.filters[0]} " - f"on {query.kind} (in {query.project})...") - result = list(query.fetch()) - print(f"Retrieved {len(result)} bugs to validate for operating on") - result_to_fix = [r for r in result if r['source_of_truth'] == 2] - print(f"There are {len(result_to_fix)} bugs to operate on...") + print("Running fetch") + result = ds_client.get_multi( + [ds_client.key('Vulnerability', vuln_id) for vuln_id in args.vulns[0]]) + print(f"Retrieved {len(result)} vulns to operate on...") try: with ds_client.transaction() as xact: - for bug in result_to_fix: + for vuln in result: try: - bug_in_gcs = objname_for_bug( - ds_client, bug, forced_bucket_name=args.bucket) + vuln_in_gcs = objname_for_vuln( + ds_client, vuln, forced_bucket_name=args.bucket) except UnexpectedSituation as e: if args.verbose: - print(f"Skipping {bug['db_id']}, got {e}\n") + print(f"Skipping {vuln.key.name}, got {e}\n") continue if args.verbose: - print(f"Resetting modification time for {bug_in_gcs['uri']}") + print(f"Resetting modification time for {vuln_in_gcs['uri']}") if not args.dryrun: try: - reset_object_modification(bug_in_gcs["bucket"], bug_in_gcs["path"]) + reset_object_modification(vuln_in_gcs["bucket"], + vuln_in_gcs["path"]) except NotFound as e: if args.verbose: print(f"Skipping, got {e}\n") continue - bug["import_last_modified"] = None + vuln["modified_raw"] = 
datetime.fromtimestamp(0, timezone.utc) if args.verbose: - print(f"Resetting import_last_modified for {bug['db_id']}") - print(f"Review at {url_base}{bug['db_id']} when reimport completes.") - xact.put(bug) + print(f"Resetting modified_raw for {vuln.key.name}") + print(f"Review at {url_base}{vuln.key.name} when reimport completes.") + xact.put(vuln) if args.dryrun: raise Exception("Dry run mode. Preventing transaction from commiting") # pylint: disable=broad-exception-raised except Exception as e: diff --git a/tools/datafix/request_worker_update_record.py b/tools/datafix/request_worker_update_record.py index 967847d00e8..b469331b4c1 100755 --- a/tools/datafix/request_worker_update_record.py +++ b/tools/datafix/request_worker_update_record.py @@ -79,7 +79,7 @@ def request_url_update(record_url, project_id, source, path, timeout, if not allow_delete or e.response.status_code != 404: print(e) return - print(f'Bug was deleted: {record_url}') + print(f'Vulnerability was deleted: {record_url}') deleted = True publish_update_message(project_id, PUBSUB_TOPIC_ID, source, path, @@ -101,12 +101,12 @@ def main(): "--allow-delete", action="store_true", default=False, - help="Delete bugs if not found in source (GIT only)") + help="Delete vulns if not found in source (GIT only)") parser.add_argument( - "bugs", + "vulns", action="append", nargs="*", - help="The bug IDs to operate on. If not specified, all bugs from the " + help="The vuln IDs to operate on. If not specified, all vulns from the " "source will be processed.") args = parser.parse_args() 
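Review bot: `get_multi` returns only the entities it finds, so a requested ID that does not exist in `Vulnerability` vanishes from `result` with no message, and the old "retrieved N bugs to validate" / "N bugs to operate on" pair that exposed the requested-versus-acted-on gap is gone. Computing it explicitly, e.g. `missing = set(args.vulns[0]) - {v.key.name for v in result}` followed by `if missing: print(f"Not found: {sorted(missing)}")`, gives the operator that feedback before the transaction starts. Separately, the removed `source_of_truth == 2` filter limited the reset to one class of record, whereas the new loop resets every entity fetched; if the Vulnerability model has no equivalent distinction that is worth a comment, otherwise the filter should be reinstated. `main` starts outside the hunk.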
@@ -118,32 +118,34 @@ def main(): if not source_repo: raise ValueError(f"Source repository '{args.source}' not found.") - bugs_to_process = [] - if args.bugs and args.bugs[0]: - bugs_to_process = args.bugs[0] + vulns_to_process = [] + if args.vulns and args.vulns[0]: + vulns_to_process = args.vulns[0] else: - print( - f'No bug IDs provided. Querying all bugs for source {args.source}...') - query = osv.Bug.query(osv.Bug.source == args.source) - bugs_to_process = [b.id() for b in query.iter(keys_only=True)] - print(f'Found {len(bugs_to_process)} bugs to update.') + print('No vuln IDs provided. ' + 'Querying all vulns for source {args.source}...') + query = osv.Vulnerability.query( + osv.Vulnerability.source_id > args.source + ':', + osv.Vulnerability.source_id < (args.source + ';')) + vulns_to_process = [b.id() for b in query.iter(keys_only=True)] + print(f'Found {len(vulns_to_process)} bugs to update.') confirm = input('Are you sure you want to proceed? (y/N) ') if confirm.lower() not in ('y', 'yes'): print('Aborting.') return if source_repo.type == osv.SourceRepositoryType.REST_ENDPOINT: - for bug in bugs_to_process: - record_url = f'{source_repo.link}{bug}{source_repo.extension}' - path = f'{bug}{source_repo.extension}' + for vuln in vulns_to_process: + record_url = f'{source_repo.link}{vuln}{source_repo.extension}' + path = f'{vuln}{source_repo.extension}' request_url_update(record_url, args.project_id, args.source, path, args.timeout, False) if source_repo.type == osv.SourceRepositoryType.GIT: - for bug in bugs_to_process: - entity = osv.Bug.get_by_id(bug) + for vuln in vulns_to_process: + entity = osv.Vulnerability.get_by_id(vuln) if not entity: - print(f'Warning: {bug} does not exist in Datastore, skipping.') + print(f'Warning: {vuln} does not exist in Datastore, skipping.') continue path = entity.source_id.split(':')[1]
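Review bot: The second literal in the new `print('No vuln IDs provided. ' 'Querying all vulns for source {args.source}...')` has lost its `f` prefix, so the text `{args.source}` is printed verbatim instead of the source name. Write it as `print(f'No vuln IDs provided. ' f'Querying all vulns for source {args.source}...')`. Two lines later `print(f'Found {len(vulns_to_process)} bugs to update.')` still says "bugs" after the rename, and the prefix-scan bounds `> args.source + ':'` / `< (args.source + ';')` rely on `';'` following `':'` in ASCII, which merits a one-line comment or a helper shared with `list_ids_for_source.py`. `main` starts outside the hunk.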