From c0be2015ca2f39d3e4dd8c50bc97cba2c9c179ee Mon Sep 17 00:00:00 2001 
From: Michael Kedar Date: Thu, 22 Jan 2026 14:26:57 +1100 Subject: [PATCH 1/6] de-bugging --- gcp/workers/mock_test/rest_test.json | 254 - gcp/workers/oss_fuzz_worker/testdata | 1 - .../testdata/CVE-2022-27449.json | 138 + .../oss_fuzz_worker/testdata/DSA-3029-1.json | 37 + .../testdata/GHSA-838r-hvwh-24h8.json | 61 + .../oss_fuzz_worker/testdata/GSD-123.yaml | 19 + .../testdata/ImpactTest_basic.txt | 64 + .../ImpactTest_fixed_range_too_long.txt | 62 + .../testdata/ImpactTest_not_fixed.txt | 62 + .../testdata/ImpactTest_range.txt | 62 + .../testdata/ImpactTest_simplify_range.txt | 64 + .../ImpactTest_zero_regression_range.txt | 60 + .../testdata/LINUX-123.yaml | 0 .../oss_fuzz_worker/testdata/OSV-123.yaml | 30 + .../oss_fuzz_worker/testdata/OSV-124.yaml | 20 + .../oss_fuzz_worker/testdata/OSV-125.yaml | 28 + .../oss_fuzz_worker/testdata/OSV-126.yaml | 21 + .../oss_fuzz_worker/testdata/OSV-127.yaml | 21 + .../oss_fuzz_worker/testdata/OSV-128.yaml | 25 + .../oss_fuzz_worker/testdata/OSV-129.yaml | 21 + .../oss_fuzz_worker/testdata/OSV-130.yaml | 35 + .../oss_fuzz_worker/testdata/OSV-131.yaml | 21 + .../testdata/OSV-TEST-last-affected-01.yaml | 16 + .../oss_fuzz_worker/testdata/PYSEC-123.yaml | 23 + .../oss_fuzz_worker/testdata/PYSEC-124.yaml | 18 + .../oss_fuzz_worker/testdata/PYSEC-456.yaml | 23 + .../RESTUpdateTest_update_no_introduced.txt | 427 ++ .../testdata/UBUNTU-CVE-2025-38094.json | 262 + .../UpdateTest_analysis_crash_handling.txt | 170 + .../testdata/UpdateTest_diff_alpine.txt | 616 ++ .../testdata/UpdateTest_diff_debian.txt | 64 + .../UpdateTest_diff_last_affected.txt | 78 + .../UpdateTest_diff_last_affected_git.txt | 35 + .../testdata/UpdateTest_diff_maven.txt | 110 + .../UpdateTest_diff_normalized_pypi.txt | 29 + .../testdata/UpdateTest_diff_pypi.txt | 85 + .../testdata/UpdateTest_diff_update.txt | 61 + .../UpdateTest_diff_update_add_fix.txt | 43 + .../testdata/UpdateTest_diff_update_limit.txt | 55 + .../UpdateTest_diff_update_no_introduced.txt | 45 + 
...eTest_dont_index_too_many_git_versions.txt | 5067 +++++++++++++++++ .../testdata/UpdateTest_last_affected_git.txt | 66 + .../testdata/UpdateTest_normalized_pypi.txt | 63 + ...pdateTest_normalized_pypi_pubsub_calls.txt | 1 + .../testdata/UpdateTest_pypi_pubsub_calls.txt | 1 + .../UpdateTest_ubuntu_severity_type.txt | 437 ++ .../testdata/UpdateTest_update.txt | 70 + .../testdata/UpdateTest_update_add_fix.txt | 67 + .../testdata/UpdateTest_update_alpine.txt | 689 +++ .../UpdateTest_update_bad_ecosystem_new.txt | 7 + .../testdata/UpdateTest_update_bucket_0.txt | 104 + .../testdata/UpdateTest_update_bucket_1.txt | 50 + .../testdata/UpdateTest_update_bucket_2.txt | 63 + .../testdata/UpdateTest_update_bucket_cve.txt | 152 + .../testdata/UpdateTest_update_debian.txt | 95 + .../UpdateTest_update_last_affected.txt | 129 + .../testdata/UpdateTest_update_limit.txt | 79 + .../testdata/UpdateTest_update_linux.txt | 52 + .../testdata/UpdateTest_update_maven.txt | 100 + .../testdata/UpdateTest_update_new.txt | 67 + .../UpdateTest_update_no_introduced.txt | 67 + ...est_update_partly_bad_ecosystem_delete.txt | 7 + ...teTest_update_partly_bad_ecosystem_new.txt | 65 + .../testdata/UpdateTest_update_pypi.txt | 143 + gcp/workers/worker/testdata/GSD-123.yaml | 19 + .../RESTUpdateTest_update_no_introduced.txt | 592 +- .../testdata/UpdateTest_last_affected_git.txt | 76 +- .../testdata/UpdateTest_normalized_pypi.txt | 78 +- ...pdateTest_normalized_pypi_pubsub_calls.txt | 2 +- .../testdata/UpdateTest_pypi_pubsub_calls.txt | 2 +- .../UpdateTest_ubuntu_severity_type.txt | 640 +-- .../worker/testdata/UpdateTest_update.txt | 89 +- .../testdata/UpdateTest_update_alpine.txt | 1195 ++-- .../UpdateTest_update_bad_ecosystem_new.txt | 7 + .../testdata/UpdateTest_update_bucket_0.txt | 131 +- .../testdata/UpdateTest_update_bucket_2.txt | 76 +- .../testdata/UpdateTest_update_bucket_cve.txt | 242 +- .../testdata/UpdateTest_update_debian.txt | 83 +- .../UpdateTest_update_last_affected.txt | 182 +- 
.../testdata/UpdateTest_update_limit.txt | 103 +- .../testdata/UpdateTest_update_linux.txt | 62 +- .../testdata/UpdateTest_update_maven.txt | 114 +- .../worker/testdata/UpdateTest_update_new.txt | 84 +- .../UpdateTest_update_no_introduced.txt | 84 +- ...est_update_partly_bad_ecosystem_delete.txt | 7 + ...teTest_update_partly_bad_ecosystem_new.txt | 81 +- .../testdata/UpdateTest_update_pypi.txt | 199 +- gcp/workers/worker/worker.py | 301 +- gcp/workers/worker/worker_test.py | 1057 +--- osv/models.py | 78 +- osv/sources.py | 26 +- 91 files changed, 12383 insertions(+), 4134 deletions(-) delete mode 120000 gcp/workers/oss_fuzz_worker/testdata create mode 100644 gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json create mode 100644 gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json create mode 100644 gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json create mode 100644 gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt rename gcp/workers/{worker => oss_fuzz_worker}/testdata/LINUX-123.yaml (100%) create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml create mode 100644 
gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml create mode 100644 gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt create mode 100644 
gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt create mode 100644 gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt create mode 100644 gcp/workers/worker/testdata/GSD-123.yaml 
create mode 100644 gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt
create mode 100644 gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt
diff --git a/gcp/workers/mock_test/rest_test.json b/gcp/workers/mock_test/rest_test.json
index ed751f8290e..a01a19febbd 100644
--- a/gcp/workers/mock_test/rest_test.json
+++ b/gcp/workers/mock_test/rest_test.json
@@ -3384,259 +3384,5 @@ } ], "details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the subsequent\n`POST` request.\n\nThe problem exists in the logic for a reused handle when it is changed from a\nPUT to a POST." - }, -{ - "schema_version": "1.6.7", - "id": "RHSA-2018:3140", - "related": [ - "CVE-2015-9381", - "CVE-2015-9382", - "CVE-2017-2862", - "CVE-2017-18267", - "CVE-2018-4121", - "CVE-2018-4200", - "CVE-2018-4204", - "CVE-2018-10733", - "CVE-2018-10767", - "CVE-2018-10768", - "CVE-2018-11712", - "CVE-2018-11713", - "CVE-2018-12910", - "CVE-2018-13988", - "CVE-2018-14036" - ], - "published": "2024-09-16T01:35:05Z", - "modified": "2024-09-16T01:35:05Z", - "summary": "Red Hat Security Advisory: GNOME security, bug fix, and enhancement update", - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "affected": [ - { - "package": { - "name": "PackageKit", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-command-not-found", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-command-not-found" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-cron", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-cron" - }, - 
"ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-debuginfo", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-debuginfo" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-glib", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-glib" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-glib-devel", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-glib-devel" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-gstreamer-plugin", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-gstreamer-plugin" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-gtk3-module", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-gtk3-module" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-yum", - "ecosystem": "Red Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-yum" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - }, - { - "package": { - "name": "PackageKit-yum-plugin", - "ecosystem": "Red 
Hat:enterprise_linux:7::client", - "purl": "pkg:rpm/redhat/PackageKit-yum-plugin" - }, - "ranges": [ - { - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0:1.1.10-1.el7" - } - ], - "type": "ECOSYSTEM" - } - ] - } - ], - "references": [ - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13988" - }, - { - "type": "REPORT", - "url": "https://access.redhat.com/security/cve/CVE-2018-14036" - }, - { - "type": "REPORT", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601019" - }, - { - "type": "ADVISORY", - "url": "https://www.cve.org/CVERecord?id=CVE-2018-14036" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14036" } - ] -} ]
diff --git a/gcp/workers/oss_fuzz_worker/testdata b/gcp/workers/oss_fuzz_worker/testdata
deleted file mode 120000
index ded9b9ecca7..00000000000
--- a/gcp/workers/oss_fuzz_worker/testdata
+++ /dev/null
@@ -1 +0,0 @@
-../worker/testdata/
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json b/gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json
new file mode 100644
index 00000000000..3fc80cd9564
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/CVE-2022-27449.json
@@ -0,0 +1,138 @@ +{ + "id": "CVE-2022-27449", + "details": "MariaDB Server v10.9 and below was discovered to contain a segmentation fault via the component sql/item_func.cc:148.", + "affected": [ + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.12", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.4.25-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.13", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.5.16-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.14", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.5.16-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.15", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.6.8-r0" + } + ] + } + ] + }, + { + "package": { + "name": "mariadb", + "ecosystem": "Alpine:v3.16", + "purl": "pkg:alpine/mariadb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "10.6.8-r0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "EVIDENCE", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "REPORT", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "FIX", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "WEB", + "url": "https://jira.mariadb.org/browse/MDEV-28089" + }, + { + "type": "ADVISORY", + "url": "https://security.netapp.com/advisory/ntap-20220526-0006/" + }, + { + "type": "ARTICLE", + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + }, + { + "type": "WEB", + "url": 
"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + } + ], + "modified": "2022-10-07T18:59:00Z", + "published": "2022-04-14T13:15:00Z" +}
diff --git a/gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json b/gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json
new file mode 100644
index 00000000000..1b732107b57
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/DSA-3029-1.json
@@ -0,0 +1,37 @@
+{
+ "id": "DSA-3029-1",
+ "summary": "nginx - security update",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Debian:7",
+ "name": "nginx"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.2.1-2.2+wheezy3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "aliases": [
+ "CVE-2014-3616"
+ ],
+ "published": "2014-09-20T00:00:00Z",
+ "modified": "2014-09-20T08:18:07Z",
+ "details": "\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was\npossible to reuse cached SSL sessions in unrelated contexts, allowing\nvirtual host confusion attacks in some configurations by an attacker in\na privileged network position.\n\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.2.1-2.2+wheezy3.\n\n\nFor the testing distribution (jessie), this problem has been fixed in\nversion 1.6.2-1.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.6.2-1.\n\n\nWe recommend that you upgrade your nginx packages.\n\n\n",
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://www.debian.org/security/2014/dsa-3029"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json b/gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json
new file mode 100644
index 00000000000..13e8570e573
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/GHSA-838r-hvwh-24h8.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-838r-hvwh-24h8",
+ "modified": "2021-09-24T13:10:05Z",
+ "published": "2021-09-13T20:06:31Z",
+ "aliases": [
+ "CVE-2021-38555"
+ ],
+ "summary": "XML Injection in Any23",
+ "details": "An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.any23:apache-any23"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.5"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38555"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/apache/any23"
+ },
+ {
+ "type": "WEB",
+ "url": "https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-611"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2021-09-13T19:31:01Z",
+ "nvd_published_at": "2021-09-11T11:15:00Z"
+ }
+}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml
new file mode 100644
index 00000000000..ae7ed14ddec
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/GSD-123.yaml
@@ -0,0 +1,19 @@
+id: GSD-123
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: Kernel
+ ecosystem: Linux
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt
new file mode 100644
index 00000000000..709e2d6633b
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_basic.txt
@@ -0,0 +1,64 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt
new file mode 100644
index 00000000000..c6d4f3f9a6b
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_fixed_range_too_long.txt
@@ -0,0 +1,62 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2', '1'], + 'affected_packages': [ { 'database_specific': { 'fixed_range': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:b587c21c36a84e16cfc6b39eb68578d43b5281ad'}, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': 'b587c21c36a84e16cfc6b39eb68578d43b5281ad'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch-v0.1.1-with-fix', + 'branch_1_cherrypick_regress', + 'v0.1.1', + 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:b587c21c36a84e16cfc6b39eb68578d43b5281ad', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end 
of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt
new file mode 100644
index 00000000000..e40014229ae
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_not_fixed.txt
@@ -0,0 +1,62 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch-v0.1.1-with-fix', + 'branch_1_cherrypick_regress', + 'v0.1.1', + 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': False, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt
new file mode 100644
index 00000000000..301b29f89b8
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_range.txt
@@ -0,0 +1,62 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2', '1'], + 'affected_packages': [ { 'database_specific': { 'fixed_range': 'b1c95a196f22d06fcf80df8c6691cd113d8fefff:36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2'}, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch-v0.1.1-with-fix', + 'branch_1_cherrypick_regress', + 'v0.1.1', + 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': 'b1c95a196f22d06fcf80df8c6691cd113d8fefff:36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end 
of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt
new file mode 100644
index 00000000000..709e2d6633b
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_simplify_range.txt
@@ -0,0 +1,64 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt
new file mode 100644
index 00000000000..a81cf737422
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/ImpactTest_zero_regression_range.txt
@@ -0,0 +1,60 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': { 'introduced_range': 'unknown:eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + 'ecosystem_specific': {'severity': 'MEDIUM'}, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'project', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://repo.com/repo', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-2020-1337', + 'details': 'DETAILS', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', + 'has_affected': True, + 'import_last_modified': None, + 'is_fixed': True, + 'issue_id': '9001', + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['project'], + 'public': False, + 'purl': [], + 'reference_url_types': {'https://url/': 'WEB'}, + 'regressed': 'unknown:eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '1337', + '2020', + '2020-1337', + 'ecosystem', + 'git', + 'https://repo.com/repo', + 'osv', + 'osv-2020', + 'osv-2020-1337', + 'project', + 'repo', + 'repo.com/repo'], + 'search_tags': ['osv-2020-1337', 'project'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'oss-fuzz', + 'source_id': 'oss-fuzz:123', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'Heap-buffer-overflow in Foo', + 'timestamp': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/worker/testdata/LINUX-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/LINUX-123.yaml
similarity index 100%
rename from gcp/workers/worker/testdata/LINUX-123.yaml
rename to gcp/workers/oss_fuzz_worker/testdata/LINUX-123.yaml
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml
new file mode 100644
index 00000000000..0d93ff864ce
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-123.yaml
@@ -0,0 +1,30 @@
+id: OSV-123
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+severity:
+- type: CVSS_V3
+ score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+credits:
+- name: Foo bar
+ contact:
+ - mailto:foo@bar.com
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+database_specific:
+ specific: 1337
+modified: '2020-01-01T00:00:00Z'
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml
new file mode 100644
index 00000000000..4d2eedef66a
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-124.yaml
@@ -0,0 +1,20 @@
+id: OSV-124
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ versions:
+ - branch-v0.1.1
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml
new file mode 100644
index 00000000000..1d10d5409df
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-125.yaml
@@ -0,0 +1,28 @@
+id: OSV-125
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+severity:
+- type: CVSS_V3
+ score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98
+ - introduced: febfac1940086bc1f6d3dc33fda0a1d1ba336209
+ versions:
+ - branch-v0.1.1
+ - branch_1_cherrypick_regress
+ - v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml
new file mode 100644
index 00000000000..a8ae7ed1e32
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-126.yaml
@@ -0,0 +1,21 @@
+id: OSV-126
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml
new file mode 100644
index 00000000000..a1a76f16f4f
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-127.yaml
@@ -0,0 +1,21 @@
+id: OSV-127
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: Go
+ versions:
+ - branch-v0.1.1
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: '0'
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml
new file mode 100644
index 00000000000..9b928c1f457
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-128.yaml
@@ -0,0 +1,25 @@
+id: OSV-128
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: grpcio
+ ecosystem: PyPI
+ versions:
+ - branch-v0.1.1
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: '0'
+ - limit: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.13.0
+ - limit: 1.14.2
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml
new file mode 100644
index 00000000000..d9eb33d1c97
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-129.yaml
@@ -0,0 +1,21 @@
+id: OSV-129
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: not a supported ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml
new file mode 100644
index 00000000000..d2d319bf552
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-130.yaml
@@ -0,0 +1,35 @@
+id: OSV-130
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+- package:
+ name: blah.com/package
+ ecosystem: not a supported ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml
new file mode 100644
index 00000000000..d62b1b10840
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-131.yaml
@@ -0,0 +1,21 @@
+id: OSV-131
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+affected:
+- package:
+ name: blah.com/package
+ ecosystem: not a supported ecosystem
+ ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+ versions:
+ - branch-v0.1.1
+references:
+- type: WEB
+ url: https://ref.com/ref
+modified: '2020-01-01T00:00:00Z'
diff --git a/gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml b/gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml
new file mode 100644
index 00000000000..86e69d4f5d0
--- /dev/null
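Review bot: OSV-130.yaml declares the top-level `references:` key twice, with identical content, in the OSV-130 hunk (the 35-line count confirms both blocks are in the file). A strict YAML loader rejects duplicate mapping keys, while a permissive one silently keeps only the last block, so whatever the test asserts about this fixture depends on the loader's duplicate-key behaviour rather than on the data itself. If the duplication is unintentional, drop the second `references:` block; if it is deliberate, a leading comment such as `# NOTE: duplicate top-level references key is intentional — exercises duplicate-key handling` would stop a later cleanup from "fixing" it.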
+++ b/gcp/workers/oss_fuzz_worker/testdata/OSV-TEST-last-affected-01.yaml
@@ -0,0 +1,16 @@
+id: OSV-TEST-last-affected-01
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- ranges:
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - last_affected: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml
new file mode 100644
index 00000000000..40653cf838c
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-123.yaml
@@ -0,0 +1,23 @@
+id: PYSEC-123
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: grpcio
+ ecosystem: PyPI
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.14.2
+ - fixed: 1.31.0
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml
new file mode 100644
index 00000000000..5fc3c832257
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-124.yaml
@@ -0,0 +1,18 @@
+id: PYSEC-124
+summary: A vulnerability
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: grpcio
+ ecosystem: PyPI
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.14.2
+ - last_affected: 1.31.0
diff --git a/gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml
new file mode 100644
index 00000000000..008c694bf41
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/PYSEC-456.yaml
@@ -0,0 +1,23 @@
+id: PYSEC-456
+summary: A vulnerability in an unnormalized package
+details: |
+ Blah blah blah
+ Blah
+modified: 2022-10-07T18:59:00Z
+references:
+- type: WEB
+ url: https://ref.com/ref
+affected:
+- package:
+ name: Scrapy
+ ecosystem: PyPI
+ ranges:
+ - type: ECOSYSTEM
+ events:
+ - introduced: 1.14.2
+ - fixed: 1.31.0
+ - type: GIT
+ repo: https://osv-test/repo/url
+ events:
+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
diff --git a/gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt b/gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt
new file mode 100644
index 00000000000..2c52b812385
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/RESTUpdateTest_update_no_introduced.txt
@@ -0,0 +1,427 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '7-10', + '7-10-1', + '7-10-2', + '7-10-3', + '7-10-4', + '7-10-5', + '7-10-6', + '7-10-7', + '7-10-8', + '7-11-0', + '7-11-1', + '7-11-2', + '7-12-0', + '7-12-1', + '7-12-2', + '7-12-3', + '7-13-0', + '7-13-1', + '7-13-2', + '7-14-0', + '7-14-1', + '7-15-0', + '7-15-1', + '7-15-2', + '7-15-3', + '7-15-4', + '7-15-5', + '7-16-0', + '7-16-1', + '7-16-2', + '7-16-3', + '7-16-4', + '7-17-0', + '7-17-1', + '7-18-0', + '7-18-1', + '7-18-2', + '7-19-0', + '7-19-1', + '7-19-2', + '7-19-3', + '7-19-4', + '7-19-5', + '7-19-6', + '7-19-7', + '7-20-0', + '7-20-1', + '7-21-0', + '7-21-1', + '7-21-2', + '7-21-3', + '7-21-4', + '7-21-5', + '7-21-6', + '7-21-7', + '7-22-0', + '7-23-0', + '7-23-1', + '7-24-0', + '7-25-0', + '7-26-0', + '7-27-0', + '7-28-0', + '7-28-1', + '7-29-0', + '7-30-0', + '7-31-0', + '7-32-0', + '7-33-0', + '7-34-0', + '7-35-0', + '7-36-0', + '7-37-0', + '7-37-1', + '7-38-0', + '7-39-0', + '7-40-0', + '7-41-0', + '7-42-0', + '7-42-1', + '7-43-0', + '7-44-0', + '7-45-0', + '7-46-0', + '7-47-0', + '7-47-1', + '7-48-0', + '7-49-0', + '7-49-1', + '7-50-0', + '7-50-1', + '7-50-2', + '7-50-3', + '7-51-0', + '7-52-0', + '7-52-1', + '7-53-0', + '7-53-1', + '7-54-0', + '7-54-1', + '7-55-0', + '7-55-1', + '7-56-0', + '7-56-1', + '7-57-0', + '7-58-0', + '7-59-0', + '7-60-0', + '7-61-0', + '7-61-1', + '7-62-0', + '7-63-0', + '7-64-0', + '7-64-1', + '7-65-0', + '7-65-1', + '7-65-2', + '7-65-3', + '7-66-0', + '7-67-0', + '7-68-0', + '7-69-0', + '7-69-1', + '7-7', + '7-7-1', + '7-7-2', + '7-7-3', + '7-70-0', + '7-71-0', + '7-71-1', + '7-72-0', + '7-73-0', + '7-74-0', + '7-75-0', + '7-76-0', + '7-76-1', + '7-77-0', + '7-78-0', + '7-79-0', + '7-79-1', + '7-8', + '7-8-1', + '7-80-0', + '7-81-0', + '7-82-0', + '7-83-0', + '7-83-1', + '7-84-0', + '7-85-0', + '7-9', + '7-9-1', + '7-9-2', + '7-9-3', + '7-9-4', + '7-9-5', + '7-9-6', + '7-9-7', + '7-9-8'], + 'affected_packages': [ { 
'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'function_hash': '22968065415160735040135778472335782425', + 'length': 58084.0}, + 'id': 'CURL-CVE-2022-32221-9751f04c', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c', + 'function': 'Curl_vsetopt'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '73596727404438881622769716353410783065', + '150108665408450698810391826671290668314', + '264542534956227828232279400943172691231', + '248438938282829223471764231064667949049'], + 'threshold': 0.9}, + 'id': 'CURL-CVE-2022-32221-b7951194', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c'}}]}, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '7.7'}, + { 'type': 'fixed', + 'value': '7.86.0'}], + 'repo_url': '', + 'type': 'SEMVER'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '546572da0457f37c698c02d0a08d90fdfcbeedec'}, + { 'type': 'fixed', + 'value': 'a64e3e59938abd7d667e4470a18072a24d7e9de9'}], + 'repo_url': 'https://github.com/curl/curl.git', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '7.85.0', + '7.84.0', + '7.83.1', + '7.83.0', + '7.82.0', + '7.81.0', + '7.80.0', + '7.79.1', + '7.79.0', + '7.78.0', + '7.77.0', + '7.76.1', + '7.76.0', + '7.75.0', + '7.74.0', + '7.73.0', + '7.72.0', + '7.71.1', + '7.71.0', + '7.70.0', + '7.69.1', + '7.69.0', + '7.68.0', + '7.67.0', + '7.66.0', + '7.65.3', + '7.65.2', + '7.65.1', + '7.65.0', + '7.64.1', + '7.64.0', + '7.63.0', + '7.62.0', + '7.61.1', + '7.61.0', + '7.60.0', + '7.59.0', + '7.58.0', + '7.57.0', + '7.56.1', + '7.56.0', + 
'7.55.1', + '7.55.0', + '7.54.1', + '7.54.0', + '7.53.1', + '7.53.0', + '7.52.1', + '7.52.0', + '7.51.0', + '7.50.3', + '7.50.2', + '7.50.1', + '7.50.0', + '7.49.1', + '7.49.0', + '7.48.0', + '7.47.1', + '7.47.0', + '7.46.0', + '7.45.0', + '7.44.0', + '7.43.0', + '7.42.1', + '7.42.0', + '7.41.0', + '7.40.0', + '7.39.0', + '7.38.0', + '7.37.1', + '7.37.0', + '7.36.0', + '7.35.0', + '7.34.0', + '7.33.0', + '7.32.0', + '7.31.0', + '7.30.0', + '7.29.0', + '7.28.1', + '7.28.0', + '7.27.0', + '7.26.0', + '7.25.0', + '7.24.0', + '7.23.1', + '7.23.0', + '7.22.0', + '7.21.7', + '7.21.6', + '7.21.5', + '7.21.4', + '7.21.3', + '7.21.2', + '7.21.1', + '7.21.0', + '7.20.1', + '7.20.0', + '7.19.7', + '7.19.6', + '7.19.5', + '7.19.4', + '7.19.3', + '7.19.2', + '7.19.1', + '7.19.0', + '7.18.2', + '7.18.1', + '7.18.0', + '7.17.1', + '7.17.0', + '7.16.4', + '7.16.3', + '7.16.2', + '7.16.1', + '7.16.0', + '7.15.5', + '7.15.4', + '7.15.3', + '7.15.2', + '7.15.1', + '7.15.0', + '7.14.1', + '7.14.0', + '7.13.2', + '7.13.1', + '7.13.0', + '7.12.3', + '7.12.2', + '7.12.1', + '7.12.0', + '7.11.2', + '7.11.1', + '7.11.0', + '7.10.8', + '7.10.7', + '7.10.6', + '7.10.5', + '7.10.4', + '7.10.3', + '7.10.2', + '7.10.1', + '7.10', + '7.9.8', + '7.9.7', + '7.9.6', + '7.9.5', + '7.9.4', + '7.9.3', + '7.9.2', + '7.9.1', + '7.9', + '7.8.1', + '7.8', + '7.7.3', + '7.7.2', + '7.7.1', + '7.7']}], + 'aliases': ['CVE-2022-32221'], + 'credits': [ {'contact': [], 'name': 'Robby Simpson', 'type': 'FINDER'}, + { 'contact': [], + 'name': 'Daniel Stenberg', + 'type': 'REMEDIATION_DEVELOPER'}], + 'database_specific': { 'CWE': { 'desc': 'Expected Behavior Violation', + 'id': 'CWE-440'}, + 'URL': 'https://curl.se/docs/CVE-2022-32221.json', + 'award': {'amount': '2400', 'currency': 'USD'}, + 'issue': 'https://hackerone.com/reports/1704017', + 'last_affected': '7.85.0', + 'package': 'curl', + 'severity': 'Medium', + 'www': 'https://curl.se/docs/CVE-2022-32221.html'}, + 'db_id': 'CURL-CVE-2022-32221', + 'details': 
'When doing HTTP(S) transfers, libcurl might erroneously use ' + 'the read callback\n' + '(`CURLOPT_READFUNCTION`) to ask for data to send, even when ' + 'the\n' + '`CURLOPT_POSTFIELDS` option has been set, if the same handle ' + 'previously was\n' + 'used to issue a `PUT` request which used that callback.\n' + '\n' + 'This flaw may surprise the application and cause it to ' + 'misbehave and either\n' + 'send off the wrong data or use memory after free or similar in ' + 'the subsequent\n' + '`POST` request.\n' + '\n' + 'The problem exists in the logic for a reused handle when it is ' + 'changed from a\n' + 'PUT to a POST.', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2023, 5, 10, 0, 37, 6, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': {}, + 'regressed': '', + 'related': [], + 'search_indices': [ '2022', + '2022-32221', + '32221', + 'curl', + 'curl-cve', + 'curl-cve-2022', + 'curl-cve-2022-32221', + 'curl.git', + 'cve', + 'cve-2022', + 'cve-2022-32221', + 'git', + 'github.com/curl/curl.git', + 'https://github.com/curl/curl.git'], + 'search_tags': ['curl-cve-2022-32221'], + 'semver_fixed_indexes': ['00000007.00000086.00000000-zzzzzzzzzzzzzzzz'], + 'severities': [], + 'source': 'source', + 'source_id': 'source:CURL-CVE-2022-32221.json', + 'source_of_truth': 1, + 'status': 1, + 'summary': 'POST following PUT confusion', + 'timestamp': DatetimeWithNanoseconds(2022, 10, 26, 8, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json b/gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json new file mode 100644 index 00000000000..58150ba4c32 --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UBUNTU-CVE-2025-38094.json 
@@ -0,0 +1,262 @@ +{ + "schema_version": "1.7.3", + "id": "UBUNTU-CVE-2025-38094", + "details": "In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sama5d4 device that stayed locked for days. Use retries instead of jiffies so that the timeout really works and we do not have a deadlock anymore.", + "aliases": [], + "upstream": [ + "CVE-2025-38094" + ], + "related": [], + "severity": [ + { + "type": "Ubuntu", + "score": "medium" + } + ], + "published": "2025-07-04T00:00:00Z", + "modified": "2025-07-04T00:00:00Z", + "affected": [ + { + "package": { + "ecosystem": "Ubuntu:Pro:14.04:LTS", + "name": "linux", + "purl": "pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "versions": [ + "3.11.0-12.19", + "3.12.0-1.3", + "3.12.0-2.5", + "3.12.0-2.7", + "3.12.0-3.8", + "3.12.0-3.9", + "3.12.0-4.10", + "3.12.0-4.12", + "3.12.0-5.13", + "3.12.0-7.15", + "3.13.0-1.16", + "3.13.0-2.17", + "3.13.0-3.18", + "3.13.0-4.19", + "3.13.0-5.20", + "3.13.0-6.23", + "3.13.0-7.25", + "3.13.0-7.26", + "3.13.0-8.27", + "3.13.0-8.28", + "3.13.0-10.30", + "3.13.0-11.31", + "3.13.0-12.32", + "3.13.0-13.33", + "3.13.0-14.34", + "3.13.0-15.35", + "3.13.0-16.36", + "3.13.0-17.37", + "3.13.0-18.38", + "3.13.0-19.39", + "3.13.0-19.40", + "3.13.0-20.42", + "3.13.0-21.43", + "3.13.0-22.44", + "3.13.0-23.45", + "3.13.0-24.46", + "3.13.0-24.47", + "3.13.0-27.50", + "3.13.0-29.53", + "3.13.0-30.54", + "3.13.0-30.55", + "3.13.0-32.57", + "3.13.0-33.58", + "3.13.0-34.60", + "3.13.0-35.62", + "3.13.0-36.63", + "3.13.0-37.64", + "3.13.0-39.66", + "3.13.0-40.69", + 
"3.13.0-41.70", + "3.13.0-43.72", + "3.13.0-44.73", + "3.13.0-45.74", + "3.13.0-46.75", + "3.13.0-46.76", + "3.13.0-46.77", + "3.13.0-46.79", + "3.13.0-48.80", + "3.13.0-49.81", + "3.13.0-49.83", + "3.13.0-51.84", + "3.13.0-52.85", + "3.13.0-52.86", + "3.13.0-53.88", + "3.13.0-53.89", + "3.13.0-54.91", + "3.13.0-55.92", + "3.13.0-55.94", + "3.13.0-57.95", + "3.13.0-58.97", + "3.13.0-59.98", + "3.13.0-61.100", + "3.13.0-62.102", + "3.13.0-63.103", + "3.13.0-65.105", + "3.13.0-65.106", + "3.13.0-66.108", + "3.13.0-67.110", + "3.13.0-68.111", + "3.13.0-70.113", + "3.13.0-71.114", + "3.13.0-73.116", + "3.13.0-74.118", + "3.13.0-76.120", + "3.13.0-77.121", + "3.13.0-79.123", + "3.13.0-83.127", + "3.13.0-85.129", + "3.13.0-86.130", + "3.13.0-86.131", + "3.13.0-87.133", + "3.13.0-88.135", + "3.13.0-91.138", + "3.13.0-92.139", + "3.13.0-93.140", + "3.13.0-95.142", + "3.13.0-96.143", + "3.13.0-98.145", + "3.13.0-100.147", + "3.13.0-101.148", + "3.13.0-103.150", + "3.13.0-105.152", + "3.13.0-106.153", + "3.13.0-107.154", + "3.13.0-108.155", + "3.13.0-109.156", + "3.13.0-110.157", + "3.13.0-111.158", + "3.13.0-112.159", + "3.13.0-113.160", + "3.13.0-115.162", + "3.13.0-116.163", + "3.13.0-117.164", + "3.13.0-119.166", + "3.13.0-121.170", + "3.13.0-123.172", + "3.13.0-125.174", + "3.13.0-126.175", + "3.13.0-128.177", + "3.13.0-129.178", + "3.13.0-132.181", + "3.13.0-133.182", + "3.13.0-135.184", + "3.13.0-137.186", + "3.13.0-139.188", + "3.13.0-141.190", + "3.13.0-142.191", + "3.13.0-143.192", + "3.13.0-144.193", + "3.13.0-145.194", + "3.13.0-147.196", + "3.13.0-149.199", + "3.13.0-151.201", + "3.13.0-153.203", + "3.13.0-155.205", + "3.13.0-156.206", + "3.13.0-157.207", + "3.13.0-158.208", + "3.13.0-160.210", + "3.13.0-161.211", + "3.13.0-162.212", + "3.13.0-163.213", + "3.13.0-164.214", + "3.13.0-165.215", + "3.13.0-166.216", + "3.13.0-167.217", + "3.13.0-168.218", + "3.13.0-169.219", + "3.13.0-170.220", + "3.13.0-173.224", + "3.13.0-174.225", + "3.13.0-175.226", + 
"3.13.0-176.227", + "3.13.0-180.231", + "3.13.0-181.232", + "3.13.0-182.233", + "3.13.0-183.234", + "3.13.0-184.235", + "3.13.0-185.236", + "3.13.0-186.237", + "3.13.0-187.238", + "3.13.0-188.239", + "3.13.0-189.240", + "3.13.0-190.241", + "3.13.0-191.242", + "3.13.0-192.243", + "3.13.0-193.244", + "3.13.0-194.245", + "3.13.0-195.246", + "3.13.0-196.247", + "3.13.0-197.248", + "3.13.0-198.249", + "3.13.0-199.250", + "3.13.0-200.251", + "3.13.0-201.252", + "3.13.0-202.253", + "3.13.0-203.254", + "3.13.0-204.255", + "3.13.0-205.256", + "3.13.0-206.257" + ], + "ecosystem_specific": {} + } + ], + "references": [ + { + "type": "REPORT", + "url": "https://ubuntu.com/security/CVE-2025-38094" + }, + { + "type": "REPORT", + "url": "https://www.cve.org/CVERecord?id=CVE-2025-38094" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7" + }, + { + "type": "REPORT", + "url": "https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f" + } + ] +} diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt new file mode 100644 index 00000000000..6968470d21e --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_analysis_crash_handling.txt 
@@ -0,0 +1,170 @@ +{ 'affected': [], + 'affected_fuzzy': [ '6-9-4-0', + '6-9-4-1', + '6-9-4-10', + '6-9-4-2', + '6-9-4-3', + '6-9-4-4', + '6-9-4-5', + '6-9-4-6', + '6-9-4-7', + '6-9-4-8', + '6-9-4-9', + '6-9-5-0', + '6-9-5-1', + '6-9-5-2', + '6-9-5-3', + '6-9-5-4'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': { 'urgency': 'not yet ' + 'assigned'}, + 'package': { 'ecosystem': 'Debian:11', + 'name': 'imagemagick', + 'purl': 'pkg:deb/debian/imagemagick?arch=source'}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8:6.9.6.2+dfsg-2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': []}, + { 'database_specific': None, + 'ecosystem_specific': { 'urgency': 'not yet ' + 'assigned'}, + 'package': { 'ecosystem': 'Debian:12', + 'name': 'imagemagick', + 'purl': 'pkg:deb/debian/imagemagick?arch=source'}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8:6.9.6.2+dfsg-2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': []}, + { 'database_specific': None, + 'ecosystem_specific': { 'urgency': 'not yet ' + 'assigned'}, + 'package': { 'ecosystem': 'Debian:13', + 'name': 'imagemagick', + 'purl': 'pkg:deb/debian/imagemagick?arch=source'}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8:6.9.6.2+dfsg-2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': []}, + { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'function_hash': '105821297934886641033004172548266479551', + 'length': 34630.0}, + 'id': 'CVE-2016-10046-90cf14aa', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/imagemagick/imagemagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f', + 'target': { 'file': 'magick/draw.c', + 'function': 'DrawImage'}}, + { 'deprecated': 
False, + 'digest': { 'line_hashes': [ '111474618106123245942052817755198756272', + '301954155546171996711090723027809067481', + '279975694698735176382484669604413338546', + '183001078492337674961672731704068361015'], + 'threshold': 0.9}, + 'id': 'CVE-2016-10046-b43115ee', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/imagemagick/imagemagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f', + 'target': { 'file': 'magick/draw.c'}}]}, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '989f9f88ea6db09b99d25586e912c921c0da8d3f'}], + 'repo_url': 'https://github.com/imagemagick/imagemagick', + 'type': 'GIT'}, + { 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'last_affected', + 'value': '969a96ed7eea9603bea46492e9116c2ba28da60f'}], + 'repo_url': 'https://github.com/imagemagick/imagemagick6', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '6.9.4-0', + '6.9.4-1', + '6.9.4-10', + '6.9.4-2', + '6.9.4-3', + '6.9.4-4', + '6.9.4-5', + '6.9.4-6', + '6.9.4-7', + '6.9.4-8', + '6.9.4-9', + '6.9.5-0', + '6.9.5-1', + '6.9.5-2', + '6.9.5-3', + '6.9.5-4']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'CVE-2016-10046', + 'details': 'Heap-based buffer overflow in the DrawImage function in ' + 'magick/draw.c in ImageMagick before 6.9.5-5 allows remote ' + 'attackers to cause a denial of service (application crash) via ' + 'a crafted image file.', + 'ecosystem': ['Debian', 'Debian:11', 'Debian:12', 'Debian:13', 'GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2024, 9, 18, 1, 0, 20, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(2021, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['imagemagick'], + 'public': True, + 'purl': [ 
'pkg:deb/debian/imagemagick', + 'pkg:deb/debian/imagemagick?arch=source'], + 'reference_url_types': { 'http://www.openwall.com/lists/oss-security/2016/12/26/9': 'WEB', + 'http://www.securityfocus.com/bid/95183': 'WEB', + 'https://bugzilla.redhat.com/show_bug.cgi?id=1410448': 'REPORT', + 'https://github.com/ImageMagick/ImageMagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f': 'REPORT', + 'https://security-tracker.debian.org/tracker/CVE-2016-10046': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '10046', + '11', + '12', + '13', + '2016', + '2016-10046', + 'cve', + 'cve-2016', + 'cve-2016-10046', + 'debian', + 'debian:11', + 'debian:12', + 'debian:13', + 'git', + 'github.com/imagemagick/imagemagick', + 'github.com/imagemagick/imagemagick6', + 'https://github.com/imagemagick/imagemagick', + 'https://github.com/imagemagick/imagemagick6', + 'imagemagick', + 'imagemagick6'], + 'search_tags': ['cve-2016-10046', 'imagemagick'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 'source:CVE-2016-10046.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': DatetimeWithNanoseconds(2017, 3, 23, 17, 59, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt new file mode 100644 index 00000000000..cb4c04fa467 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_alpine.txt 
@@ -0,0 +1,616 @@ +('diff --git a/CVE-2022-27449.json b/CVE-2022-27449.json\n' + 'index 3fc80cd..e6cf371 100644\n' + '--- a/CVE-2022-27449.json\n' + '+++ b/CVE-2022-27449.json\n' + '@@ -1,16 +1,13 @@\n' + ' {\n' + '- "id": "CVE-2022-27449",\n' + '- "details": "MariaDB Server v10.9 and below was discovered to contain a ' + 'segmentation fault via the component sql/item_func.cc:148.",\n' + ' "affected": [\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.12",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -18,19 +15,110 @@\n' + ' {\n' + ' "fixed": "10.4.25-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ 
"10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.15-r0",\n' + '+ "10.4.17-r0",\n' + '+ "10.4.17-r1",\n' + '+ "10.4.18-r0",\n' + '+ "10.4.19-r0",\n' + '+ "10.4.21-r0",\n' + '+ "10.4.22-r0",\n' + '+ "10.4.24-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.13",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -38,19 +126,113 @@\n' + ' {\n' + ' "fixed": "10.5.16-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ 
"10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.10-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.12-r0",\n' + '+ "10.5.13-r0",\n' + '+ "10.5.15-r0",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.14",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -58,19 +240,112 @@\n' + ' {\n' + ' "fixed": "10.5.16-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ 
"10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.12-r0",\n' + '+ "10.5.13-r0",\n' + '+ "10.5.15-r0",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.15",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -78,19 +353,115 
@@\n' + ' {\n' + ' "fixed": "10.6.8-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + '+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.11-r1",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "10.6.3-r0",\n' + '+ "10.6.4-r0",\n' + '+ "10.6.4-r1",\n' + '+ "10.6.4-r2",\n' + '+ "10.6.7-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ 
"5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' },\n' + ' {\n' + ' "package": {\n' + '- "name": "mariadb",\n' + ' "ecosystem": "Alpine:v3.16",\n' + '+ "name": "mariadb",\n' + ' "purl": "pkg:alpine/mariadb"\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -98,11 +469,112 @@\n' + ' {\n' + ' "fixed": "10.6.8-r0"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "10.0.21-r0",\n' + '+ "10.0.21-r1",\n' + '+ "10.0.21-r2",\n' + '+ "10.1.11-r0",\n' + '+ "10.1.11-r1",\n' + '+ "10.1.12-r0",\n' + '+ "10.1.12-r1",\n' + '+ "10.1.13-r0",\n' + '+ "10.1.13-r1",\n' + '+ "10.1.14-r0",\n' + '+ "10.1.14-r1",\n' + '+ "10.1.14-r2",\n' + '+ "10.1.14-r3",\n' + '+ "10.1.16-r0",\n' + '+ "10.1.17-r0",\n' + '+ "10.1.17-r1",\n' + '+ "10.1.18-r0",\n' + '+ "10.1.18-r1",\n' + '+ "10.1.19-r0",\n' + '+ "10.1.20-r0",\n' + '+ "10.1.21-r0",\n' + '+ "10.1.22-r0",\n' + '+ "10.1.22-r1",\n' + '+ "10.1.22-r2",\n' + '+ "10.1.24-r0",\n' + '+ "10.1.26-r0",\n' + '+ "10.1.28-r0",\n' + '+ "10.1.28-r1",\n' + '+ "10.1.28-r2",\n' + '+ "10.1.31-r0",\n' + '+ "10.1.8-r0",\n' + '+ "10.1.8-r1",\n' + '+ "10.1.9-r0",\n' + '+ "10.1.9-r1",\n' + '+ "10.1.9-r2",\n' + '+ "10.1.9-r3",\n' + '+ "10.2.13-r0",\n' + '+ "10.2.13-r1",\n' + '+ "10.2.14-r0",\n' + '+ "10.2.14-r1",\n' + '+ "10.2.14-r2",\n' + '+ "10.2.15-r0",\n' + '+ "10.3.10-r0",\n' + '+ "10.3.10-r1",\n' + '+ "10.3.11-r0",\n' + '+ "10.3.12-r0",\n' + '+ "10.3.12-r1",\n' + '+ "10.3.12-r2",\n' + '+ "10.3.13-r0",\n' + '+ "10.3.13-r1",\n' + '+ "10.3.13-r2",\n' + '+ "10.3.13-r3",\n' + '+ "10.3.13-r4",\n' + '+ "10.3.15-r0",\n' + '+ "10.3.16-r0",\n' + '+ "10.3.9-r0",\n' + '+ "10.3.9-r1",\n' + '+ "10.3.9-r2",\n' + '+ "10.4.10-r0",\n' + '+ "10.4.10-r1",\n' + '+ "10.4.11-r0",\n' + '+ "10.4.12-r0",\n' + 
'+ "10.4.13-r0",\n' + '+ "10.4.13-r1",\n' + '+ "10.4.14-r0",\n' + '+ "10.4.6-r0",\n' + '+ "10.4.6-r1",\n' + '+ "10.4.7-r0",\n' + '+ "10.4.8-r0",\n' + '+ "10.5.11-r0",\n' + '+ "10.5.11-r1",\n' + '+ "10.5.5-r0",\n' + '+ "10.5.6-r0",\n' + '+ "10.5.8-r0",\n' + '+ "10.5.9-r0",\n' + '+ "10.6.3-r0",\n' + '+ "10.6.4-r0",\n' + '+ "10.6.4-r1",\n' + '+ "10.6.4-r2",\n' + '+ "10.6.7-r0",\n' + '+ "5.5.41-r0",\n' + '+ "5.5.41-r1",\n' + '+ "5.5.41-r2",\n' + '+ "5.5.42-r0",\n' + '+ "5.5.42-r1",\n' + '+ "5.5.42-r2",\n' + '+ "5.5.42-r3",\n' + '+ "5.5.42-r4",\n' + '+ "5.5.43-r0",\n' + '+ "5.5.43-r1",\n' + '+ "5.5.43-r2",\n' + '+ "5.5.43-r3",\n' + '+ "5.5.43-r4",\n' + '+ "5.5.43-r5"\n' + ' ]\n' + ' }\n' + ' ],\n' + '+ "details": "MariaDB Server v10.9 and below was discovered to contain a ' + 'segmentation fault via the component sql/item_func.cc:148.",\n' + '+ "id": "CVE-2022-27449",\n' + '+ "modified": "3000-01-01T00:00:00Z",\n' + '+ "published": "2022-04-14T13:15:00Z",\n' + ' "references": [\n' + ' {\n' + ' "type": "EVIDENCE",\n' + '@@ -132,7 +604,5 @@\n' + ' "type": "WEB",\n' + ' "url": ' + '"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"\n' + ' }\n' + '- ],\n' + '- "modified": "2022-10-07T18:59:00Z",\n' + '- "published": "2022-04-14T13:15:00Z"\n' + '-}\n' + '+ ]\n' + '+}\n' + '\\ No newline at end of file\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt new file mode 100644 index 00000000000..0433f0bc3ff --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_debian.txt 
@@ -0,0 +1,64 @@ +('diff --git a/DSA-3029-1.json b/DSA-3029-1.json\n' + 'index 1b73210..c114001 100644\n' + '--- a/DSA-3029-1.json\n' + '+++ b/DSA-3029-1.json\n' + '@@ -1,6 +1,4 @@\n' + ' {\n' + '- "id": "DSA-3029-1",\n' + '- "summary": "nginx - security update",\n' + ' "affected": [\n' + ' {\n' + ' "package": {\n' + '@@ -9,7 +7,6 @@\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -17,21 +14,30 @@\n' + ' {\n' + ' "fixed": "1.2.1-2.2+wheezy3"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "1.2.1-2.2",\n' + '+ "1.2.1-2.2+wheezy1",\n' + '+ "1.2.1-2.2+wheezy2",\n' + '+ "1.2.1-2.2+wheezy3~bpo60+1"\n' + ' ]\n' + ' }\n' + ' ],\n' + ' "aliases": [\n' + ' "CVE-2014-3616"\n' + ' ],\n' + '- "published": "2014-09-20T00:00:00Z",\n' + '- "modified": "2014-09-20T08:18:07Z",\n' + ' "details": "\\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan ' + 'discovered that it was\\npossible to reuse cached SSL sessions in unrelated ' + 'contexts, allowing\\nvirtual host confusion attacks in some configurations ' + 'by an attacker in\\na privileged network position.\\n\\n\\nFor the stable ' + 'distribution (wheezy), this problem has been fixed in\\nversion ' + '1.2.1-2.2+wheezy3.\\n\\n\\nFor the testing distribution (jessie), this ' + 'problem has been fixed in\\nversion 1.6.2-1.\\n\\n\\nFor the unstable ' + 'distribution (sid), this problem has been fixed in\\nversion ' + '1.6.2-1.\\n\\n\\nWe recommend that you upgrade your nginx ' + 'packages.\\n\\n\\n",\n' + '+ "id": "DSA-3029-1",\n' + '+ "modified": "3000-01-01T00:00:00Z",\n' + '+ "published": "2014-09-20T00:00:00Z",\n' + ' "references": [\n' + ' {\n' + ' "type": "ADVISORY",\n' + ' "url": "https://www.debian.org/security/2014/dsa-3029"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "summary": "nginx - security update"\n' + ' }\n' + '\\ No newline at end of file\n') \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt new file mode 100644 index 00000000000..1cc3591ae79 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected.txt @@ -0,0 +1,78 @@ +('diff --git a/PYSEC-124.yaml b/PYSEC-124.yaml\n' + 'index 5fc3c83..bc7539c 100644\n' + '--- a/PYSEC-124.yaml\n' + '+++ b/PYSEC-124.yaml\n' + '@@ -1,18 +1,61 @@\n' + '-id: PYSEC-124\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-modified: 2022-10-07T18:59:00Z\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: grpcio\n' + ' ecosystem: PyPI\n' + '+ name: grpcio\n' + ' ranges:\n' + '- - type: ECOSYSTEM\n' + '- events:\n' + '+ - events:\n' + ' - introduced: 1.14.2\n' + ' - last_affected: 1.31.0\n' + '+ type: ECOSYSTEM\n' + '+ versions:\n' + '+ - 1.14.2\n' + '+ - 1.15.0\n' + '+ - 1.15.0rc1\n' + '+ - 1.16.0\n' + '+ - 1.16.0rc1\n' + '+ - 1.16.1\n' + '+ - 1.17.0\n' + '+ - 1.17.1\n' + '+ - 1.18.0\n' + '+ - 1.19.0\n' + '+ - 1.20.0\n' + '+ - 1.20.0rc1\n' + '+ - 1.20.0rc2\n' + '+ - 1.20.0rc3\n' + '+ - 1.20.1\n' + '+ - 1.21.0rc1\n' + '+ - 1.21.1\n' + '+ - 1.21.1rc1\n' + '+ - 1.22.0\n' + '+ - 1.22.0rc1\n' + '+ - 1.22.1\n' + '+ - 1.23.0\n' + '+ - 1.23.0rc1\n' + '+ - 1.23.1\n' + '+ - 1.24.0\n' + '+ - 1.24.0rc1\n' + '+ - 1.24.1\n' + '+ - 1.24.3\n' + '+ - 1.25.0\n' + '+ - 1.25.0rc1\n' + '+ - 1.26.0\n' + '+ - 1.26.0rc1\n' + '+ - 1.27.0rc1\n' + '+ - 1.27.0rc2\n' + '+ - 1.27.1\n' + '+ - 1.27.2\n' + '+ - 1.28.0rc1\n' + '+ - 1.28.0rc2\n' + '+ - 1.28.1\n' + '+ - 1.29.0\n' + '+ - 1.30.0\n' + '+ - 1.31.0\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: PYSEC-124\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt new file mode 100644 index 00000000000..990ff79da6e --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_last_affected_git.txt @@ -0,0 +1,35 @@ +('diff --git a/OSV-TEST-last-affected-01.yaml ' + 'b/OSV-TEST-last-affected-01.yaml\n' + 'index 86e69d4..db61731 100644\n' + '--- a/OSV-TEST-last-affected-01.yaml\n' + '+++ b/OSV-TEST-last-affected-01.yaml\n' + '@@ -1,16 +1,19 @@\n' + '-id: OSV-TEST-last-affected-01\n' + '-summary: A vulnerability\n' + '+affected:\n' + '+- ranges:\n' + '+ - events:\n' + '+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '+ - last_affected: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ versions:\n' + '+ - v0.1.1\n' + '+ - v0.2\n' + ' details: |\n' + ' Blah blah blah\n' + ' Blah\n' + '-modified: 2022-10-07T18:59:00Z\n' + '+id: OSV-TEST-last-affected-01\n' + "+modified: '3000-01-01T00:00:00Z'\n" + ' references:\n' + ' - type: WEB\n' + ' url: https://ref.com/ref\n' + '-affected:\n' + '-- ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '- - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '- - last_affected: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt new file mode 100644 index 00000000000..600a0536a0d --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_maven.txt 
@@ -0,0 +1,110 @@ +('diff --git a/GHSA-838r-hvwh-24h8.json b/GHSA-838r-hvwh-24h8.json\n' + 'index 13e8570..55b233a 100644\n' + '--- a/GHSA-838r-hvwh-24h8.json\n' + '+++ b/GHSA-838r-hvwh-24h8.json\n' + '@@ -1,19 +1,4 @@\n' + ' {\n' + '- "schema_version": "1.4.0",\n' + '- "id": "GHSA-838r-hvwh-24h8",\n' + '- "modified": "2021-09-24T13:10:05Z",\n' + '- "published": "2021-09-13T20:06:31Z",\n' + '- "aliases": [\n' + '- "CVE-2021-38555"\n' + '- ],\n' + '- "summary": "XML Injection in Any23",\n' + '- "details": "An XML external entity (XXE) injection vulnerability was ' + 'discovered in the Any23 StreamUtils.java file and is known to affect Any23 ' + 'versions < 2.5. XML external entity injection (also known as XXE) is a web ' + 'security vulnerability that allows an attacker to interfere with an ' + "application's processing of XML data. It often allows an attacker to view " + 'files on the application server filesystem, and to interact with any ' + 'back-end or external systems that the application itself can access.",\n' + '- "severity": [\n' + '- {\n' + '- "type": "CVSS_V3",\n' + '- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"\n' + '- }\n' + '- ],\n' + ' "affected": [\n' + ' {\n' + ' "package": {\n' + '@@ -22,7 +7,6 @@\n' + ' },\n' + ' "ranges": [\n' + ' {\n' + '- "type": "ECOSYSTEM",\n' + ' "events": [\n' + ' {\n' + ' "introduced": "0"\n' + '@@ -30,11 +14,40 @@\n' + ' {\n' + ' "fixed": "2.5"\n' + ' }\n' + '- ]\n' + '+ ],\n' + '+ "type": "ECOSYSTEM"\n' + ' }\n' + '+ ],\n' + '+ "versions": [\n' + '+ "0.7.0-incubating",\n' + '+ "0.8.0",\n' + '+ "0.9.0",\n' + '+ "1.0",\n' + '+ "1.1",\n' + '+ "2.0",\n' + '+ "2.1",\n' + '+ "2.2",\n' + '+ "2.3",\n' + '+ "2.4"\n' + ' ]\n' + ' }\n' + ' ],\n' + '+ "aliases": [\n' + '+ "CVE-2021-38555"\n' + '+ ],\n' + '+ "database_specific": {\n' + '+ "cwe_ids": [\n' + '+ "CWE-611"\n' + '+ ],\n' + '+ "github_reviewed": true,\n' + '+ "github_reviewed_at": "2021-09-13T19:31:01Z",\n' + '+ "nvd_published_at": "2021-09-11T11:15:00Z",\n' + 
'+ "severity": "CRITICAL"\n' + '+ },\n' + '+ "details": "An XML external entity (XXE) injection vulnerability was ' + 'discovered in the Any23 StreamUtils.java file and is known to affect Any23 ' + 'versions < 2.5. XML external entity injection (also known as XXE) is a web ' + 'security vulnerability that allows an attacker to interfere with an ' + "application's processing of XML data. It often allows an attacker to view " + 'files on the application server filesystem, and to interact with any ' + 'back-end or external systems that the application itself can access.",\n' + '+ "id": "GHSA-838r-hvwh-24h8",\n' + '+ "modified": "3000-01-01T00:00:00Z",\n' + '+ "published": "2021-09-13T20:06:31Z",\n' + ' "references": [\n' + ' {\n' + ' "type": "ADVISORY",\n' + '@@ -49,13 +62,12 @@\n' + ' "url": ' + '"https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E"\n' + ' }\n' + ' ],\n' + '- "database_specific": {\n' + '- "cwe_ids": [\n' + '- "CWE-611"\n' + '- ],\n' + '- "severity": "CRITICAL",\n' + '- "github_reviewed": true,\n' + '- "github_reviewed_at": "2021-09-13T19:31:01Z",\n' + '- "nvd_published_at": "2021-09-11T11:15:00Z"\n' + '- }\n' + '+ "schema_version": "1.4.0",\n' + '+ "severity": [\n' + '+ {\n' + '+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",\n' + '+ "type": "CVSS_V3"\n' + '+ }\n' + '+ ],\n' + '+ "summary": "XML Injection in Any23"\n' + ' }\n' + '\\ No newline at end of file\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt new file mode 100644 index 00000000000..9c7aacfe8a2 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_normalized_pypi.txt 
@@ -0,0 +1,29 @@ +('diff --git a/PYSEC-456.yaml b/PYSEC-456.yaml\n' + 'new file mode 100644\n' + 'index 0000000..008c694\n' + '--- /dev/null\n' + '+++ b/PYSEC-456.yaml\n' + '@@ -0,0 +1,23 @@\n' + '+id: PYSEC-456\n' + '+summary: A vulnerability in an unnormalized package\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+modified: 2022-10-07T18:59:00Z\n' + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+affected:\n' + '+- package:\n' + '+ name: Scrapy\n' + '+ ecosystem: PyPI\n' + '+ ranges:\n' + '+ - type: ECOSYSTEM\n' + '+ events:\n' + '+ - introduced: 1.14.2\n' + '+ - fixed: 1.31.0\n' + '+ - type: GIT\n' + '+ repo: https://osv-test/repo/url\n' + '+ events:\n' + '+ - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt new file mode 100644 index 00000000000..9bdb664f6e3 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_pypi.txt 
@@ -0,0 +1,85 @@ +('diff --git a/PYSEC-123.yaml b/PYSEC-123.yaml\n' + 'index 40653cf..8e2c331 100644\n' + '--- a/PYSEC-123.yaml\n' + '+++ b/PYSEC-123.yaml\n' + '@@ -1,23 +1,65 @@\n' + '-id: PYSEC-123\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-modified: 2022-10-07T18:59:00Z\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: grpcio\n' + ' ecosystem: PyPI\n' + '+ name: grpcio\n' + ' ranges:\n' + '- - type: ECOSYSTEM\n' + '- events:\n' + '+ - events:\n' + ' - introduced: 1.14.2\n' + ' - fixed: 1.31.0\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ type: ECOSYSTEM\n' + '+ - events:\n' + ' - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + ' - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ versions:\n' + '+ - 1.14.2\n' + '+ - 1.15.0\n' + '+ - 1.15.0rc1\n' + '+ - 1.16.0\n' + '+ - 1.16.0rc1\n' + '+ - 1.16.1\n' + '+ - 1.17.0\n' + '+ - 1.17.1\n' + '+ - 1.18.0\n' + '+ - 1.19.0\n' + '+ - 1.20.0\n' + '+ - 1.20.0rc1\n' + '+ - 1.20.0rc2\n' + '+ - 1.20.0rc3\n' + '+ - 1.20.1\n' + '+ - 1.21.0rc1\n' + '+ - 1.21.1\n' + '+ - 1.21.1rc1\n' + '+ - 1.22.0\n' + '+ - 1.22.0rc1\n' + '+ - 1.22.1\n' + '+ - 1.23.0\n' + '+ - 1.23.0rc1\n' + '+ - 1.23.1\n' + '+ - 1.24.0\n' + '+ - 1.24.0rc1\n' + '+ - 1.24.1\n' + '+ - 1.24.3\n' + '+ - 1.25.0\n' + '+ - 1.25.0rc1\n' + '+ - 1.26.0\n' + '+ - 1.26.0rc1\n' + '+ - 1.27.0rc1\n' + '+ - 1.27.0rc2\n' + '+ - 1.27.1\n' + '+ - 1.27.2\n' + '+ - 1.28.0rc1\n' + '+ - 1.28.0rc2\n' + '+ - 1.28.1\n' + '+ - 1.29.0\n' + '+ - 1.30.0\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: PYSEC-123\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt
new file mode 100644
index 00000000000..6c3164251ff
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update.txt
@@ -0,0 +1,61 @@ +('diff --git a/OSV-123.yaml b/OSV-123.yaml\n' + 'index 0d93ff8..e765523 100644\n' + '--- a/OSV-123.yaml\n' + '+++ b/OSV-123.yaml\n' + '@@ -1,30 +1,34 @@\n' + '-id: OSV-123\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-severity:\n' + '-- type: CVSS_V3\n' + '- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\n' + '-credits:\n' + '-- name: Foo bar\n' + '- contact:\n' + '- - mailto:foo@bar.com\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: blah.com/package\n' + ' ecosystem: Go\n' + '+ name: blah.com/package\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + ' - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + ' - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ - introduced: febfac1940086bc1f6d3dc33fda0a1d1ba336209\n' + '+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + ' versions:\n' + ' - branch-v0.1.1\n' + '+ - branch_1_cherrypick_regress\n' + '+ - v0.1.1\n' + '+credits:\n' + '+- contact:\n' + '+ - mailto:foo@bar.com\n' + '+ name: Foo bar\n' + ' database_specific:\n' + '- specific: 1337\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '\\ No newline at end of file\n' + '+ specific: 1337.0\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-123\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+severity:\n' + '+- score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\n' + '+ type: CVSS_V3\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt new file mode 100644 index 00000000000..64d431543b5 --- /dev/null 
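Review bot: The expected diff captured in this fixture rewrites `database_specific.specific` from an integer to a float (the `'-    specific: 1337\n'` / `'+    specific: 1337.0\n'` pair near the end of the embedded OSV-123.yaml diff), so the update round-trip is changing the type of a value it should only be passing through. If this file is a golden snapshot of worker output, checking it in freezes that lossy conversion as expected behaviour, and any downstream consumer that compares or re-imports `database_specific` verbatim will see a spurious change on every update. It looks like a datastore/JSON number-handling artifact rather than an intended normalization; worth confirming before accepting the fixture, and if unintended, fixing the conversion in the worker and regenerating the file rather than keeping `1337.0` here.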
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_add_fix.txt @@ -0,0 +1,43 @@ +('diff --git a/OSV-124.yaml b/OSV-124.yaml\n' + 'index 4d2eede..8b6df18 100644\n' + '--- a/OSV-124.yaml\n' + '+++ b/OSV-124.yaml\n' + '@@ -1,20 +1,25 @@\n' + '-id: OSV-124\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: blah.com/package\n' + ' ecosystem: Go\n' + '+ name: blah.com/package\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + ' - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd\n' + '+ - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '+ - introduced: febfac1940086bc1f6d3dc33fda0a1d1ba336209\n' + '+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + ' versions:\n' + ' - branch-v0.1.1\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '+ - branch_1_cherrypick_regress\n' + '+ - v0.1.1\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-124\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt new file mode 100644 index 00000000000..8765ed63433 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_limit.txt 
@@ -0,0 +1,55 @@ +('diff --git a/OSV-128.yaml b/OSV-128.yaml\n' + 'index 9b928c1..e4b6aad 100644\n' + '--- a/OSV-128.yaml\n' + '+++ b/OSV-128.yaml\n' + '@@ -1,25 +1,33 @@\n' + '-id: OSV-128\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: grpcio\n' + ' ecosystem: PyPI\n' + '- versions:\n' + '- - branch-v0.1.1\n' + '+ name: grpcio\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + " - introduced: '0'\n" + ' - limit: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + '- - type: ECOSYSTEM\n' + '- events:\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ - events:\n' + ' - introduced: 1.13.0\n' + ' - limit: 1.14.2\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '+ type: ECOSYSTEM\n' + '+ versions:\n' + '+ - branch-v0.1.1\n' + '+ - 1.13.0\n' + '+ - 1.14.0\n' + '+ - 1.14.0rc1\n' + '+ - 1.14.0rc2\n' + '+ - 1.14.1\n' + '+ - 1.14.2rc1\n' + '+ - v0.1\n' + '+ - v0.1.1\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-128\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt new file mode 100644 index 00000000000..4c56c356353 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_diff_update_no_introduced.txt 
@@ -0,0 +1,45 @@ +('diff --git a/OSV-127.yaml b/OSV-127.yaml\n' + 'index a1a76f1..163c78a 100644\n' + '--- a/OSV-127.yaml\n' + '+++ b/OSV-127.yaml\n' + '@@ -1,21 +1,25 @@\n' + '-id: OSV-127\n' + '-summary: A vulnerability\n' + '-details: |\n' + '- Blah blah blah\n' + '- Blah\n' + '-references:\n' + '-- type: WEB\n' + '- url: https://ref.com/ref\n' + ' affected:\n' + ' - package:\n' + '- name: blah.com/package\n' + ' ecosystem: Go\n' + '- versions:\n' + '- - branch-v0.1.1\n' + '+ name: blah.com/package\n' + ' ranges:\n' + '- - type: GIT\n' + '- repo: https://osv-test/repo/url\n' + '- events:\n' + '+ - events:\n' + " - introduced: '0'\n" + ' - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735\n' + "-modified: '2020-01-01T00:00:00Z'\n" + '+ - fixed: b9b3fd4732695b83c3068b7b6a14bb372ec31f98\n' + '+ repo: https://osv-test/repo/url\n' + '+ type: GIT\n' + '+ versions:\n' + '+ - branch-v0.1.1\n' + '+ - branch_1_cherrypick_regress\n' + '+ - v0.1\n' + '+ - v0.1.1\n' + '+details: |\n' + '+ Blah blah blah\n' + '+ Blah\n' + '+id: OSV-127\n' + "+modified: '3000-01-01T00:00:00Z'\n" + '+references:\n' + '+- type: WEB\n' + '+ url: https://ref.com/ref\n' + '+summary: A vulnerability\n') \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt new file mode 100644 index 00000000000..a277e3adbe1 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_dont_index_too_many_git_versions.txt 
@@ -0,0 +1,5067 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'last_affected', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '00000', + '00001', + '00002', + '00003', + '00004', + '00005', + '00006', + '00007', + '00008', + '00009', + '00010', + '00011', + '00012', + '00013', + '00014', + '00015', + '00016', + '00017', + '00018', + '00019', + '00020', + '00021', + '00022', + '00023', + '00024', + '00025', + '00026', + '00027', + '00028', + '00029', + '00030', + '00031', + '00032', + '00033', + '00034', + '00035', + '00036', + '00037', + '00038', + '00039', + '00040', + '00041', + '00042', + '00043', + '00044', + '00045', + '00046', + '00047', + '00048', + '00049', + '00050', + '00051', + '00052', + '00053', + '00054', + '00055', + '00056', + '00057', + '00058', + '00059', + '00060', + '00061', + '00062', + '00063', + '00064', + '00065', + '00066', + '00067', + '00068', + '00069', + '00070', + '00071', + '00072', + '00073', + '00074', + '00075', + '00076', + '00077', + '00078', + '00079', + '00080', + '00081', + '00082', + '00083', + '00084', + '00085', + '00086', + '00087', + '00088', + '00089', + '00090', + '00091', + '00092', + '00093', + '00094', + '00095', + '00096', + '00097', + '00098', + '00099', + '00100', + '00101', + '00102', + '00103', + '00104', + '00105', + '00106', + '00107', + '00108', + '00109', + '00110', + '00111', + '00112', + '00113', + '00114', + '00115', + '00116', + '00117', + '00118', + '00119', + '00120', + '00121', + '00122', + '00123', + '00124', + '00125', + '00126', + '00127', + '00128', + '00129', + '00130', + 
'00131', + '00132', + '00133', + '00134', + '00135', + '00136', + '00137', + '00138', + '00139', + '00140', + '00141', + '00142', + '00143', + '00144', + '00145', + '00146', + '00147', + '00148', + '00149', + '00150', + '00151', + '00152', + '00153', + '00154', + '00155', + '00156', + '00157', + '00158', + '00159', + '00160', + '00161', + '00162', + '00163', + '00164', + '00165', + '00166', + '00167', + '00168', + '00169', + '00170', + '00171', + '00172', + '00173', + '00174', + '00175', + '00176', + '00177', + '00178', + '00179', + '00180', + '00181', + '00182', + '00183', + '00184', + '00185', + '00186', + '00187', + '00188', + '00189', + '00190', + '00191', + '00192', + '00193', + '00194', + '00195', + '00196', + '00197', + '00198', + '00199', + '00200', + '00201', + '00202', + '00203', + '00204', + '00205', + '00206', + '00207', + '00208', + '00209', + '00210', + '00211', + '00212', + '00213', + '00214', + '00215', + '00216', + '00217', + '00218', + '00219', + '00220', + '00221', + '00222', + '00223', + '00224', + '00225', + '00226', + '00227', + '00228', + '00229', + '00230', + '00231', + '00232', + '00233', + '00234', + '00235', + '00236', + '00237', + '00238', + '00239', + '00240', + '00241', + '00242', + '00243', + '00244', + '00245', + '00246', + '00247', + '00248', + '00249', + '00250', + '00251', + '00252', + '00253', + '00254', + '00255', + '00256', + '00257', + '00258', + '00259', + '00260', + '00261', + '00262', + '00263', + '00264', + '00265', + '00266', + '00267', + '00268', + '00269', + '00270', + '00271', + '00272', + '00273', + '00274', + '00275', + '00276', + '00277', + '00278', + '00279', + '00280', + '00281', + '00282', + '00283', + '00284', + '00285', + '00286', + '00287', + '00288', + '00289', + '00290', + '00291', + '00292', + '00293', + '00294', + '00295', + '00296', + '00297', + '00298', + '00299', + '00300', + '00301', + '00302', + '00303', + '00304', + '00305', + '00306', + '00307', + '00308', + '00309', + '00310', + '00311', + '00312', 
+ '00313', + '00314', + '00315', + '00316', + '00317', + '00318', + '00319', + '00320', + '00321', + '00322', + '00323', + '00324', + '00325', + '00326', + '00327', + '00328', + '00329', + '00330', + '00331', + '00332', + '00333', + '00334', + '00335', + '00336', + '00337', + '00338', + '00339', + '00340', + '00341', + '00342', + '00343', + '00344', + '00345', + '00346', + '00347', + '00348', + '00349', + '00350', + '00351', + '00352', + '00353', + '00354', + '00355', + '00356', + '00357', + '00358', + '00359', + '00360', + '00361', + '00362', + '00363', + '00364', + '00365', + '00366', + '00367', + '00368', + '00369', + '00370', + '00371', + '00372', + '00373', + '00374', + '00375', + '00376', + '00377', + '00378', + '00379', + '00380', + '00381', + '00382', + '00383', + '00384', + '00385', + '00386', + '00387', + '00388', + '00389', + '00390', + '00391', + '00392', + '00393', + '00394', + '00395', + '00396', + '00397', + '00398', + '00399', + '00400', + '00401', + '00402', + '00403', + '00404', + '00405', + '00406', + '00407', + '00408', + '00409', + '00410', + '00411', + '00412', + '00413', + '00414', + '00415', + '00416', + '00417', + '00418', + '00419', + '00420', + '00421', + '00422', + '00423', + '00424', + '00425', + '00426', + '00427', + '00428', + '00429', + '00430', + '00431', + '00432', + '00433', + '00434', + '00435', + '00436', + '00437', + '00438', + '00439', + '00440', + '00441', + '00442', + '00443', + '00444', + '00445', + '00446', + '00447', + '00448', + '00449', + '00450', + '00451', + '00452', + '00453', + '00454', + '00455', + '00456', + '00457', + '00458', + '00459', + '00460', + '00461', + '00462', + '00463', + '00464', + '00465', + '00466', + '00467', + '00468', + '00469', + '00470', + '00471', + '00472', + '00473', + '00474', + '00475', + '00476', + '00477', + '00478', + '00479', + '00480', + '00481', + '00482', + '00483', + '00484', + '00485', + '00486', + '00487', + '00488', + '00489', + '00490', + '00491', + '00492', + '00493', + 
'00494', + '00495', + '00496', + '00497', + '00498', + '00499', + '00500', + '00501', + '00502', + '00503', + '00504', + '00505', + '00506', + '00507', + '00508', + '00509', + '00510', + '00511', + '00512', + '00513', + '00514', + '00515', + '00516', + '00517', + '00518', + '00519', + '00520', + '00521', + '00522', + '00523', + '00524', + '00525', + '00526', + '00527', + '00528', + '00529', + '00530', + '00531', + '00532', + '00533', + '00534', + '00535', + '00536', + '00537', + '00538', + '00539', + '00540', + '00541', + '00542', + '00543', + '00544', + '00545', + '00546', + '00547', + '00548', + '00549', + '00550', + '00551', + '00552', + '00553', + '00554', + '00555', + '00556', + '00557', + '00558', + '00559', + '00560', + '00561', + '00562', + '00563', + '00564', + '00565', + '00566', + '00567', + '00568', + '00569', + '00570', + '00571', + '00572', + '00573', + '00574', + '00575', + '00576', + '00577', + '00578', + '00579', + '00580', + '00581', + '00582', + '00583', + '00584', + '00585', + '00586', + '00587', + '00588', + '00589', + '00590', + '00591', + '00592', + '00593', + '00594', + '00595', + '00596', + '00597', + '00598', + '00599', + '00600', + '00601', + '00602', + '00603', + '00604', + '00605', + '00606', + '00607', + '00608', + '00609', + '00610', + '00611', + '00612', + '00613', + '00614', + '00615', + '00616', + '00617', + '00618', + '00619', + '00620', + '00621', + '00622', + '00623', + '00624', + '00625', + '00626', + '00627', + '00628', + '00629', + '00630', + '00631', + '00632', + '00633', + '00634', + '00635', + '00636', + '00637', + '00638', + '00639', + '00640', + '00641', + '00642', + '00643', + '00644', + '00645', + '00646', + '00647', + '00648', + '00649', + '00650', + '00651', + '00652', + '00653', + '00654', + '00655', + '00656', + '00657', + '00658', + '00659', + '00660', + '00661', + '00662', + '00663', + '00664', + '00665', + '00666', + '00667', + '00668', + '00669', + '00670', + '00671', + '00672', + '00673', + '00674', + '00675', 
+ '00676', + '00677', + '00678', + '00679', + '00680', + '00681', + '00682', + '00683', + '00684', + '00685', + '00686', + '00687', + '00688', + '00689', + '00690', + '00691', + '00692', + '00693', + '00694', + '00695', + '00696', + '00697', + '00698', + '00699', + '00700', + '00701', + '00702', + '00703', + '00704', + '00705', + '00706', + '00707', + '00708', + '00709', + '00710', + '00711', + '00712', + '00713', + '00714', + '00715', + '00716', + '00717', + '00718', + '00719', + '00720', + '00721', + '00722', + '00723', + '00724', + '00725', + '00726', + '00727', + '00728', + '00729', + '00730', + '00731', + '00732', + '00733', + '00734', + '00735', + '00736', + '00737', + '00738', + '00739', + '00740', + '00741', + '00742', + '00743', + '00744', + '00745', + '00746', + '00747', + '00748', + '00749', + '00750', + '00751', + '00752', + '00753', + '00754', + '00755', + '00756', + '00757', + '00758', + '00759', + '00760', + '00761', + '00762', + '00763', + '00764', + '00765', + '00766', + '00767', + '00768', + '00769', + '00770', + '00771', + '00772', + '00773', + '00774', + '00775', + '00776', + '00777', + '00778', + '00779', + '00780', + '00781', + '00782', + '00783', + '00784', + '00785', + '00786', + '00787', + '00788', + '00789', + '00790', + '00791', + '00792', + '00793', + '00794', + '00795', + '00796', + '00797', + '00798', + '00799', + '00800', + '00801', + '00802', + '00803', + '00804', + '00805', + '00806', + '00807', + '00808', + '00809', + '00810', + '00811', + '00812', + '00813', + '00814', + '00815', + '00816', + '00817', + '00818', + '00819', + '00820', + '00821', + '00822', + '00823', + '00824', + '00825', + '00826', + '00827', + '00828', + '00829', + '00830', + '00831', + '00832', + '00833', + '00834', + '00835', + '00836', + '00837', + '00838', + '00839', + '00840', + '00841', + '00842', + '00843', + '00844', + '00845', + '00846', + '00847', + '00848', + '00849', + '00850', + '00851', + '00852', + '00853', + '00854', + '00855', + '00856', + 
'00857', + '00858', + '00859', + '00860', + '00861', + '00862', + '00863', + '00864', + '00865', + '00866', + '00867', + '00868', + '00869', + '00870', + '00871', + '00872', + '00873', + '00874', + '00875', + '00876', + '00877', + '00878', + '00879', + '00880', + '00881', + '00882', + '00883', + '00884', + '00885', + '00886', + '00887', + '00888', + '00889', + '00890', + '00891', + '00892', + '00893', + '00894', + '00895', + '00896', + '00897', + '00898', + '00899', + '00900', + '00901', + '00902', + '00903', + '00904', + '00905', + '00906', + '00907', + '00908', + '00909', + '00910', + '00911', + '00912', + '00913', + '00914', + '00915', + '00916', + '00917', + '00918', + '00919', + '00920', + '00921', + '00922', + '00923', + '00924', + '00925', + '00926', + '00927', + '00928', + '00929', + '00930', + '00931', + '00932', + '00933', + '00934', + '00935', + '00936', + '00937', + '00938', + '00939', + '00940', + '00941', + '00942', + '00943', + '00944', + '00945', + '00946', + '00947', + '00948', + '00949', + '00950', + '00951', + '00952', + '00953', + '00954', + '00955', + '00956', + '00957', + '00958', + '00959', + '00960', + '00961', + '00962', + '00963', + '00964', + '00965', + '00966', + '00967', + '00968', + '00969', + '00970', + '00971', + '00972', + '00973', + '00974', + '00975', + '00976', + '00977', + '00978', + '00979', + '00980', + '00981', + '00982', + '00983', + '00984', + '00985', + '00986', + '00987', + '00988', + '00989', + '00990', + '00991', + '00992', + '00993', + '00994', + '00995', + '00996', + '00997', + '00998', + '00999', + '01000', + '01001', + '01002', + '01003', + '01004', + '01005', + '01006', + '01007', + '01008', + '01009', + '01010', + '01011', + '01012', + '01013', + '01014', + '01015', + '01016', + '01017', + '01018', + '01019', + '01020', + '01021', + '01022', + '01023', + '01024', + '01025', + '01026', + '01027', + '01028', + '01029', + '01030', + '01031', + '01032', + '01033', + '01034', + '01035', + '01036', + '01037', + '01038', 
+ '01039', + '01040', + '01041', + '01042', + '01043', + '01044', + '01045', + '01046', + '01047', + '01048', + '01049', + '01050', + '01051', + '01052', + '01053', + '01054', + '01055', + '01056', + '01057', + '01058', + '01059', + '01060', + '01061', + '01062', + '01063', + '01064', + '01065', + '01066', + '01067', + '01068', + '01069', + '01070', + '01071', + '01072', + '01073', + '01074', + '01075', + '01076', + '01077', + '01078', + '01079', + '01080', + '01081', + '01082', + '01083', + '01084', + '01085', + '01086', + '01087', + '01088', + '01089', + '01090', + '01091', + '01092', + '01093', + '01094', + '01095', + '01096', + '01097', + '01098', + '01099', + '01100', + '01101', + '01102', + '01103', + '01104', + '01105', + '01106', + '01107', + '01108', + '01109', + '01110', + '01111', + '01112', + '01113', + '01114', + '01115', + '01116', + '01117', + '01118', + '01119', + '01120', + '01121', + '01122', + '01123', + '01124', + '01125', + '01126', + '01127', + '01128', + '01129', + '01130', + '01131', + '01132', + '01133', + '01134', + '01135', + '01136', + '01137', + '01138', + '01139', + '01140', + '01141', + '01142', + '01143', + '01144', + '01145', + '01146', + '01147', + '01148', + '01149', + '01150', + '01151', + '01152', + '01153', + '01154', + '01155', + '01156', + '01157', + '01158', + '01159', + '01160', + '01161', + '01162', + '01163', + '01164', + '01165', + '01166', + '01167', + '01168', + '01169', + '01170', + '01171', + '01172', + '01173', + '01174', + '01175', + '01176', + '01177', + '01178', + '01179', + '01180', + '01181', + '01182', + '01183', + '01184', + '01185', + '01186', + '01187', + '01188', + '01189', + '01190', + '01191', + '01192', + '01193', + '01194', + '01195', + '01196', + '01197', + '01198', + '01199', + '01200', + '01201', + '01202', + '01203', + '01204', + '01205', + '01206', + '01207', + '01208', + '01209', + '01210', + '01211', + '01212', + '01213', + '01214', + '01215', + '01216', + '01217', + '01218', + '01219', + 
'01220', + '01221', + '01222', + '01223', + '01224', + '01225', + '01226', + '01227', + '01228', + '01229', + '01230', + '01231', + '01232', + '01233', + '01234', + '01235', + '01236', + '01237', + '01238', + '01239', + '01240', + '01241', + '01242', + '01243', + '01244', + '01245', + '01246', + '01247', + '01248', + '01249', + '01250', + '01251', + '01252', + '01253', + '01254', + '01255', + '01256', + '01257', + '01258', + '01259', + '01260', + '01261', + '01262', + '01263', + '01264', + '01265', + '01266', + '01267', + '01268', + '01269', + '01270', + '01271', + '01272', + '01273', + '01274', + '01275', + '01276', + '01277', + '01278', + '01279', + '01280', + '01281', + '01282', + '01283', + '01284', + '01285', + '01286', + '01287', + '01288', + '01289', + '01290', + '01291', + '01292', + '01293', + '01294', + '01295', + '01296', + '01297', + '01298', + '01299', + '01300', + '01301', + '01302', + '01303', + '01304', + '01305', + '01306', + '01307', + '01308', + '01309', + '01310', + '01311', + '01312', + '01313', + '01314', + '01315', + '01316', + '01317', + '01318', + '01319', + '01320', + '01321', + '01322', + '01323', + '01324', + '01325', + '01326', + '01327', + '01328', + '01329', + '01330', + '01331', + '01332', + '01333', + '01334', + '01335', + '01336', + '01337', + '01338', + '01339', + '01340', + '01341', + '01342', + '01343', + '01344', + '01345', + '01346', + '01347', + '01348', + '01349', + '01350', + '01351', + '01352', + '01353', + '01354', + '01355', + '01356', + '01357', + '01358', + '01359', + '01360', + '01361', + '01362', + '01363', + '01364', + '01365', + '01366', + '01367', + '01368', + '01369', + '01370', + '01371', + '01372', + '01373', + '01374', + '01375', + '01376', + '01377', + '01378', + '01379', + '01380', + '01381', + '01382', + '01383', + '01384', + '01385', + '01386', + '01387', + '01388', + '01389', + '01390', + '01391', + '01392', + '01393', + '01394', + '01395', + '01396', + '01397', + '01398', + '01399', + '01400', + '01401', 
+ '01402', + '01403', + '01404', + '01405', + '01406', + '01407', + '01408', + '01409', + '01410', + '01411', + '01412', + '01413', + '01414', + '01415', + '01416', + '01417', + '01418', + '01419', + '01420', + '01421', + '01422', + '01423', + '01424', + '01425', + '01426', + '01427', + '01428', + '01429', + '01430', + '01431', + '01432', + '01433', + '01434', + '01435', + '01436', + '01437', + '01438', + '01439', + '01440', + '01441', + '01442', + '01443', + '01444', + '01445', + '01446', + '01447', + '01448', + '01449', + '01450', + '01451', + '01452', + '01453', + '01454', + '01455', + '01456', + '01457', + '01458', + '01459', + '01460', + '01461', + '01462', + '01463', + '01464', + '01465', + '01466', + '01467', + '01468', + '01469', + '01470', + '01471', + '01472', + '01473', + '01474', + '01475', + '01476', + '01477', + '01478', + '01479', + '01480', + '01481', + '01482', + '01483', + '01484', + '01485', + '01486', + '01487', + '01488', + '01489', + '01490', + '01491', + '01492', + '01493', + '01494', + '01495', + '01496', + '01497', + '01498', + '01499', + '01500', + '01501', + '01502', + '01503', + '01504', + '01505', + '01506', + '01507', + '01508', + '01509', + '01510', + '01511', + '01512', + '01513', + '01514', + '01515', + '01516', + '01517', + '01518', + '01519', + '01520', + '01521', + '01522', + '01523', + '01524', + '01525', + '01526', + '01527', + '01528', + '01529', + '01530', + '01531', + '01532', + '01533', + '01534', + '01535', + '01536', + '01537', + '01538', + '01539', + '01540', + '01541', + '01542', + '01543', + '01544', + '01545', + '01546', + '01547', + '01548', + '01549', + '01550', + '01551', + '01552', + '01553', + '01554', + '01555', + '01556', + '01557', + '01558', + '01559', + '01560', + '01561', + '01562', + '01563', + '01564', + '01565', + '01566', + '01567', + '01568', + '01569', + '01570', + '01571', + '01572', + '01573', + '01574', + '01575', + '01576', + '01577', + '01578', + '01579', + '01580', + '01581', + '01582', + 
'01583', + '01584', + '01585', + '01586', + '01587', + '01588', + '01589', + '01590', + '01591', + '01592', + '01593', + '01594', + '01595', + '01596', + '01597', + '01598', + '01599', + '01600', + '01601', + '01602', + '01603', + '01604', + '01605', + '01606', + '01607', + '01608', + '01609', + '01610', + '01611', + '01612', + '01613', + '01614', + '01615', + '01616', + '01617', + '01618', + '01619', + '01620', + '01621', + '01622', + '01623', + '01624', + '01625', + '01626', + '01627', + '01628', + '01629', + '01630', + '01631', + '01632', + '01633', + '01634', + '01635', + '01636', + '01637', + '01638', + '01639', + '01640', + '01641', + '01642', + '01643', + '01644', + '01645', + '01646', + '01647', + '01648', + '01649', + '01650', + '01651', + '01652', + '01653', + '01654', + '01655', + '01656', + '01657', + '01658', + '01659', + '01660', + '01661', + '01662', + '01663', + '01664', + '01665', + '01666', + '01667', + '01668', + '01669', + '01670', + '01671', + '01672', + '01673', + '01674', + '01675', + '01676', + '01677', + '01678', + '01679', + '01680', + '01681', + '01682', + '01683', + '01684', + '01685', + '01686', + '01687', + '01688', + '01689', + '01690', + '01691', + '01692', + '01693', + '01694', + '01695', + '01696', + '01697', + '01698', + '01699', + '01700', + '01701', + '01702', + '01703', + '01704', + '01705', + '01706', + '01707', + '01708', + '01709', + '01710', + '01711', + '01712', + '01713', + '01714', + '01715', + '01716', + '01717', + '01718', + '01719', + '01720', + '01721', + '01722', + '01723', + '01724', + '01725', + '01726', + '01727', + '01728', + '01729', + '01730', + '01731', + '01732', + '01733', + '01734', + '01735', + '01736', + '01737', + '01738', + '01739', + '01740', + '01741', + '01742', + '01743', + '01744', + '01745', + '01746', + '01747', + '01748', + '01749', + '01750', + '01751', + '01752', + '01753', + '01754', + '01755', + '01756', + '01757', + '01758', + '01759', + '01760', + '01761', + '01762', + '01763', + '01764', 
+ '01765', + '01766', + '01767', + '01768', + '01769', + '01770', + '01771', + '01772', + '01773', + '01774', + '01775', + '01776', + '01777', + '01778', + '01779', + '01780', + '01781', + '01782', + '01783', + '01784', + '01785', + '01786', + '01787', + '01788', + '01789', + '01790', + '01791', + '01792', + '01793', + '01794', + '01795', + '01796', + '01797', + '01798', + '01799', + '01800', + '01801', + '01802', + '01803', + '01804', + '01805', + '01806', + '01807', + '01808', + '01809', + '01810', + '01811', + '01812', + '01813', + '01814', + '01815', + '01816', + '01817', + '01818', + '01819', + '01820', + '01821', + '01822', + '01823', + '01824', + '01825', + '01826', + '01827', + '01828', + '01829', + '01830', + '01831', + '01832', + '01833', + '01834', + '01835', + '01836', + '01837', + '01838', + '01839', + '01840', + '01841', + '01842', + '01843', + '01844', + '01845', + '01846', + '01847', + '01848', + '01849', + '01850', + '01851', + '01852', + '01853', + '01854', + '01855', + '01856', + '01857', + '01858', + '01859', + '01860', + '01861', + '01862', + '01863', + '01864', + '01865', + '01866', + '01867', + '01868', + '01869', + '01870', + '01871', + '01872', + '01873', + '01874', + '01875', + '01876', + '01877', + '01878', + '01879', + '01880', + '01881', + '01882', + '01883', + '01884', + '01885', + '01886', + '01887', + '01888', + '01889', + '01890', + '01891', + '01892', + '01893', + '01894', + '01895', + '01896', + '01897', + '01898', + '01899', + '01900', + '01901', + '01902', + '01903', + '01904', + '01905', + '01906', + '01907', + '01908', + '01909', + '01910', + '01911', + '01912', + '01913', + '01914', + '01915', + '01916', + '01917', + '01918', + '01919', + '01920', + '01921', + '01922', + '01923', + '01924', + '01925', + '01926', + '01927', + '01928', + '01929', + '01930', + '01931', + '01932', + '01933', + '01934', + '01935', + '01936', + '01937', + '01938', + '01939', + '01940', + '01941', + '01942', + '01943', + '01944', + '01945', + 
'01946', + '01947', + '01948', + '01949', + '01950', + '01951', + '01952', + '01953', + '01954', + '01955', + '01956', + '01957', + '01958', + '01959', + '01960', + '01961', + '01962', + '01963', + '01964', + '01965', + '01966', + '01967', + '01968', + '01969', + '01970', + '01971', + '01972', + '01973', + '01974', + '01975', + '01976', + '01977', + '01978', + '01979', + '01980', + '01981', + '01982', + '01983', + '01984', + '01985', + '01986', + '01987', + '01988', + '01989', + '01990', + '01991', + '01992', + '01993', + '01994', + '01995', + '01996', + '01997', + '01998', + '01999', + '02000', + '02001', + '02002', + '02003', + '02004', + '02005', + '02006', + '02007', + '02008', + '02009', + '02010', + '02011', + '02012', + '02013', + '02014', + '02015', + '02016', + '02017', + '02018', + '02019', + '02020', + '02021', + '02022', + '02023', + '02024', + '02025', + '02026', + '02027', + '02028', + '02029', + '02030', + '02031', + '02032', + '02033', + '02034', + '02035', + '02036', + '02037', + '02038', + '02039', + '02040', + '02041', + '02042', + '02043', + '02044', + '02045', + '02046', + '02047', + '02048', + '02049', + '02050', + '02051', + '02052', + '02053', + '02054', + '02055', + '02056', + '02057', + '02058', + '02059', + '02060', + '02061', + '02062', + '02063', + '02064', + '02065', + '02066', + '02067', + '02068', + '02069', + '02070', + '02071', + '02072', + '02073', + '02074', + '02075', + '02076', + '02077', + '02078', + '02079', + '02080', + '02081', + '02082', + '02083', + '02084', + '02085', + '02086', + '02087', + '02088', + '02089', + '02090', + '02091', + '02092', + '02093', + '02094', + '02095', + '02096', + '02097', + '02098', + '02099', + '02100', + '02101', + '02102', + '02103', + '02104', + '02105', + '02106', + '02107', + '02108', + '02109', + '02110', + '02111', + '02112', + '02113', + '02114', + '02115', + '02116', + '02117', + '02118', + '02119', + '02120', + '02121', + '02122', + '02123', + '02124', + '02125', + '02126', + '02127', 
+ '02128', + '02129', + '02130', + '02131', + '02132', + '02133', + '02134', + '02135', + '02136', + '02137', + '02138', + '02139', + '02140', + '02141', + '02142', + '02143', + '02144', + '02145', + '02146', + '02147', + '02148', + '02149', + '02150', + '02151', + '02152', + '02153', + '02154', + '02155', + '02156', + '02157', + '02158', + '02159', + '02160', + '02161', + '02162', + '02163', + '02164', + '02165', + '02166', + '02167', + '02168', + '02169', + '02170', + '02171', + '02172', + '02173', + '02174', + '02175', + '02176', + '02177', + '02178', + '02179', + '02180', + '02181', + '02182', + '02183', + '02184', + '02185', + '02186', + '02187', + '02188', + '02189', + '02190', + '02191', + '02192', + '02193', + '02194', + '02195', + '02196', + '02197', + '02198', + '02199', + '02200', + '02201', + '02202', + '02203', + '02204', + '02205', + '02206', + '02207', + '02208', + '02209', + '02210', + '02211', + '02212', + '02213', + '02214', + '02215', + '02216', + '02217', + '02218', + '02219', + '02220', + '02221', + '02222', + '02223', + '02224', + '02225', + '02226', + '02227', + '02228', + '02229', + '02230', + '02231', + '02232', + '02233', + '02234', + '02235', + '02236', + '02237', + '02238', + '02239', + '02240', + '02241', + '02242', + '02243', + '02244', + '02245', + '02246', + '02247', + '02248', + '02249', + '02250', + '02251', + '02252', + '02253', + '02254', + '02255', + '02256', + '02257', + '02258', + '02259', + '02260', + '02261', + '02262', + '02263', + '02264', + '02265', + '02266', + '02267', + '02268', + '02269', + '02270', + '02271', + '02272', + '02273', + '02274', + '02275', + '02276', + '02277', + '02278', + '02279', + '02280', + '02281', + '02282', + '02283', + '02284', + '02285', + '02286', + '02287', + '02288', + '02289', + '02290', + '02291', + '02292', + '02293', + '02294', + '02295', + '02296', + '02297', + '02298', + '02299', + '02300', + '02301', + '02302', + '02303', + '02304', + '02305', + '02306', + '02307', + '02308', + 
'02309', + '02310', + '02311', + '02312', + '02313', + '02314', + '02315', + '02316', + '02317', + '02318', + '02319', + '02320', + '02321', + '02322', + '02323', + '02324', + '02325', + '02326', + '02327', + '02328', + '02329', + '02330', + '02331', + '02332', + '02333', + '02334', + '02335', + '02336', + '02337', + '02338', + '02339', + '02340', + '02341', + '02342', + '02343', + '02344', + '02345', + '02346', + '02347', + '02348', + '02349', + '02350', + '02351', + '02352', + '02353', + '02354', + '02355', + '02356', + '02357', + '02358', + '02359', + '02360', + '02361', + '02362', + '02363', + '02364', + '02365', + '02366', + '02367', + '02368', + '02369', + '02370', + '02371', + '02372', + '02373', + '02374', + '02375', + '02376', + '02377', + '02378', + '02379', + '02380', + '02381', + '02382', + '02383', + '02384', + '02385', + '02386', + '02387', + '02388', + '02389', + '02390', + '02391', + '02392', + '02393', + '02394', + '02395', + '02396', + '02397', + '02398', + '02399', + '02400', + '02401', + '02402', + '02403', + '02404', + '02405', + '02406', + '02407', + '02408', + '02409', + '02410', + '02411', + '02412', + '02413', + '02414', + '02415', + '02416', + '02417', + '02418', + '02419', + '02420', + '02421', + '02422', + '02423', + '02424', + '02425', + '02426', + '02427', + '02428', + '02429', + '02430', + '02431', + '02432', + '02433', + '02434', + '02435', + '02436', + '02437', + '02438', + '02439', + '02440', + '02441', + '02442', + '02443', + '02444', + '02445', + '02446', + '02447', + '02448', + '02449', + '02450', + '02451', + '02452', + '02453', + '02454', + '02455', + '02456', + '02457', + '02458', + '02459', + '02460', + '02461', + '02462', + '02463', + '02464', + '02465', + '02466', + '02467', + '02468', + '02469', + '02470', + '02471', + '02472', + '02473', + '02474', + '02475', + '02476', + '02477', + '02478', + '02479', + '02480', + '02481', + '02482', + '02483', + '02484', + '02485', + '02486', + '02487', + '02488', + '02489', + '02490', 
+ '02491', + '02492', + '02493', + '02494', + '02495', + '02496', + '02497', + '02498', + '02499', + '02500', + '02501', + '02502', + '02503', + '02504', + '02505', + '02506', + '02507', + '02508', + '02509', + '02510', + '02511', + '02512', + '02513', + '02514', + '02515', + '02516', + '02517', + '02518', + '02519', + '02520', + '02521', + '02522', + '02523', + '02524', + '02525', + '02526', + '02527', + '02528', + '02529', + '02530', + '02531', + '02532', + '02533', + '02534', + '02535', + '02536', + '02537', + '02538', + '02539', + '02540', + '02541', + '02542', + '02543', + '02544', + '02545', + '02546', + '02547', + '02548', + '02549', + '02550', + '02551', + '02552', + '02553', + '02554', + '02555', + '02556', + '02557', + '02558', + '02559', + '02560', + '02561', + '02562', + '02563', + '02564', + '02565', + '02566', + '02567', + '02568', + '02569', + '02570', + '02571', + '02572', + '02573', + '02574', + '02575', + '02576', + '02577', + '02578', + '02579', + '02580', + '02581', + '02582', + '02583', + '02584', + '02585', + '02586', + '02587', + '02588', + '02589', + '02590', + '02591', + '02592', + '02593', + '02594', + '02595', + '02596', + '02597', + '02598', + '02599', + '02600', + '02601', + '02602', + '02603', + '02604', + '02605', + '02606', + '02607', + '02608', + '02609', + '02610', + '02611', + '02612', + '02613', + '02614', + '02615', + '02616', + '02617', + '02618', + '02619', + '02620', + '02621', + '02622', + '02623', + '02624', + '02625', + '02626', + '02627', + '02628', + '02629', + '02630', + '02631', + '02632', + '02633', + '02634', + '02635', + '02636', + '02637', + '02638', + '02639', + '02640', + '02641', + '02642', + '02643', + '02644', + '02645', + '02646', + '02647', + '02648', + '02649', + '02650', + '02651', + '02652', + '02653', + '02654', + '02655', + '02656', + '02657', + '02658', + '02659', + '02660', + '02661', + '02662', + '02663', + '02664', + '02665', + '02666', + '02667', + '02668', + '02669', + '02670', + '02671', + 
'02672', + '02673', + '02674', + '02675', + '02676', + '02677', + '02678', + '02679', + '02680', + '02681', + '02682', + '02683', + '02684', + '02685', + '02686', + '02687', + '02688', + '02689', + '02690', + '02691', + '02692', + '02693', + '02694', + '02695', + '02696', + '02697', + '02698', + '02699', + '02700', + '02701', + '02702', + '02703', + '02704', + '02705', + '02706', + '02707', + '02708', + '02709', + '02710', + '02711', + '02712', + '02713', + '02714', + '02715', + '02716', + '02717', + '02718', + '02719', + '02720', + '02721', + '02722', + '02723', + '02724', + '02725', + '02726', + '02727', + '02728', + '02729', + '02730', + '02731', + '02732', + '02733', + '02734', + '02735', + '02736', + '02737', + '02738', + '02739', + '02740', + '02741', + '02742', + '02743', + '02744', + '02745', + '02746', + '02747', + '02748', + '02749', + '02750', + '02751', + '02752', + '02753', + '02754', + '02755', + '02756', + '02757', + '02758', + '02759', + '02760', + '02761', + '02762', + '02763', + '02764', + '02765', + '02766', + '02767', + '02768', + '02769', + '02770', + '02771', + '02772', + '02773', + '02774', + '02775', + '02776', + '02777', + '02778', + '02779', + '02780', + '02781', + '02782', + '02783', + '02784', + '02785', + '02786', + '02787', + '02788', + '02789', + '02790', + '02791', + '02792', + '02793', + '02794', + '02795', + '02796', + '02797', + '02798', + '02799', + '02800', + '02801', + '02802', + '02803', + '02804', + '02805', + '02806', + '02807', + '02808', + '02809', + '02810', + '02811', + '02812', + '02813', + '02814', + '02815', + '02816', + '02817', + '02818', + '02819', + '02820', + '02821', + '02822', + '02823', + '02824', + '02825', + '02826', + '02827', + '02828', + '02829', + '02830', + '02831', + '02832', + '02833', + '02834', + '02835', + '02836', + '02837', + '02838', + '02839', + '02840', + '02841', + '02842', + '02843', + '02844', + '02845', + '02846', + '02847', + '02848', + '02849', + '02850', + '02851', + '02852', + '02853', 
+ '02854', + '02855', + '02856', + '02857', + '02858', + '02859', + '02860', + '02861', + '02862', + '02863', + '02864', + '02865', + '02866', + '02867', + '02868', + '02869', + '02870', + '02871', + '02872', + '02873', + '02874', + '02875', + '02876', + '02877', + '02878', + '02879', + '02880', + '02881', + '02882', + '02883', + '02884', + '02885', + '02886', + '02887', + '02888', + '02889', + '02890', + '02891', + '02892', + '02893', + '02894', + '02895', + '02896', + '02897', + '02898', + '02899', + '02900', + '02901', + '02902', + '02903', + '02904', + '02905', + '02906', + '02907', + '02908', + '02909', + '02910', + '02911', + '02912', + '02913', + '02914', + '02915', + '02916', + '02917', + '02918', + '02919', + '02920', + '02921', + '02922', + '02923', + '02924', + '02925', + '02926', + '02927', + '02928', + '02929', + '02930', + '02931', + '02932', + '02933', + '02934', + '02935', + '02936', + '02937', + '02938', + '02939', + '02940', + '02941', + '02942', + '02943', + '02944', + '02945', + '02946', + '02947', + '02948', + '02949', + '02950', + '02951', + '02952', + '02953', + '02954', + '02955', + '02956', + '02957', + '02958', + '02959', + '02960', + '02961', + '02962', + '02963', + '02964', + '02965', + '02966', + '02967', + '02968', + '02969', + '02970', + '02971', + '02972', + '02973', + '02974', + '02975', + '02976', + '02977', + '02978', + '02979', + '02980', + '02981', + '02982', + '02983', + '02984', + '02985', + '02986', + '02987', + '02988', + '02989', + '02990', + '02991', + '02992', + '02993', + '02994', + '02995', + '02996', + '02997', + '02998', + '02999', + '03000', + '03001', + '03002', + '03003', + '03004', + '03005', + '03006', + '03007', + '03008', + '03009', + '03010', + '03011', + '03012', + '03013', + '03014', + '03015', + '03016', + '03017', + '03018', + '03019', + '03020', + '03021', + '03022', + '03023', + '03024', + '03025', + '03026', + '03027', + '03028', + '03029', + '03030', + '03031', + '03032', + '03033', + '03034', + 
'03035', + '03036', + '03037', + '03038', + '03039', + '03040', + '03041', + '03042', + '03043', + '03044', + '03045', + '03046', + '03047', + '03048', + '03049', + '03050', + '03051', + '03052', + '03053', + '03054', + '03055', + '03056', + '03057', + '03058', + '03059', + '03060', + '03061', + '03062', + '03063', + '03064', + '03065', + '03066', + '03067', + '03068', + '03069', + '03070', + '03071', + '03072', + '03073', + '03074', + '03075', + '03076', + '03077', + '03078', + '03079', + '03080', + '03081', + '03082', + '03083', + '03084', + '03085', + '03086', + '03087', + '03088', + '03089', + '03090', + '03091', + '03092', + '03093', + '03094', + '03095', + '03096', + '03097', + '03098', + '03099', + '03100', + '03101', + '03102', + '03103', + '03104', + '03105', + '03106', + '03107', + '03108', + '03109', + '03110', + '03111', + '03112', + '03113', + '03114', + '03115', + '03116', + '03117', + '03118', + '03119', + '03120', + '03121', + '03122', + '03123', + '03124', + '03125', + '03126', + '03127', + '03128', + '03129', + '03130', + '03131', + '03132', + '03133', + '03134', + '03135', + '03136', + '03137', + '03138', + '03139', + '03140', + '03141', + '03142', + '03143', + '03144', + '03145', + '03146', + '03147', + '03148', + '03149', + '03150', + '03151', + '03152', + '03153', + '03154', + '03155', + '03156', + '03157', + '03158', + '03159', + '03160', + '03161', + '03162', + '03163', + '03164', + '03165', + '03166', + '03167', + '03168', + '03169', + '03170', + '03171', + '03172', + '03173', + '03174', + '03175', + '03176', + '03177', + '03178', + '03179', + '03180', + '03181', + '03182', + '03183', + '03184', + '03185', + '03186', + '03187', + '03188', + '03189', + '03190', + '03191', + '03192', + '03193', + '03194', + '03195', + '03196', + '03197', + '03198', + '03199', + '03200', + '03201', + '03202', + '03203', + '03204', + '03205', + '03206', + '03207', + '03208', + '03209', + '03210', + '03211', + '03212', + '03213', + '03214', + '03215', + '03216', 
+ '03217', + '03218', + '03219', + '03220', + '03221', + '03222', + '03223', + '03224', + '03225', + '03226', + '03227', + '03228', + '03229', + '03230', + '03231', + '03232', + '03233', + '03234', + '03235', + '03236', + '03237', + '03238', + '03239', + '03240', + '03241', + '03242', + '03243', + '03244', + '03245', + '03246', + '03247', + '03248', + '03249', + '03250', + '03251', + '03252', + '03253', + '03254', + '03255', + '03256', + '03257', + '03258', + '03259', + '03260', + '03261', + '03262', + '03263', + '03264', + '03265', + '03266', + '03267', + '03268', + '03269', + '03270', + '03271', + '03272', + '03273', + '03274', + '03275', + '03276', + '03277', + '03278', + '03279', + '03280', + '03281', + '03282', + '03283', + '03284', + '03285', + '03286', + '03287', + '03288', + '03289', + '03290', + '03291', + '03292', + '03293', + '03294', + '03295', + '03296', + '03297', + '03298', + '03299', + '03300', + '03301', + '03302', + '03303', + '03304', + '03305', + '03306', + '03307', + '03308', + '03309', + '03310', + '03311', + '03312', + '03313', + '03314', + '03315', + '03316', + '03317', + '03318', + '03319', + '03320', + '03321', + '03322', + '03323', + '03324', + '03325', + '03326', + '03327', + '03328', + '03329', + '03330', + '03331', + '03332', + '03333', + '03334', + '03335', + '03336', + '03337', + '03338', + '03339', + '03340', + '03341', + '03342', + '03343', + '03344', + '03345', + '03346', + '03347', + '03348', + '03349', + '03350', + '03351', + '03352', + '03353', + '03354', + '03355', + '03356', + '03357', + '03358', + '03359', + '03360', + '03361', + '03362', + '03363', + '03364', + '03365', + '03366', + '03367', + '03368', + '03369', + '03370', + '03371', + '03372', + '03373', + '03374', + '03375', + '03376', + '03377', + '03378', + '03379', + '03380', + '03381', + '03382', + '03383', + '03384', + '03385', + '03386', + '03387', + '03388', + '03389', + '03390', + '03391', + '03392', + '03393', + '03394', + '03395', + '03396', + '03397', + 
'03398', + '03399', + '03400', + '03401', + '03402', + '03403', + '03404', + '03405', + '03406', + '03407', + '03408', + '03409', + '03410', + '03411', + '03412', + '03413', + '03414', + '03415', + '03416', + '03417', + '03418', + '03419', + '03420', + '03421', + '03422', + '03423', + '03424', + '03425', + '03426', + '03427', + '03428', + '03429', + '03430', + '03431', + '03432', + '03433', + '03434', + '03435', + '03436', + '03437', + '03438', + '03439', + '03440', + '03441', + '03442', + '03443', + '03444', + '03445', + '03446', + '03447', + '03448', + '03449', + '03450', + '03451', + '03452', + '03453', + '03454', + '03455', + '03456', + '03457', + '03458', + '03459', + '03460', + '03461', + '03462', + '03463', + '03464', + '03465', + '03466', + '03467', + '03468', + '03469', + '03470', + '03471', + '03472', + '03473', + '03474', + '03475', + '03476', + '03477', + '03478', + '03479', + '03480', + '03481', + '03482', + '03483', + '03484', + '03485', + '03486', + '03487', + '03488', + '03489', + '03490', + '03491', + '03492', + '03493', + '03494', + '03495', + '03496', + '03497', + '03498', + '03499', + '03500', + '03501', + '03502', + '03503', + '03504', + '03505', + '03506', + '03507', + '03508', + '03509', + '03510', + '03511', + '03512', + '03513', + '03514', + '03515', + '03516', + '03517', + '03518', + '03519', + '03520', + '03521', + '03522', + '03523', + '03524', + '03525', + '03526', + '03527', + '03528', + '03529', + '03530', + '03531', + '03532', + '03533', + '03534', + '03535', + '03536', + '03537', + '03538', + '03539', + '03540', + '03541', + '03542', + '03543', + '03544', + '03545', + '03546', + '03547', + '03548', + '03549', + '03550', + '03551', + '03552', + '03553', + '03554', + '03555', + '03556', + '03557', + '03558', + '03559', + '03560', + '03561', + '03562', + '03563', + '03564', + '03565', + '03566', + '03567', + '03568', + '03569', + '03570', + '03571', + '03572', + '03573', + '03574', + '03575', + '03576', + '03577', + '03578', + '03579', 
+ '03580', + '03581', + '03582', + '03583', + '03584', + '03585', + '03586', + '03587', + '03588', + '03589', + '03590', + '03591', + '03592', + '03593', + '03594', + '03595', + '03596', + '03597', + '03598', + '03599', + '03600', + '03601', + '03602', + '03603', + '03604', + '03605', + '03606', + '03607', + '03608', + '03609', + '03610', + '03611', + '03612', + '03613', + '03614', + '03615', + '03616', + '03617', + '03618', + '03619', + '03620', + '03621', + '03622', + '03623', + '03624', + '03625', + '03626', + '03627', + '03628', + '03629', + '03630', + '03631', + '03632', + '03633', + '03634', + '03635', + '03636', + '03637', + '03638', + '03639', + '03640', + '03641', + '03642', + '03643', + '03644', + '03645', + '03646', + '03647', + '03648', + '03649', + '03650', + '03651', + '03652', + '03653', + '03654', + '03655', + '03656', + '03657', + '03658', + '03659', + '03660', + '03661', + '03662', + '03663', + '03664', + '03665', + '03666', + '03667', + '03668', + '03669', + '03670', + '03671', + '03672', + '03673', + '03674', + '03675', + '03676', + '03677', + '03678', + '03679', + '03680', + '03681', + '03682', + '03683', + '03684', + '03685', + '03686', + '03687', + '03688', + '03689', + '03690', + '03691', + '03692', + '03693', + '03694', + '03695', + '03696', + '03697', + '03698', + '03699', + '03700', + '03701', + '03702', + '03703', + '03704', + '03705', + '03706', + '03707', + '03708', + '03709', + '03710', + '03711', + '03712', + '03713', + '03714', + '03715', + '03716', + '03717', + '03718', + '03719', + '03720', + '03721', + '03722', + '03723', + '03724', + '03725', + '03726', + '03727', + '03728', + '03729', + '03730', + '03731', + '03732', + '03733', + '03734', + '03735', + '03736', + '03737', + '03738', + '03739', + '03740', + '03741', + '03742', + '03743', + '03744', + '03745', + '03746', + '03747', + '03748', + '03749', + '03750', + '03751', + '03752', + '03753', + '03754', + '03755', + '03756', + '03757', + '03758', + '03759', + '03760', + 
'03761', + '03762', + '03763', + '03764', + '03765', + '03766', + '03767', + '03768', + '03769', + '03770', + '03771', + '03772', + '03773', + '03774', + '03775', + '03776', + '03777', + '03778', + '03779', + '03780', + '03781', + '03782', + '03783', + '03784', + '03785', + '03786', + '03787', + '03788', + '03789', + '03790', + '03791', + '03792', + '03793', + '03794', + '03795', + '03796', + '03797', + '03798', + '03799', + '03800', + '03801', + '03802', + '03803', + '03804', + '03805', + '03806', + '03807', + '03808', + '03809', + '03810', + '03811', + '03812', + '03813', + '03814', + '03815', + '03816', + '03817', + '03818', + '03819', + '03820', + '03821', + '03822', + '03823', + '03824', + '03825', + '03826', + '03827', + '03828', + '03829', + '03830', + '03831', + '03832', + '03833', + '03834', + '03835', + '03836', + '03837', + '03838', + '03839', + '03840', + '03841', + '03842', + '03843', + '03844', + '03845', + '03846', + '03847', + '03848', + '03849', + '03850', + '03851', + '03852', + '03853', + '03854', + '03855', + '03856', + '03857', + '03858', + '03859', + '03860', + '03861', + '03862', + '03863', + '03864', + '03865', + '03866', + '03867', + '03868', + '03869', + '03870', + '03871', + '03872', + '03873', + '03874', + '03875', + '03876', + '03877', + '03878', + '03879', + '03880', + '03881', + '03882', + '03883', + '03884', + '03885', + '03886', + '03887', + '03888', + '03889', + '03890', + '03891', + '03892', + '03893', + '03894', + '03895', + '03896', + '03897', + '03898', + '03899', + '03900', + '03901', + '03902', + '03903', + '03904', + '03905', + '03906', + '03907', + '03908', + '03909', + '03910', + '03911', + '03912', + '03913', + '03914', + '03915', + '03916', + '03917', + '03918', + '03919', + '03920', + '03921', + '03922', + '03923', + '03924', + '03925', + '03926', + '03927', + '03928', + '03929', + '03930', + '03931', + '03932', + '03933', + '03934', + '03935', + '03936', + '03937', + '03938', + '03939', + '03940', + '03941', + '03942', 
+ '03943', + '03944', + '03945', + '03946', + '03947', + '03948', + '03949', + '03950', + '03951', + '03952', + '03953', + '03954', + '03955', + '03956', + '03957', + '03958', + '03959', + '03960', + '03961', + '03962', + '03963', + '03964', + '03965', + '03966', + '03967', + '03968', + '03969', + '03970', + '03971', + '03972', + '03973', + '03974', + '03975', + '03976', + '03977', + '03978', + '03979', + '03980', + '03981', + '03982', + '03983', + '03984', + '03985', + '03986', + '03987', + '03988', + '03989', + '03990', + '03991', + '03992', + '03993', + '03994', + '03995', + '03996', + '03997', + '03998', + '03999', + '04000', + '04001', + '04002', + '04003', + '04004', + '04005', + '04006', + '04007', + '04008', + '04009', + '04010', + '04011', + '04012', + '04013', + '04014', + '04015', + '04016', + '04017', + '04018', + '04019', + '04020', + '04021', + '04022', + '04023', + '04024', + '04025', + '04026', + '04027', + '04028', + '04029', + '04030', + '04031', + '04032', + '04033', + '04034', + '04035', + '04036', + '04037', + '04038', + '04039', + '04040', + '04041', + '04042', + '04043', + '04044', + '04045', + '04046', + '04047', + '04048', + '04049', + '04050', + '04051', + '04052', + '04053', + '04054', + '04055', + '04056', + '04057', + '04058', + '04059', + '04060', + '04061', + '04062', + '04063', + '04064', + '04065', + '04066', + '04067', + '04068', + '04069', + '04070', + '04071', + '04072', + '04073', + '04074', + '04075', + '04076', + '04077', + '04078', + '04079', + '04080', + '04081', + '04082', + '04083', + '04084', + '04085', + '04086', + '04087', + '04088', + '04089', + '04090', + '04091', + '04092', + '04093', + '04094', + '04095', + '04096', + '04097', + '04098', + '04099', + '04100', + '04101', + '04102', + '04103', + '04104', + '04105', + '04106', + '04107', + '04108', + '04109', + '04110', + '04111', + '04112', + '04113', + '04114', + '04115', + '04116', + '04117', + '04118', + '04119', + '04120', + '04121', + '04122', + '04123', + 
'04124', + '04125', + '04126', + '04127', + '04128', + '04129', + '04130', + '04131', + '04132', + '04133', + '04134', + '04135', + '04136', + '04137', + '04138', + '04139', + '04140', + '04141', + '04142', + '04143', + '04144', + '04145', + '04146', + '04147', + '04148', + '04149', + '04150', + '04151', + '04152', + '04153', + '04154', + '04155', + '04156', + '04157', + '04158', + '04159', + '04160', + '04161', + '04162', + '04163', + '04164', + '04165', + '04166', + '04167', + '04168', + '04169', + '04170', + '04171', + '04172', + '04173', + '04174', + '04175', + '04176', + '04177', + '04178', + '04179', + '04180', + '04181', + '04182', + '04183', + '04184', + '04185', + '04186', + '04187', + '04188', + '04189', + '04190', + '04191', + '04192', + '04193', + '04194', + '04195', + '04196', + '04197', + '04198', + '04199', + '04200', + '04201', + '04202', + '04203', + '04204', + '04205', + '04206', + '04207', + '04208', + '04209', + '04210', + '04211', + '04212', + '04213', + '04214', + '04215', + '04216', + '04217', + '04218', + '04219', + '04220', + '04221', + '04222', + '04223', + '04224', + '04225', + '04226', + '04227', + '04228', + '04229', + '04230', + '04231', + '04232', + '04233', + '04234', + '04235', + '04236', + '04237', + '04238', + '04239', + '04240', + '04241', + '04242', + '04243', + '04244', + '04245', + '04246', + '04247', + '04248', + '04249', + '04250', + '04251', + '04252', + '04253', + '04254', + '04255', + '04256', + '04257', + '04258', + '04259', + '04260', + '04261', + '04262', + '04263', + '04264', + '04265', + '04266', + '04267', + '04268', + '04269', + '04270', + '04271', + '04272', + '04273', + '04274', + '04275', + '04276', + '04277', + '04278', + '04279', + '04280', + '04281', + '04282', + '04283', + '04284', + '04285', + '04286', + '04287', + '04288', + '04289', + '04290', + '04291', + '04292', + '04293', + '04294', + '04295', + '04296', + '04297', + '04298', + '04299', + '04300', + '04301', + '04302', + '04303', + '04304', + '04305', 
+ '04306', + '04307', + '04308', + '04309', + '04310', + '04311', + '04312', + '04313', + '04314', + '04315', + '04316', + '04317', + '04318', + '04319', + '04320', + '04321', + '04322', + '04323', + '04324', + '04325', + '04326', + '04327', + '04328', + '04329', + '04330', + '04331', + '04332', + '04333', + '04334', + '04335', + '04336', + '04337', + '04338', + '04339', + '04340', + '04341', + '04342', + '04343', + '04344', + '04345', + '04346', + '04347', + '04348', + '04349', + '04350', + '04351', + '04352', + '04353', + '04354', + '04355', + '04356', + '04357', + '04358', + '04359', + '04360', + '04361', + '04362', + '04363', + '04364', + '04365', + '04366', + '04367', + '04368', + '04369', + '04370', + '04371', + '04372', + '04373', + '04374', + '04375', + '04376', + '04377', + '04378', + '04379', + '04380', + '04381', + '04382', + '04383', + '04384', + '04385', + '04386', + '04387', + '04388', + '04389', + '04390', + '04391', + '04392', + '04393', + '04394', + '04395', + '04396', + '04397', + '04398', + '04399', + '04400', + '04401', + '04402', + '04403', + '04404', + '04405', + '04406', + '04407', + '04408', + '04409', + '04410', + '04411', + '04412', + '04413', + '04414', + '04415', + '04416', + '04417', + '04418', + '04419', + '04420', + '04421', + '04422', + '04423', + '04424', + '04425', + '04426', + '04427', + '04428', + '04429', + '04430', + '04431', + '04432', + '04433', + '04434', + '04435', + '04436', + '04437', + '04438', + '04439', + '04440', + '04441', + '04442', + '04443', + '04444', + '04445', + '04446', + '04447', + '04448', + '04449', + '04450', + '04451', + '04452', + '04453', + '04454', + '04455', + '04456', + '04457', + '04458', + '04459', + '04460', + '04461', + '04462', + '04463', + '04464', + '04465', + '04466', + '04467', + '04468', + '04469', + '04470', + '04471', + '04472', + '04473', + '04474', + '04475', + '04476', + '04477', + '04478', + '04479', + '04480', + '04481', + '04482', + '04483', + '04484', + '04485', + '04486', + 
'04487', + '04488', + '04489', + '04490', + '04491', + '04492', + '04493', + '04494', + '04495', + '04496', + '04497', + '04498', + '04499', + '04500', + '04501', + '04502', + '04503', + '04504', + '04505', + '04506', + '04507', + '04508', + '04509', + '04510', + '04511', + '04512', + '04513', + '04514', + '04515', + '04516', + '04517', + '04518', + '04519', + '04520', + '04521', + '04522', + '04523', + '04524', + '04525', + '04526', + '04527', + '04528', + '04529', + '04530', + '04531', + '04532', + '04533', + '04534', + '04535', + '04536', + '04537', + '04538', + '04539', + '04540', + '04541', + '04542', + '04543', + '04544', + '04545', + '04546', + '04547', + '04548', + '04549', + '04550', + '04551', + '04552', + '04553', + '04554', + '04555', + '04556', + '04557', + '04558', + '04559', + '04560', + '04561', + '04562', + '04563', + '04564', + '04565', + '04566', + '04567', + '04568', + '04569', + '04570', + '04571', + '04572', + '04573', + '04574', + '04575', + '04576', + '04577', + '04578', + '04579', + '04580', + '04581', + '04582', + '04583', + '04584', + '04585', + '04586', + '04587', + '04588', + '04589', + '04590', + '04591', + '04592', + '04593', + '04594', + '04595', + '04596', + '04597', + '04598', + '04599', + '04600', + '04601', + '04602', + '04603', + '04604', + '04605', + '04606', + '04607', + '04608', + '04609', + '04610', + '04611', + '04612', + '04613', + '04614', + '04615', + '04616', + '04617', + '04618', + '04619', + '04620', + '04621', + '04622', + '04623', + '04624', + '04625', + '04626', + '04627', + '04628', + '04629', + '04630', + '04631', + '04632', + '04633', + '04634', + '04635', + '04636', + '04637', + '04638', + '04639', + '04640', + '04641', + '04642', + '04643', + '04644', + '04645', + '04646', + '04647', + '04648', + '04649', + '04650', + '04651', + '04652', + '04653', + '04654', + '04655', + '04656', + '04657', + '04658', + '04659', + '04660', + '04661', + '04662', + '04663', + '04664', + '04665', + '04666', + '04667', + '04668', 
+ '04669', + '04670', + '04671', + '04672', + '04673', + '04674', + '04675', + '04676', + '04677', + '04678', + '04679', + '04680', + '04681', + '04682', + '04683', + '04684', + '04685', + '04686', + '04687', + '04688', + '04689', + '04690', + '04691', + '04692', + '04693', + '04694', + '04695', + '04696', + '04697', + '04698', + '04699', + '04700', + '04701', + '04702', + '04703', + '04704', + '04705', + '04706', + '04707', + '04708', + '04709', + '04710', + '04711', + '04712', + '04713', + '04714', + '04715', + '04716', + '04717', + '04718', + '04719', + '04720', + '04721', + '04722', + '04723', + '04724', + '04725', + '04726', + '04727', + '04728', + '04729', + '04730', + '04731', + '04732', + '04733', + '04734', + '04735', + '04736', + '04737', + '04738', + '04739', + '04740', + '04741', + '04742', + '04743', + '04744', + '04745', + '04746', + '04747', + '04748', + '04749', + '04750', + '04751', + '04752', + '04753', + '04754', + '04755', + '04756', + '04757', + '04758', + '04759', + '04760', + '04761', + '04762', + '04763', + '04764', + '04765', + '04766', + '04767', + '04768', + '04769', + '04770', + '04771', + '04772', + '04773', + '04774', + '04775', + '04776', + '04777', + '04778', + '04779', + '04780', + '04781', + '04782', + '04783', + '04784', + '04785', + '04786', + '04787', + '04788', + '04789', + '04790', + '04791', + '04792', + '04793', + '04794', + '04795', + '04796', + '04797', + '04798', + '04799', + '04800', + '04801', + '04802', + '04803', + '04804', + '04805', + '04806', + '04807', + '04808', + '04809', + '04810', + '04811', + '04812', + '04813', + '04814', + '04815', + '04816', + '04817', + '04818', + '04819', + '04820', + '04821', + '04822', + '04823', + '04824', + '04825', + '04826', + '04827', + '04828', + '04829', + '04830', + '04831', + '04832', + '04833', + '04834', + '04835', + '04836', + '04837', + '04838', + '04839', + '04840', + '04841', + '04842', + '04843', + '04844', + '04845', + '04846', + '04847', + '04848', + '04849', + 
'04850', + '04851', + '04852', + '04853', + '04854', + '04855', + '04856', + '04857', + '04858', + '04859', + '04860', + '04861', + '04862', + '04863', + '04864', + '04865', + '04866', + '04867', + '04868', + '04869', + '04870', + '04871', + '04872', + '04873', + '04874', + '04875', + '04876', + '04877', + '04878', + '04879', + '04880', + '04881', + '04882', + '04883', + '04884', + '04885', + '04886', + '04887', + '04888', + '04889', + '04890', + '04891', + '04892', + '04893', + '04894', + '04895', + '04896', + '04897', + '04898', + '04899', + '04900', + '04901', + '04902', + '04903', + '04904', + '04905', + '04906', + '04907', + '04908', + '04909', + '04910', + '04911', + '04912', + '04913', + '04914', + '04915', + '04916', + '04917', + '04918', + '04919', + '04920', + '04921', + '04922', + '04923', + '04924', + '04925', + '04926', + '04927', + '04928', + '04929', + '04930', + '04931', + '04932', + '04933', + '04934', + '04935', + '04936', + '04937', + '04938', + '04939', + '04940', + '04941', + '04942', + '04943', + '04944', + '04945', + '04946', + '04947', + '04948', + '04949', + '04950', + '04951', + '04952', + '04953', + '04954', + '04955', + '04956', + '04957', + '04958', + '04959', + '04960', + '04961', + '04962', + '04963', + '04964', + '04965', + '04966', + '04967', + '04968', + '04969', + '04970', + '04971', + '04972', + '04973', + '04974', + '04975', + '04976', + '04977', + '04978', + '04979', + '04980', + '04981', + '04982', + '04983', + '04984', + '04985', + '04986', + '04987', + '04988', + '04989', + '04990', + '04991', + '04992', + '04993', + '04994', + '04995', + '04996', + '04997', + '04998', + '04999', + '05000']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-TEST-last-affected-01', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 
'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['https://osv-test/repo/url'], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '01', + 'affected', + 'affected-01', + 'git', + 'https', + 'https://osv-test/repo/url', + 'last', + 'last-affected', + 'last-affected-01', + 'osv', + 'osv-test', + 'osv-test-last', + 'osv-test-last-affected', + 'osv-test-last-affected-01', + 'osv-test/repo/url', + 'repo', + 'test', + 'test-last', + 'test-last-affected', + 'test-last-affected-01', + 'url'], + 'search_tags': ['https://osv-test/repo/url', 'osv-test-last-affected-01'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-TEST-last-affected-01.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt new file mode 100644 index 00000000000..f3b59017be9 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_last_affected_git.txt 
@@ -0,0 +1,66 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '0-2'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'last_affected', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': ['v0.1.1', 'v0.2']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-TEST-last-affected-01', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '01', + 'affected', + 'affected-01', + 'git', + 'https://osv-test/repo/url', + 'last', + 'last-affected', + 'last-affected-01', + 'osv', + 'osv-test', + 'osv-test-last', + 'osv-test-last-affected', + 'osv-test-last-affected-01', + 'osv-test/repo/url', + 'repo', + 'test', + 'test-last', + 'test-last-affected', + 'test-last-affected-01', + 'url'], + 'search_tags': ['osv-test-last-affected-01'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-TEST-last-affected-01.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt new file mode 100644 index 00000000000..db898e1515c --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi.txt 
@@ -0,0 +1,63 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'scrapy', + 'purl': 'pkg:pypi/scrapy'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.14.2'}, + { 'type': 'fixed', + 'value': '1.31.0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': []}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'PYSEC-456', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'PyPI'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['scrapy'], + 'public': True, + 'purl': ['pkg:pypi/scrapy'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '456', + 'git', + 'https://osv-test/repo/url', + 'osv-test/repo/url', + 'pypi', + 'pysec', + 'pysec-456', + 'repo', + 'scrapy', + 'url'], + 'search_tags': ['pysec-456', 'scrapy'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:PYSEC-456.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability in an unnormalized package', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt new file mode 100644 index 00000000000..d97673f2dc1 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt @@ -0,0 +1 @@ +[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-456", "summary": "A vulnerability in an unnormalized package", "details": "Blah blah blah\\nBlah\\n", "modified": "2022-10-07T18:59:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "scrapy", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": []}]}')] \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt new file mode 100644 index 00000000000..1180b274143 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_pypi_pubsub_calls.txt 
@@ -0,0 +1 @@ +[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-123", "summary": "A vulnerability", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "grpcio", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": ["1.14.2", "1.15.0", "1.15.0rc1", "1.16.0", "1.16.0rc1", "1.16.1", "1.17.0", "1.17.1", "1.18.0", "1.19.0", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.1", "1.21.0rc1", "1.21.1", "1.21.1rc1", "1.22.0", "1.22.0rc1", "1.22.1", "1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.1", "1.24.3", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.27.0rc1", "1.27.0rc2", "1.27.1", "1.27.2", "1.28.0rc1", "1.28.0rc2", "1.28.1", "1.29.0", "1.30.0"]}]}')] \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt new file mode 100644 index 00000000000..07664040628 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_ubuntu_severity_type.txt 
@@ -0,0 +1,437 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '3.11.0-12.19', + '3.12.0-1.3', + '3.12.0-2.5', + '3.12.0-2.7', + '3.12.0-3.8', + '3.12.0-3.9', + '3.12.0-4.10', + '3.12.0-4.12', + '3.12.0-5.13', + '3.12.0-7.15', + '3.13.0-1.16', + '3.13.0-10.30', + '3.13.0-100.147', + '3.13.0-101.148', + '3.13.0-103.150', + '3.13.0-105.152', + '3.13.0-106.153', + '3.13.0-107.154', + '3.13.0-108.155', + '3.13.0-109.156', + '3.13.0-11.31', + '3.13.0-110.157', + '3.13.0-111.158', + '3.13.0-112.159', + '3.13.0-113.160', + '3.13.0-115.162', + '3.13.0-116.163', + '3.13.0-117.164', + '3.13.0-119.166', + '3.13.0-12.32', + '3.13.0-121.170', + '3.13.0-123.172', + '3.13.0-125.174', + '3.13.0-126.175', + '3.13.0-128.177', + '3.13.0-129.178', + '3.13.0-13.33', + '3.13.0-132.181', + '3.13.0-133.182', + '3.13.0-135.184', + '3.13.0-137.186', + '3.13.0-139.188', + '3.13.0-14.34', + '3.13.0-141.190', + '3.13.0-142.191', + '3.13.0-143.192', + '3.13.0-144.193', + '3.13.0-145.194', + '3.13.0-147.196', + '3.13.0-149.199', + '3.13.0-15.35', + '3.13.0-151.201', + '3.13.0-153.203', + '3.13.0-155.205', + '3.13.0-156.206', + '3.13.0-157.207', + '3.13.0-158.208', + '3.13.0-16.36', + '3.13.0-160.210', + '3.13.0-161.211', + '3.13.0-162.212', + '3.13.0-163.213', + '3.13.0-164.214', + '3.13.0-165.215', + '3.13.0-166.216', + '3.13.0-167.217', + '3.13.0-168.218', + '3.13.0-169.219', + '3.13.0-17.37', + '3.13.0-170.220', + '3.13.0-173.224', + '3.13.0-174.225', + '3.13.0-175.226', + '3.13.0-176.227', + '3.13.0-18.38', + '3.13.0-180.231', + '3.13.0-181.232', + '3.13.0-182.233', + '3.13.0-183.234', + '3.13.0-184.235', + '3.13.0-185.236', + '3.13.0-186.237', + '3.13.0-187.238', + '3.13.0-188.239', + '3.13.0-189.240', + '3.13.0-19.39', + '3.13.0-19.40', + '3.13.0-190.241', + '3.13.0-191.242', + '3.13.0-192.243', + '3.13.0-193.244', + '3.13.0-194.245', + '3.13.0-195.246', + '3.13.0-196.247', + '3.13.0-197.248', + '3.13.0-198.249', + '3.13.0-199.250', + '3.13.0-2.17', + 
'3.13.0-20.42', + '3.13.0-200.251', + '3.13.0-201.252', + '3.13.0-202.253', + '3.13.0-203.254', + '3.13.0-204.255', + '3.13.0-205.256', + '3.13.0-206.257', + '3.13.0-21.43', + '3.13.0-22.44', + '3.13.0-23.45', + '3.13.0-24.46', + '3.13.0-24.47', + '3.13.0-27.50', + '3.13.0-29.53', + '3.13.0-3.18', + '3.13.0-30.54', + '3.13.0-30.55', + '3.13.0-32.57', + '3.13.0-33.58', + '3.13.0-34.60', + '3.13.0-35.62', + '3.13.0-36.63', + '3.13.0-37.64', + '3.13.0-39.66', + '3.13.0-4.19', + '3.13.0-40.69', + '3.13.0-41.70', + '3.13.0-43.72', + '3.13.0-44.73', + '3.13.0-45.74', + '3.13.0-46.75', + '3.13.0-46.76', + '3.13.0-46.77', + '3.13.0-46.79', + '3.13.0-48.80', + '3.13.0-49.81', + '3.13.0-49.83', + '3.13.0-5.20', + '3.13.0-51.84', + '3.13.0-52.85', + '3.13.0-52.86', + '3.13.0-53.88', + '3.13.0-53.89', + '3.13.0-54.91', + '3.13.0-55.92', + '3.13.0-55.94', + '3.13.0-57.95', + '3.13.0-58.97', + '3.13.0-59.98', + '3.13.0-6.23', + '3.13.0-61.100', + '3.13.0-62.102', + '3.13.0-63.103', + '3.13.0-65.105', + '3.13.0-65.106', + '3.13.0-66.108', + '3.13.0-67.110', + '3.13.0-68.111', + '3.13.0-7.25', + '3.13.0-7.26', + '3.13.0-70.113', + '3.13.0-71.114', + '3.13.0-73.116', + '3.13.0-74.118', + '3.13.0-76.120', + '3.13.0-77.121', + '3.13.0-79.123', + '3.13.0-8.27', + '3.13.0-8.28', + '3.13.0-83.127', + '3.13.0-85.129', + '3.13.0-86.130', + '3.13.0-86.131', + '3.13.0-87.133', + '3.13.0-88.135', + '3.13.0-91.138', + '3.13.0-92.139', + '3.13.0-93.140', + '3.13.0-95.142', + '3.13.0-96.143', + '3.13.0-98.145'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Ubuntu:Pro:14.04:LTS', + 'name': 'linux', + 'purl': 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '3.11.0-12.19', + '3.12.0-1.3', + '3.12.0-2.5', + '3.12.0-2.7', + 
'3.12.0-3.8', + '3.12.0-3.9', + '3.12.0-4.10', + '3.12.0-4.12', + '3.12.0-5.13', + '3.12.0-7.15', + '3.13.0-1.16', + '3.13.0-2.17', + '3.13.0-3.18', + '3.13.0-4.19', + '3.13.0-5.20', + '3.13.0-6.23', + '3.13.0-7.25', + '3.13.0-7.26', + '3.13.0-8.27', + '3.13.0-8.28', + '3.13.0-10.30', + '3.13.0-11.31', + '3.13.0-12.32', + '3.13.0-13.33', + '3.13.0-14.34', + '3.13.0-15.35', + '3.13.0-16.36', + '3.13.0-17.37', + '3.13.0-18.38', + '3.13.0-19.39', + '3.13.0-19.40', + '3.13.0-20.42', + '3.13.0-21.43', + '3.13.0-22.44', + '3.13.0-23.45', + '3.13.0-24.46', + '3.13.0-24.47', + '3.13.0-27.50', + '3.13.0-29.53', + '3.13.0-30.54', + '3.13.0-30.55', + '3.13.0-32.57', + '3.13.0-33.58', + '3.13.0-34.60', + '3.13.0-35.62', + '3.13.0-36.63', + '3.13.0-37.64', + '3.13.0-39.66', + '3.13.0-40.69', + '3.13.0-41.70', + '3.13.0-43.72', + '3.13.0-44.73', + '3.13.0-45.74', + '3.13.0-46.75', + '3.13.0-46.76', + '3.13.0-46.77', + '3.13.0-46.79', + '3.13.0-48.80', + '3.13.0-49.81', + '3.13.0-49.83', + '3.13.0-51.84', + '3.13.0-52.85', + '3.13.0-52.86', + '3.13.0-53.88', + '3.13.0-53.89', + '3.13.0-54.91', + '3.13.0-55.92', + '3.13.0-55.94', + '3.13.0-57.95', + '3.13.0-58.97', + '3.13.0-59.98', + '3.13.0-61.100', + '3.13.0-62.102', + '3.13.0-63.103', + '3.13.0-65.105', + '3.13.0-65.106', + '3.13.0-66.108', + '3.13.0-67.110', + '3.13.0-68.111', + '3.13.0-70.113', + '3.13.0-71.114', + '3.13.0-73.116', + '3.13.0-74.118', + '3.13.0-76.120', + '3.13.0-77.121', + '3.13.0-79.123', + '3.13.0-83.127', + '3.13.0-85.129', + '3.13.0-86.130', + '3.13.0-86.131', + '3.13.0-87.133', + '3.13.0-88.135', + '3.13.0-91.138', + '3.13.0-92.139', + '3.13.0-93.140', + '3.13.0-95.142', + '3.13.0-96.143', + '3.13.0-98.145', + '3.13.0-100.147', + '3.13.0-101.148', + '3.13.0-103.150', + '3.13.0-105.152', + '3.13.0-106.153', + '3.13.0-107.154', + '3.13.0-108.155', + '3.13.0-109.156', + '3.13.0-110.157', + '3.13.0-111.158', + '3.13.0-112.159', + '3.13.0-113.160', + '3.13.0-115.162', + '3.13.0-116.163', + '3.13.0-117.164', 
+ '3.13.0-119.166', + '3.13.0-121.170', + '3.13.0-123.172', + '3.13.0-125.174', + '3.13.0-126.175', + '3.13.0-128.177', + '3.13.0-129.178', + '3.13.0-132.181', + '3.13.0-133.182', + '3.13.0-135.184', + '3.13.0-137.186', + '3.13.0-139.188', + '3.13.0-141.190', + '3.13.0-142.191', + '3.13.0-143.192', + '3.13.0-144.193', + '3.13.0-145.194', + '3.13.0-147.196', + '3.13.0-149.199', + '3.13.0-151.201', + '3.13.0-153.203', + '3.13.0-155.205', + '3.13.0-156.206', + '3.13.0-157.207', + '3.13.0-158.208', + '3.13.0-160.210', + '3.13.0-161.211', + '3.13.0-162.212', + '3.13.0-163.213', + '3.13.0-164.214', + '3.13.0-165.215', + '3.13.0-166.216', + '3.13.0-167.217', + '3.13.0-168.218', + '3.13.0-169.219', + '3.13.0-170.220', + '3.13.0-173.224', + '3.13.0-174.225', + '3.13.0-175.226', + '3.13.0-176.227', + '3.13.0-180.231', + '3.13.0-181.232', + '3.13.0-182.233', + '3.13.0-183.234', + '3.13.0-184.235', + '3.13.0-185.236', + '3.13.0-186.237', + '3.13.0-187.238', + '3.13.0-188.239', + '3.13.0-189.240', + '3.13.0-190.241', + '3.13.0-191.242', + '3.13.0-192.243', + '3.13.0-193.244', + '3.13.0-194.245', + '3.13.0-195.246', + '3.13.0-196.247', + '3.13.0-197.248', + '3.13.0-198.249', + '3.13.0-199.250', + '3.13.0-200.251', + '3.13.0-201.252', + '3.13.0-202.253', + '3.13.0-203.254', + '3.13.0-204.255', + '3.13.0-205.256', + '3.13.0-206.257']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'UBUNTU-CVE-2025-38094', + 'details': 'In the Linux kernel, the following vulnerability has been ' + 'resolved: net: cadence: macb: Fix a possible deadlock in ' + 'macb_halt_tx. There is a situation where after THALT is set ' + 'high, TGO stays high as well. Because jiffies are never ' + 'updated, as we are in a context with interrupts disabled, we ' + 'never exit that loop and have a deadlock. That deadlock was ' + 'noticed on a sama5d4 device that stayed locked for days. 
Use ' + 'retries instead of jiffies so that the timeout really works ' + 'and we do not have a deadlock anymore.', + 'ecosystem': ['Ubuntu', 'Ubuntu:14.04', 'Ubuntu:Pro:14.04:LTS'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['linux'], + 'public': True, + 'purl': [ 'pkg:deb/ubuntu/linux@3.13.0-206.257', + 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'], + 'reference_url_types': { 'https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', + 'https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d': 'REPORT', + 'https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4': 'REPORT', + 'https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48': 'REPORT', + 'https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2': 'REPORT', + 'https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37': 'REPORT', + 'https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7': 'REPORT', + 'https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', + 'https://ubuntu.com/security/CVE-2025-38094': 'REPORT', + 'https://www.cve.org/CVERecord?id=CVE-2025-38094': 'REPORT'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '04', + '14', + '2025', + '2025-38094', + '38094', + 'cve', + 'cve-2025', + 'cve-2025-38094', + 'linux', + 'lts', + 'pro', + 'ubuntu', + 'ubuntu-cve', + 'ubuntu-cve-2025', + 'ubuntu-cve-2025-38094', + 'ubuntu:14.04', + 'ubuntu:pro:14.04:lts'], + 'search_tags': ['linux', 'ubuntu-cve-2025-38094'], + 'semver_fixed_indexes': [], + 'severities': [{'score': 'medium', 'type': 'Ubuntu'}], + 'source': 'source', + 'source_id': 'source:UBUNTU-CVE-2025-38094.json', + 
'source_of_truth': 2,
+ 'status': 1,
+ 'summary': '',
+ 'timestamp': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc),
+ 'upstream_raw': ['CVE-2025-38094'],
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt
new file mode 100644
index 00000000000..654da618d93
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update.txt
@@ -0,0 +1,70 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [ { 'contact': ['mailto:foo@bar.com'], + 'name': 'Foo bar', + 'type': None}], + 'database_specific': {'specific': 1337.0}, + 'db_id': 'OSV-123', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '123', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-123', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-123'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 
'source:OSV-123.yaml',
+ 'source_of_truth': 2,
+ 'status': 1,
+ 'summary': 'A vulnerability',
+ 'timestamp': None,
+ 'upstream_raw': [],
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt
new file mode 100644
index 00000000000..a5ae0a7faa7
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_add_fix.txt
@@ -0,0 +1,67 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-124', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', + 'related': [], + 'search_indices': [ '124', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-124', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-124'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-124.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': None, + 'upstream_raw': [], 
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt
new file mode 100644
index 00000000000..f1001d855f0
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_alpine.txt
@@ -0,0 +1,689 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.15-r0', + '10.4.17-r0', + '10.4.17-r1', + '10.4.18-r0', + '10.4.19-r0', + '10.4.21-r0', + '10.4.22-r0', + '10.4.24-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.10-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.12', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 
'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.4.25-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.15-r0', + '10.4.17-r0', + '10.4.17-r1', + '10.4.18-r0', + '10.4.19-r0', + '10.4.21-r0', + '10.4.22-r0', + '10.4.24-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.13', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.5.16-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + 
'10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.10-r0', + '10.5.11-r0', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.14', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.5.16-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', 
+ '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.15', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.6.8-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', 
+ '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Alpine:v3.16', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '10.6.8-r0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + 
'10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'CVE-2022-27449', + 'details': 'MariaDB Server v10.9 and below was discovered to contain a ' + 'segmentation fault via the component sql/item_func.cc:148.', + 'ecosystem': [ 'Alpine', + 'Alpine:v3.12', + 'Alpine:v3.13', + 'Alpine:v3.14', + 'Alpine:v3.15', + 'Alpine:v3.16'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['mariadb'], + 'public': True, + 'purl': ['pkg:alpine/mariadb'], + 'reference_url_types': { 'https://jira.mariadb.org/browse/MDEV-28089': 'WEB', + 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html': 'WEB', + 'https://security.netapp.com/advisory/ntap-20220526-0006/': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '12', + '13', + '14', + '15', + '16', + '2022', + '2022-27449', + '27449', + 'alpine', + 
'alpine:v3.12',
+ 'alpine:v3.13',
+ 'alpine:v3.14',
+ 'alpine:v3.15',
+ 'alpine:v3.16',
+ 'cve',
+ 'cve-2022',
+ 'cve-2022-27449',
+ 'mariadb',
+ 'v3'],
+ 'search_tags': ['cve-2022-27449', 'mariadb'],
+ 'semver_fixed_indexes': [],
+ 'severities': [],
+ 'source': 'source',
+ 'source_id': 'source:CVE-2022-27449.json',
+ 'source_of_truth': 2,
+ 'status': 1,
+ 'summary': '',
+ 'timestamp': DatetimeWithNanoseconds(2022, 4, 14, 13, 15, tzinfo=datetime.timezone.utc),
+ 'upstream_raw': [],
+ 'withdrawn': None}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt
new file mode 100644
index 00000000000..d5828e36cba
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bad_ecosystem_new.txt
@@ -0,0 +1,7 @@
+{ 'details': 'Blah blah blah\nBlah\n',
+ 'id': 'OSV-129',
+ 'modified': '3000-01-01T00:00:00Z',
+ 'published': '3000-01-01T00:00:00Z',
+ 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}],
+ 'schema_version': '1.7.3',
+ 'summary': 'A vulnerability'}
\ No newline at end of file
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt
new file mode 100644
index 00000000000..184148e93f4
--- /dev/null
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_0.txt
@@ -0,0 +1,104 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/runc/libcontainer/apparmor', + 'symbols': [ 'ApplyProfile']}, + { 'path': 'github.com/opencontainers/runc/libcontainer/utils', + 'symbols': [ 'CloseExecFrom']}]}, + 'package': { 'ecosystem': 'Go', + 'name': 'github.com/opencontainers/runc', + 'purl': 'pkg:golang/github.com/opencontainers/runc'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '1.0.0-rc8.0.20190930145003-cad42f6e0932'}], + 'repo_url': '', + 'type': 'SEMVER'}], + 'severities': [], + 'versions': []}, + { 'database_specific': None, + 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/selinux/go-selinux', + 'symbols': [ 'readCon', + 'writeCon']}]}, + 'package': { 'ecosystem': 'Go', + 'name': 'github.com/opencontainers/selinux', + 'purl': 'pkg:golang/github.com/opencontainers/selinux'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '1.3.1-0.20190929122143-5215b1806f52'}], + 'repo_url': '', + 'type': 'SEMVER'}], + 'severities': [], + 'versions': []}], + 'aliases': ['CVE-2019-16884', 'GHSA-fgv8-vj5c-2ppq'], + 'credits': [{'contact': [], 'name': 'Leopold Schabel', 'type': None}], + 'database_specific': {'url': 'https://pkg.go.dev/vuln/GO-2021-0085'}, + 'db_id': 'GO-2021-0085', + 'details': 'AppArmor restrictions may be bypassed due to improper ' + 'validation of mount targets, allowing a malicious image to ' + 'mount volumes over e.g. 
/proc.', + 'ecosystem': ['Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2023, 4, 3, 15, 57, 51, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [ 'github.com/opencontainers/runc', + 'github.com/opencontainers/selinux'], + 'public': True, + 'purl': [ 'pkg:golang/github.com/opencontainers/runc', + 'pkg:golang/github.com/opencontainers/selinux'], + 'reference_url_types': { 'https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4': 'FIX', + 'https://github.com/opencontainers/runc/issues/2128': 'WEB', + 'https://github.com/opencontainers/runc/pull/2130': 'FIX', + 'https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da': 'FIX'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '0085', + '16884', + '2019', + '2019-16884', + '2021', + '2021-0085', + '2ppq', + 'com', + 'cve', + 'cve-2019', + 'cve-2019-16884', + 'fgv8', + 'fgv8-vj5c', + 'fgv8-vj5c-2ppq', + 'ghsa', + 'ghsa-fgv8', + 'ghsa-fgv8-vj5c', + 'ghsa-fgv8-vj5c-2ppq', + 'github', + 'github.com/opencontainers/runc', + 'github.com/opencontainers/selinux', + 'go', + 'go-2021', + 'go-2021-0085', + 'opencontainers', + 'runc', + 'selinux', + 'vj5c', + 'vj5c-2ppq'], + 'search_tags': [ 'github.com/opencontainers/runc', + 'github.com/opencontainers/selinux', + 'go-2021-0085'], + 'semver_fixed_indexes': [ '00000001.00000000.00000000-1rc8.00000000.120190930145003-cad42f6e0932', + '00000001.00000003.00000001-00000000.120190929122143-5215b1806f52'], + 'severities': [], + 'source': 'source', + 'source_id': 'source:a/b/test.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': DatetimeWithNanoseconds(2021, 4, 14, 20, 4, 52, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt new file mode 100644 index 00000000000..73a984afc15 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_1.txt @@ -0,0 +1,50 @@ +{ 'affected': [], + 'affected_fuzzy': [], + 'affected_packages': [], + 'aliases': ['CVE-2019-19921'], + 'credits': [], + 'database_specific': None, + 'db_id': 'GO-2021-0087', + 'details': 'A race while mounting volumes allows a possible ' + 'symlink-exchange\n' + 'attack, allowing a user whom can start multiple containers ' + 'with\n' + 'custom volume mount configurations to escape the container.\n' + '\n', + 'ecosystem': [], + 'fixed': '', + 'has_affected': False, + 'import_last_modified': datetime.datetime(2021, 4, 14, 12, 0), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': datetime.datetime(2021, 4, 14, 12, 0), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': { 'https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0': 'FIX', + 'https://github.com/opencontainers/runc/issues/2197': 'WEB', + 'https://github.com/opencontainers/runc/pull/2207': 'FIX'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '0087', + '19921', + '2019', + '2019-19921', + '2021', + '2021-0087', + 'cve', + 'cve-2019', + 'cve-2019-19921', + 'go', + 'go-2021', + 'go-2021-0087'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:a/b/test.json', + 'source_of_truth': 2, + 'status': 2, + 'summary': '', + 'timestamp': datetime.datetime(2021, 4, 14, 12, 0), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt new file mode 100644 index 00000000000..9b228142cd0 --- /dev/null 
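Review bot: The `GO-2021-0087` fixture is out of step with the sibling `UpdateTest_update_bucket_*.txt` files in this commit: it has no `affected_checksum` or `search_tags` keys, and `import_last_modified`, `last_modified` and `timestamp` are naive `datetime.datetime(2021, 4, 14, 12, 0)` values rather than the tz-aware `DatetimeWithNanoseconds(..., tzinfo=datetime.timezone.utc)` every other new fixture uses. If the test compares the full entity dict against this file it cannot match the shape the other fixtures encode; if it passes, the comparison is presumably tolerant of missing keys and naive datetimes, which is worth confirming because a naive/aware timestamp mismatch is exactly the kind of regression these fixtures exist to catch. Either regenerate the file from the current entity output or add a short comment in the test explaining why a `status: 2` record is expected to retain its pre-update values.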
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_2.txt 
@@ -0,0 +1,63 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['10', '11'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': { 'severity': 'High', + 'spl': '2021-10-01', + 'type': 'EoP'}, + 'package': { 'ecosystem': 'Android', + 'name': 'Media Framework', + 'purl': None}, + 'ranges': [], + 'severities': [], + 'versions': ['10', '11']}], + 'aliases': ['CVE-2021-0483'], + 'credits': [], + 'database_specific': None, + 'db_id': 'ASB-A-153358911', + 'details': '', + 'ecosystem': ['Android'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['Media Framework'], + 'public': True, + 'purl': [], + 'reference_url_types': { 'https://android.googlesource.com/platform/frameworks/av/+/084077feb6b8c961adcbe77b2bd76601ca54e534': 'FIX', + 'https://android.googlesource.com/platform/frameworks/av/+/cc2165840d524bb9553f9d73d1904633d20100a2': 'FIX', + 'https://source.android.com/security/bulletin/2021-10-01#2021-10-01-security-patch-level-vulnerability-details': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '0483', + '153358911', + '2021', + '2021-0483', + 'a', + 'a-153358911', + 'android', + 'asb', + 'asb-a', + 'asb-a-153358911', + 'cve', + 'cve-2021', + 'cve-2021-0483', + 'framework', + 'media', + 'media framework'], + 'search_tags': ['asb-a-153358911', 'media framework'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:a/b/android-test.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'In multiple methods of AAudioService, there is a possible ' + 'use-after-free due to a race condition. This could lead to ' + 'local escalation of privilege with User execution privileges ' + 'needed. 
User interaction is not needed for exploitation.', + 'timestamp': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt new file mode 100644 index 00000000000..32722079b69 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_bucket_cve.txt 
@@ -0,0 +1,152 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1-2-1', + '1-2-2', + '1-2-3', + '1-2-4', + '1-2-5', + '1-2-6', + '1-3-0', + '1-3-1'], + 'affected_packages': [ { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'line_hashes': [ '18066036635502801806677364178756254862', + '88369412895184753394283011451803187548', + '50848458948504730426650075084385046530', + '91284993680127737564993618090545145416', + '30779278950355321333621475605602830830', + '122421578121241373365155348152646941523', + '267652210589392654099845994262755826062', + '334808111126213430220547654602188383660', + '234389204524678077984531197469034242690', + '152880517379272209571165325006789878786', + '299871312446227378724863519270618301341', + '157634544376100154879962283397081738110', + '103663099829328578689797223848801574827', + '158563421165358858389893196995983570762', + '315965584007238676040631750953088200664'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-929806e0', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '6674387965125354881111149989428882853', + '100741820504985357262218153349452233434', + '253366101641995550384755812786879052342', + '245037096886845520996519599411616661529', + '158852189579109359359946013476030639584', + '298614597347537877121532413760030558894', + '180181956682520524395173299138562004562', + '146502839243717526526406585366671557144', + '244996413515733361838850122849344525825', + '166554563875570093109470347687697544350', + '9427977046515615106319032886256396870', + '279044285883194738631442483325879094037', + '295198785562376785392477306514392217432', + '44714085523243422643465698936438435501', + 
'267608316591780380179772018605253867646', + '182074437577114148436758739432546664545', + '87621961972550109442760282702331746920', + '64897152403082006856773989396486955494', + '184138636401118235309885205539354874180', + '62633257528035095954429323509732904426'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-bd561b7b', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '259495117689681377355427521574538727644', + 'length': 1591.0}, + 'id': 'CVE-2016-15011-d557e328', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java', + 'function': 'DigitalSignatureServiceMetadata'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '249451297539985081987952306682300702892', + 'length': 4302.0}, + 'id': 'CVE-2016-15011-fcf07dd1', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java', + 'function': 'checkSignResponse'}}]}, + 'ecosystem_specific': None, + 'package': { 'ecosystem': '', + 'name': '', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '001ef99b0c8194468de960d007e2d82dcebc3bca'}, + { 'type': 'fixed', + 'value': 'ec4238349691ec66dd30b416ec6eaab02d722302'}], + 'repo_url': 'https://github.com/e-contract/dssp', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'dssp-1.2.1', + 
'dssp-1.2.2', + 'dssp-1.2.3', + 'dssp-1.2.4', + 'dssp-1.2.5', + 'dssp-1.2.6', + 'dssp-1.3.0', + 'dssp-1.3.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'CVE-2016-15011', + 'details': 'A vulnerability classified as problematic was found in ' + 'e-Contract dssp up to 1.3.1. Affected by this vulnerability is ' + 'the function checkSignResponse of the file ' + 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java. ' + 'The manipulation leads to xml external entity reference. ' + 'Upgrading to version 1.3.2 is able to address this issue. The ' + 'identifier of the patch is ' + 'ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to ' + 'upgrade the affected component. The identifier VDB-217549 was ' + 'assigned to this vulnerability.', + 'ecosystem': ['GIT'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 1, 21, 44, 41, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': [], + 'public': True, + 'purl': [], + 'reference_url_types': { 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302': 'FIX', + 'https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2': 'ADVISORY', + 'https://vuldb.com/?ctiid.217549': 'REPORT', + 'https://vuldb.com/?id.217549': 'REPORT'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '15011', + '2016', + '2016-15011', + 'cve', + 'cve-2016', + 'cve-2016-15011', + 'dssp', + 'e-contract', + 'git', + 'github.com/e-contract/dssp', + 'https://github.com/e-contract/dssp'], + 'search_tags': ['cve-2016-15011'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 'source:a/b/CVE-2016-15011.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': '', + 'timestamp': 
DatetimeWithNanoseconds(2023, 1, 6, 10, 15, 9, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt new file mode 100644 index 00000000000..5aebf710c03 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_debian.txt 
@@ -0,0 +1,95 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.2.1-2.2', + '1.2.1-2.2+wheezy1', + '1.2.1-2.2+wheezy2', + '1.2.1-2.2+wheezy3~bpo60+1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Debian:7', + 'name': 'nginx', + 'purl': 'pkg:deb/debian/nginx?arch=source'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '1.2.1-2.2+wheezy3'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '1.2.1-2.2', + '1.2.1-2.2+wheezy1', + '1.2.1-2.2+wheezy2', + '1.2.1-2.2+wheezy3~bpo60+1']}], + 'aliases': ['CVE-2014-3616'], + 'credits': [], + 'database_specific': None, + 'db_id': 'DSA-3029-1', + 'details': '\n' + 'Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered ' + 'that it was\n' + 'possible to reuse cached SSL sessions in unrelated contexts, ' + 'allowing\n' + 'virtual host confusion attacks in some configurations by an ' + 'attacker in\n' + 'a privileged network position.\n' + '\n' + '\n' + 'For the stable distribution (wheezy), this problem has been ' + 'fixed in\n' + 'version 1.2.1-2.2+wheezy3.\n' + '\n' + '\n' + 'For the testing distribution (jessie), this problem has been ' + 'fixed in\n' + 'version 1.6.2-1.\n' + '\n' + '\n' + 'For the unstable distribution (sid), this problem has been ' + 'fixed in\n' + 'version 1.6.2-1.\n' + '\n' + '\n' + 'We recommend that you upgrade your nginx packages.\n' + '\n' + '\n', + 'ecosystem': ['Debian', 'Debian:7'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2014, 9, 20, 8, 18, 7, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['nginx'], + 'public': True, + 'purl': ['pkg:deb/debian/nginx', 'pkg:deb/debian/nginx?arch=source'], + 'reference_url_types': 
{ 'https://www.debian.org/security/2014/dsa-3029': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '1', + '2014', + '2014-3616', + '3029', + '3029-1', + '3616', + '7', + 'cve', + 'cve-2014', + 'cve-2014-3616', + 'debian', + 'debian:7', + 'dsa', + 'dsa-3029', + 'dsa-3029-1', + 'nginx'], + 'search_tags': ['dsa-3029-1', 'nginx'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:DSA-3029-1.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'nginx - security update', + 'timestamp': DatetimeWithNanoseconds(2014, 9, 20, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt new file mode 100644 index 00000000000..eb8631f7074 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_last_affected.txt 
@@ -0,0 +1,129 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0', + '1.31.0'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.14.2'}, + { 'type': 'last_affected', + 'value': '1.31.0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0', + '1.31.0']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'PYSEC-124', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['PyPI'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': False, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, 
tzinfo=datetime.timezone.utc), + 'project': ['grpcio'], + 'public': True, + 'purl': ['pkg:pypi/grpcio'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': ['124', 'grpcio', 'pypi', 'pysec', 'pysec-124'], + 'search_tags': ['grpcio', 'pysec-124'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:PYSEC-124.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt new file mode 100644 index 00000000000..dc9a0912254 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_limit.txt 
@@ -0,0 +1,79 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.13.0', + '1.14.0', + '1.14.0rc1', + '1.14.0rc2', + '1.14.1', + '1.14.2rc1', + 'branch-v0.1.1', + 'v0.1', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'limit', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.13.0'}, + { 'type': 'limit', + 'value': '1.14.2'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + '1.13.0', + '1.14.0', + '1.14.0rc1', + '1.14.0rc2', + '1.14.1', + '1.14.2rc1', + 'v0.1', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-128', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'PyPI'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['grpcio'], + 'public': True, + 'purl': ['pkg:pypi/grpcio'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '128', + 'git', + 'grpcio', + 'https://osv-test/repo/url', + 'osv', + 'osv-128', + 'osv-test/repo/url', + 'pypi', + 'repo', + 'url'], + 'search_tags': ['grpcio', 'osv-128'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-128.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, 
tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt new file mode 100644 index 00000000000..18dff8e75c6 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_linux.txt @@ -0,0 +1,52 @@ +{ 'affected': [], + 'affected_fuzzy': [], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Linux', + 'name': 'Kernel', + 'purl': None}, + 'ranges': [ { 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': []}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'LINUX-123', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT','Linux'], + 'fixed': '', + 'has_affected': False, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'project': ['Kernel'], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '123', + 'git', + 'https://osv-test/repo/url', + 'kernel', + 'linux', + 'linux-123', + 'osv-test/repo/url', + 'repo', + 'url'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:LINUX-123.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(2021, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
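Review bot: `UpdateTest_update_linux.txt` looks stale relative to the other fixtures added here: it lacks `affected_checksum` and `search_tags`, its GIT range entry has no `database_specific` key, and `has_affected` is `False` although `affected_packages` holds a populated introduced/fixed GIT range (every other fixture with a non-empty `affected_packages` expects `has_affected: True`). If `has_affected` is what downstream querying keys on, this fixture would lock in a Linux record that carries fix metadata yet is treated as having nothing affected, so confirm that is intended for the `Linux` ecosystem rather than an artifact of copying the file before that field was derived. Regenerating it from the current entity output, as the `bucket_0` and `update_limit` fixtures appear to have been, would settle it either way.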
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt new file mode 100644 index 00000000000..38df7620556 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_maven.txt 
@@ -0,0 +1,100 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '0.7.0-incubating', + '0.8.0', + '0.9.0', + '1.0', + '1.1', + '2.0', + '2.1', + '2.2', + '2.3', + '2.4'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Maven', + 'name': 'org.apache.any23:apache-any23', + 'purl': 'pkg:maven/org.apache.any23/apache-any23'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '2.5'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}], + 'severities': [], + 'versions': [ '0.7.0-incubating', + '0.8.0', + '0.9.0', + '1.0', + '1.1', + '2.0', + '2.1', + '2.2', + '2.3', + '2.4']}], + 'aliases': ['CVE-2021-38555'], + 'credits': [], + 'database_specific': { 'cwe_ids': ['CWE-611'], + 'github_reviewed': True, + 'github_reviewed_at': '2021-09-13T19:31:01Z', + 'nvd_published_at': '2021-09-11T11:15:00Z', + 'severity': 'CRITICAL'}, + 'db_id': 'GHSA-838r-hvwh-24h8', + 'details': 'An XML external entity (XXE) injection vulnerability was ' + 'discovered in the Any23 StreamUtils.java file and is known to ' + 'affect Any23 versions < 2.5. XML external entity injection ' + '(also known as XXE) is a web security vulnerability that ' + "allows an attacker to interfere with an application's " + 'processing of XML data. 
It often allows an attacker to view ' + 'files on the application server filesystem, and to interact ' + 'with any back-end or external systems that the application ' + 'itself can access.', + 'ecosystem': ['Maven'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2021, 9, 24, 13, 10, 5, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['org.apache.any23:apache-any23'], + 'public': True, + 'purl': ['pkg:maven/org.apache.any23/apache-any23'], + 'reference_url_types': { 'https://github.com/apache/any23': 'PACKAGE', + 'https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E': 'WEB', + 'https://nvd.nist.gov/vuln/detail/CVE-2021-38555': 'ADVISORY'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '2021', + '2021-38555', + '24h8', + '38555', + '838r', + '838r-hvwh', + '838r-hvwh-24h8', + 'any23', + 'apache', + 'cve', + 'cve-2021', + 'cve-2021-38555', + 'ghsa', + 'ghsa-838r', + 'ghsa-838r-hvwh', + 'ghsa-838r-hvwh-24h8', + 'hvwh', + 'hvwh-24h8', + 'maven', + 'org', + 'org.apache.any23:apache-any23'], + 'search_tags': ['ghsa-838r-hvwh-24h8', 'org.apache.any23:apache-any23'], + 'semver_fixed_indexes': [], + 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', + 'type': 'CVSS_V3'}], + 'source': 'source', + 'source_id': 'source:GHSA-838r-hvwh-24h8.json', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'XML Injection in Any23', + 'timestamp': DatetimeWithNanoseconds(2021, 9, 13, 20, 6, 31, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt new file mode 100644 index 00000000000..7c36f197aad --- /dev/null 
+++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_new.txt 
@@ -0,0 +1,67 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-126', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '126', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-126', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-126'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-126.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, 
tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt new file mode 100644 index 00000000000..821fb369530 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_no_introduced.txt 
@@ -0,0 +1,67 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1', + 'v0.1.1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '0'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-127', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'Go'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': ['pkg:golang/blah.com/package'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '127', + 'blah', + 'blah.com/package', + 'com', + 'git', + 'go', + 'https://osv-test/repo/url', + 'osv', + 'osv-127', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-127'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-127.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': None, + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt new file mode 100644 index 00000000000..39b24a9dd51 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt @@ -0,0 +1,7 @@ +{ 'details': 'Blah blah blah\nBlah\n', + 'id': 'OSV-131', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt new file mode 100644 index 00000000000..3c2c9cfd004 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt 
@@ -0,0 +1,65 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': ['0-1-1', '1'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'ecosystem', + 'name': 'blah.com/package', + 'purl': None}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'type': 'introduced', + 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'type': 'fixed', + 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'OSV-130', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'ecosystem'], + 'fixed': '', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['blah.com/package'], + 'public': True, + 'purl': [], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '130', + 'blah', + 'blah.com/package', + 'com', + 'ecosystem', + 'git', + 'https://osv-test/repo/url', + 'osv', + 'osv-130', + 'osv-test/repo/url', + 'package', + 'repo', + 'url'], + 'search_tags': ['blah.com/package', 'osv-130'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:OSV-130.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file 
diff --git a/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt new file mode 100644 index 00000000000..17d13fe02f8 --- /dev/null +++ b/gcp/workers/oss_fuzz_worker/testdata/UpdateTest_update_pypi.txt 
@@ -0,0 +1,143 @@ +{ 'affected': [], + 'affected_checksum': None, + 'affected_fuzzy': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0'], + 'affected_packages': [ { 'database_specific': None, + 'ecosystem_specific': None, + 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': '1.14.2'}, + { 'type': 'fixed', + 'value': '1.31.0'}], + 'repo_url': '', + 'type': 'ECOSYSTEM'}, + { 'database_specific': None, + 'events': [ { 'type': 'introduced', + 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'type': 'fixed', + 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo_url': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'severities': [], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0']}], + 'aliases': [], + 'credits': [], + 'database_specific': None, + 'db_id': 'PYSEC-123', + 'details': 'Blah blah blah\nBlah\n', + 'ecosystem': ['GIT', 'PyPI'], + 'fixed': 
'', + 'has_affected': True, + 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), + 'is_fixed': True, + 'issue_id': None, + 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'project': ['grpcio'], + 'public': True, + 'purl': ['pkg:pypi/grpcio'], + 'reference_url_types': {'https://ref.com/ref': 'WEB'}, + 'regressed': '', + 'related': [], + 'search_indices': [ '123', + 'git', + 'grpcio', + 'https://osv-test/repo/url', + 'osv-test/repo/url', + 'pypi', + 'pysec', + 'pysec-123', + 'repo', + 'url'], + 'search_tags': ['grpcio', 'pysec-123'], + 'semver_fixed_indexes': [], + 'severities': [], + 'source': 'source', + 'source_id': 'source:PYSEC-123.yaml', + 'source_of_truth': 2, + 'status': 1, + 'summary': 'A vulnerability', + 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), + 'upstream_raw': [], + 'withdrawn': None} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/GSD-123.yaml b/gcp/workers/worker/testdata/GSD-123.yaml new file mode 100644 index 00000000000..ae7ed14ddec --- /dev/null +++ b/gcp/workers/worker/testdata/GSD-123.yaml @@ -0,0 +1,19 @@ +id: GSD-123 +summary: A vulnerability +details: | + Blah blah blah + Blah +modified: 2022-10-07T18:59:00Z +references: +- type: WEB + url: https://ref.com/ref +affected: +- package: + name: Kernel + ecosystem: Linux + ranges: + - type: GIT + repo: https://osv-test/repo/url + events: + - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd + - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735 diff --git a/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt b/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt index 2c52b812385..15e5b16f2bb 100644 --- a/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt +++ b/gcp/workers/worker/testdata/RESTUpdateTest_update_no_introduced.txt 
@@ -1,364 +1,192 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '7-10', - '7-10-1', - '7-10-2', - '7-10-3', - '7-10-4', - '7-10-5', - '7-10-6', - '7-10-7', - '7-10-8', - '7-11-0', - '7-11-1', - '7-11-2', - '7-12-0', - '7-12-1', - '7-12-2', - '7-12-3', - '7-13-0', - '7-13-1', - '7-13-2', - '7-14-0', - '7-14-1', - '7-15-0', - '7-15-1', - '7-15-2', - '7-15-3', - '7-15-4', - '7-15-5', - '7-16-0', - '7-16-1', - '7-16-2', - '7-16-3', - '7-16-4', - '7-17-0', - '7-17-1', - '7-18-0', - '7-18-1', - '7-18-2', - '7-19-0', - '7-19-1', - '7-19-2', - '7-19-3', - '7-19-4', - '7-19-5', - '7-19-6', - '7-19-7', - '7-20-0', - '7-20-1', - '7-21-0', - '7-21-1', - '7-21-2', - '7-21-3', - '7-21-4', - '7-21-5', - '7-21-6', - '7-21-7', - '7-22-0', - '7-23-0', - '7-23-1', - '7-24-0', - '7-25-0', - '7-26-0', - '7-27-0', - '7-28-0', - '7-28-1', - '7-29-0', - '7-30-0', - '7-31-0', - '7-32-0', - '7-33-0', - '7-34-0', - '7-35-0', - '7-36-0', - '7-37-0', - '7-37-1', - '7-38-0', - '7-39-0', - '7-40-0', - '7-41-0', - '7-42-0', - '7-42-1', - '7-43-0', - '7-44-0', - '7-45-0', - '7-46-0', - '7-47-0', - '7-47-1', - '7-48-0', - '7-49-0', - '7-49-1', - '7-50-0', - '7-50-1', - '7-50-2', - '7-50-3', - '7-51-0', - '7-52-0', - '7-52-1', - '7-53-0', - '7-53-1', - '7-54-0', - '7-54-1', - '7-55-0', - '7-55-1', - '7-56-0', - '7-56-1', - '7-57-0', - '7-58-0', - '7-59-0', - '7-60-0', - '7-61-0', - '7-61-1', - '7-62-0', - '7-63-0', - '7-64-0', - '7-64-1', - '7-65-0', - '7-65-1', - '7-65-2', - '7-65-3', - '7-66-0', - '7-67-0', - '7-68-0', - '7-69-0', - '7-69-1', - '7-7', - '7-7-1', - '7-7-2', - '7-7-3', - '7-70-0', - '7-71-0', - '7-71-1', - '7-72-0', - '7-73-0', - '7-74-0', - '7-75-0', - '7-76-0', - '7-76-1', - '7-77-0', - '7-78-0', - '7-79-0', - '7-79-1', - '7-8', - '7-8-1', - '7-80-0', - '7-81-0', - '7-82-0', - '7-83-0', - '7-83-1', - '7-84-0', - '7-85-0', - '7-9', - '7-9-1', - '7-9-2', - '7-9-3', - '7-9-4', - '7-9-5', - '7-9-6', - '7-9-7', - '7-9-8'], - 'affected_packages': [ { 
'database_specific': { 'vanir_signatures': [ { 'deprecated': False, - 'digest': { 'function_hash': '22968065415160735040135778472335782425', - 'length': 58084.0}, - 'id': 'CURL-CVE-2022-32221-9751f04c', - 'signature_type': 'Function', - 'signature_version': 'v1', - 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', - 'target': { 'file': 'lib/setopt.c', - 'function': 'Curl_vsetopt'}}, - { 'deprecated': False, - 'digest': { 'line_hashes': [ '73596727404438881622769716353410783065', - '150108665408450698810391826671290668314', - '264542534956227828232279400943172691231', - '248438938282829223471764231064667949049'], - 'threshold': 0.9}, - 'id': 'CURL-CVE-2022-32221-b7951194', - 'signature_type': 'Line', - 'signature_version': 'v1', - 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', - 'target': { 'file': 'lib/setopt.c'}}]}, - 'ecosystem_specific': None, - 'package': { 'ecosystem': '', - 'name': '', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '7.7'}, - { 'type': 'fixed', - 'value': '7.86.0'}], - 'repo_url': '', - 'type': 'SEMVER'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '546572da0457f37c698c02d0a08d90fdfcbeedec'}, - { 'type': 'fixed', - 'value': 'a64e3e59938abd7d667e4470a18072a24d7e9de9'}], - 'repo_url': 'https://github.com/curl/curl.git', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ '7.85.0', - '7.84.0', - '7.83.1', - '7.83.0', - '7.82.0', - '7.81.0', - '7.80.0', - '7.79.1', - '7.79.0', - '7.78.0', - '7.77.0', - '7.76.1', - '7.76.0', - '7.75.0', - '7.74.0', - '7.73.0', - '7.72.0', - '7.71.1', - '7.71.0', - '7.70.0', - '7.69.1', - '7.69.0', - '7.68.0', - '7.67.0', - '7.66.0', - '7.65.3', - '7.65.2', - '7.65.1', - '7.65.0', - '7.64.1', - '7.64.0', - '7.63.0', - '7.62.0', - '7.61.1', - '7.61.0', - '7.60.0', - '7.59.0', - '7.58.0', - '7.57.0', - '7.56.1', - '7.56.0', - 
'7.55.1', - '7.55.0', - '7.54.1', - '7.54.0', - '7.53.1', - '7.53.0', - '7.52.1', - '7.52.0', - '7.51.0', - '7.50.3', - '7.50.2', - '7.50.1', - '7.50.0', - '7.49.1', - '7.49.0', - '7.48.0', - '7.47.1', - '7.47.0', - '7.46.0', - '7.45.0', - '7.44.0', - '7.43.0', - '7.42.1', - '7.42.0', - '7.41.0', - '7.40.0', - '7.39.0', - '7.38.0', - '7.37.1', - '7.37.0', - '7.36.0', - '7.35.0', - '7.34.0', - '7.33.0', - '7.32.0', - '7.31.0', - '7.30.0', - '7.29.0', - '7.28.1', - '7.28.0', - '7.27.0', - '7.26.0', - '7.25.0', - '7.24.0', - '7.23.1', - '7.23.0', - '7.22.0', - '7.21.7', - '7.21.6', - '7.21.5', - '7.21.4', - '7.21.3', - '7.21.2', - '7.21.1', - '7.21.0', - '7.20.1', - '7.20.0', - '7.19.7', - '7.19.6', - '7.19.5', - '7.19.4', - '7.19.3', - '7.19.2', - '7.19.1', - '7.19.0', - '7.18.2', - '7.18.1', - '7.18.0', - '7.17.1', - '7.17.0', - '7.16.4', - '7.16.3', - '7.16.2', - '7.16.1', - '7.16.0', - '7.15.5', - '7.15.4', - '7.15.3', - '7.15.2', - '7.15.1', - '7.15.0', - '7.14.1', - '7.14.0', - '7.13.2', - '7.13.1', - '7.13.0', - '7.12.3', - '7.12.2', - '7.12.1', - '7.12.0', - '7.11.2', - '7.11.1', - '7.11.0', - '7.10.8', - '7.10.7', - '7.10.6', - '7.10.5', - '7.10.4', - '7.10.3', - '7.10.2', - '7.10.1', - '7.10', - '7.9.8', - '7.9.7', - '7.9.6', - '7.9.5', - '7.9.4', - '7.9.3', - '7.9.2', - '7.9.1', - '7.9', - '7.8.1', - '7.8', - '7.7.3', - '7.7.2', - '7.7.1', - '7.7']}], +{ 'affected': [ { 'database_specific': { 'source': 'http://localhost:8000/CURL-CVE-2022-32221.json', + 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'function_hash': '22968065415160735040135778472335782425', + 'length': 58084.0}, + 'id': 'CURL-CVE-2022-32221-9751f04c', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c', + 'function': 'Curl_vsetopt'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '73596727404438881622769716353410783065', + 
'150108665408450698810391826671290668314', + '264542534956227828232279400943172691231', + '248438938282829223471764231064667949049'], + 'threshold': 0.9}, + 'id': 'CURL-CVE-2022-32221-b7951194', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/curl/curl.git/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9', + 'target': { 'file': 'lib/setopt.c'}}]}, + 'ranges': [ { 'events': [ {'introduced': '7.7'}, + {'fixed': '7.86.0'}], + 'type': 'SEMVER'}, + { 'events': [ { 'introduced': '546572da0457f37c698c02d0a08d90fdfcbeedec'}, + { 'fixed': 'a64e3e59938abd7d667e4470a18072a24d7e9de9'}], + 'repo': 'https://github.com/curl/curl.git', + 'type': 'GIT'}], + 'versions': [ '7.85.0', + '7.84.0', + '7.83.1', + '7.83.0', + '7.82.0', + '7.81.0', + '7.80.0', + '7.79.1', + '7.79.0', + '7.78.0', + '7.77.0', + '7.76.1', + '7.76.0', + '7.75.0', + '7.74.0', + '7.73.0', + '7.72.0', + '7.71.1', + '7.71.0', + '7.70.0', + '7.69.1', + '7.69.0', + '7.68.0', + '7.67.0', + '7.66.0', + '7.65.3', + '7.65.2', + '7.65.1', + '7.65.0', + '7.64.1', + '7.64.0', + '7.63.0', + '7.62.0', + '7.61.1', + '7.61.0', + '7.60.0', + '7.59.0', + '7.58.0', + '7.57.0', + '7.56.1', + '7.56.0', + '7.55.1', + '7.55.0', + '7.54.1', + '7.54.0', + '7.53.1', + '7.53.0', + '7.52.1', + '7.52.0', + '7.51.0', + '7.50.3', + '7.50.2', + '7.50.1', + '7.50.0', + '7.49.1', + '7.49.0', + '7.48.0', + '7.47.1', + '7.47.0', + '7.46.0', + '7.45.0', + '7.44.0', + '7.43.0', + '7.42.1', + '7.42.0', + '7.41.0', + '7.40.0', + '7.39.0', + '7.38.0', + '7.37.1', + '7.37.0', + '7.36.0', + '7.35.0', + '7.34.0', + '7.33.0', + '7.32.0', + '7.31.0', + '7.30.0', + '7.29.0', + '7.28.1', + '7.28.0', + '7.27.0', + '7.26.0', + '7.25.0', + '7.24.0', + '7.23.1', + '7.23.0', + '7.22.0', + '7.21.7', + '7.21.6', + '7.21.5', + '7.21.4', + '7.21.3', + '7.21.2', + '7.21.1', + '7.21.0', + '7.20.1', + '7.20.0', + '7.19.7', + '7.19.6', + '7.19.5', + '7.19.4', + '7.19.3', + '7.19.2', + '7.19.1', + '7.19.0', + '7.18.2', + '7.18.1', + 
'7.18.0', + '7.17.1', + '7.17.0', + '7.16.4', + '7.16.3', + '7.16.2', + '7.16.1', + '7.16.0', + '7.15.5', + '7.15.4', + '7.15.3', + '7.15.2', + '7.15.1', + '7.15.0', + '7.14.1', + '7.14.0', + '7.13.2', + '7.13.1', + '7.13.0', + '7.12.3', + '7.12.2', + '7.12.1', + '7.12.0', + '7.11.2', + '7.11.1', + '7.11.0', + '7.10.8', + '7.10.7', + '7.10.6', + '7.10.5', + '7.10.4', + '7.10.3', + '7.10.2', + '7.10.1', + '7.10', + '7.9.8', + '7.9.7', + '7.9.6', + '7.9.5', + '7.9.4', + '7.9.3', + '7.9.2', + '7.9.1', + '7.9', + '7.8.1', + '7.8', + '7.7.3', + '7.7.2', + '7.7.1', + '7.7']}], 'aliases': ['CVE-2022-32221'], - 'credits': [ {'contact': [], 'name': 'Robby Simpson', 'type': 'FINDER'}, - { 'contact': [], - 'name': 'Daniel Stenberg', + 'credits': [ {'name': 'Robby Simpson', 'type': 'FINDER'}, + { 'name': 'Daniel Stenberg', 'type': 'REMEDIATION_DEVELOPER'}], 'database_specific': { 'CWE': { 'desc': 'Expected Behavior Violation', 'id': 'CWE-440'}, @@ -369,7 +197,6 @@ 'package': 'curl', 'severity': 'Medium', 'www': 'https://curl.se/docs/CVE-2022-32221.html'}, - 'db_id': 'CURL-CVE-2022-32221', 'details': 'When doing HTTP(S) transfers, libcurl might erroneously use ' 'the read callback\n' '(`CURLOPT_READFUNCTION`) to ask for data to send, even when ' 
@@ -387,41 +214,8 @@ 'The problem exists in the logic for a reused handle when it is ' 'changed from a\n' 'PUT to a POST.', - 'ecosystem': ['GIT'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2023, 5, 10, 0, 37, 6, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [], - 'public': True, - 'purl': [], - 'reference_url_types': {}, - 'regressed': '', - 'related': [], - 'search_indices': [ '2022', - '2022-32221', - '32221', - 'curl', - 'curl-cve', - 'curl-cve-2022', - 'curl-cve-2022-32221', - 'curl.git', - 'cve', - 'cve-2022', - 'cve-2022-32221', - 'git', - 'github.com/curl/curl.git', - 'https://github.com/curl/curl.git'], - 'search_tags': ['curl-cve-2022-32221'], - 'semver_fixed_indexes': ['00000007.00000086.00000000-zzzzzzzzzzzzzzzz'], - 'severities': [], - 'source': 'source', - 'source_id': 'source:CURL-CVE-2022-32221.json', - 'source_of_truth': 1, - 'status': 1, - 'summary': 'POST following PUT confusion', - 'timestamp': DatetimeWithNanoseconds(2022, 10, 26, 8, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'CURL-CVE-2022-32221', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2022-10-26T08:00:00Z', + 'schema_version': '1.7.3', + 'summary': 'POST following PUT confusion'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt b/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt index f3b59017be9..f528ee84c41 100644 --- a/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt +++ b/gcp/workers/worker/testdata/UpdateTest_last_affected_git.txt 
@@ -1,66 +1,12 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': ['0-1-1', '0-2'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': '', - 'name': '', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'last_affected', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': ['v0.1.1', 'v0.2']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-TEST-last-affected-01', +{ 'affected': [ { 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'last_affected': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': ['v0.1.1', 'v0.2']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [], - 'public': True, - 'purl': [], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '01', - 'affected', - 'affected-01', - 'git', - 'https://osv-test/repo/url', - 'last', - 'last-affected', - 'last-affected-01', - 'osv', - 'osv-test', - 'osv-test-last', - 'osv-test-last-affected', - 'osv-test-last-affected-01', - 'osv-test/repo/url', - 'repo', - 'test', - 'test-last', - 'test-last-affected', - 'test-last-affected-01', - 'url'], - 'search_tags': ['osv-test-last-affected-01'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-TEST-last-affected-01.yaml', - 
'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-TEST-last-affected-01', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt index db898e1515c..f0dd9538315 100644 --- a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt +++ b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi.txt 
@@ -1,63 +1,17 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'scrapy', - 'purl': 'pkg:pypi/scrapy'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.14.2'}, - { 'type': 'fixed', - 'value': '1.31.0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': []}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'PYSEC-456', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'scrapy', + 'purl': 'pkg:pypi/scrapy'}, + 'ranges': [ { 'events': [ { 'introduced': '1.14.2'}, + {'fixed': '1.31.0'}], + 'type': 'ECOSYSTEM'}, + { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}]}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['scrapy'], - 'public': True, - 'purl': ['pkg:pypi/scrapy'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '456', - 'git', - 'https://osv-test/repo/url', - 'osv-test/repo/url', - 'pypi', - 'pysec', - 'pysec-456', - 'repo', - 'scrapy', - 'url'], - 'search_tags': ['pysec-456', 'scrapy'], - 'semver_fixed_indexes': [], - 'severities': 
[], - 'source': 'source', - 'source_id': 'source:PYSEC-456.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability in an unnormalized package', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'PYSEC-456', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability in an unnormalized package'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt index d97673f2dc1..dee3a939577 100644 --- a/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt +++ b/gcp/workers/worker/testdata/UpdateTest_normalized_pypi_pubsub_calls.txt 
@@ -1 +1 @@ -[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-456", "summary": "A vulnerability in an unnormalized package", "details": "Blah blah blah\\nBlah\\n", "modified": "2022-10-07T18:59:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "scrapy", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": []}]}')] \ No newline at end of file +[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-456", "summary": "A vulnerability in an unnormalized package", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "published": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "scrapy", "ecosystem": "PyPI", "purl": "pkg:pypi/scrapy"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": []}], "schema_version": "1.7.3"}')] \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt b/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt index 1180b274143..32a1b96792f 100644 --- a/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt +++ b/gcp/workers/worker/testdata/UpdateTest_pypi_pubsub_calls.txt 
@@ -1 +1 @@ -[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-123", "summary": "A vulnerability", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "grpcio", "ecosystem": "PyPI"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": ["1.14.2", "1.15.0", "1.15.0rc1", "1.16.0", "1.16.0rc1", "1.16.1", "1.17.0", "1.17.1", "1.18.0", "1.19.0", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.1", "1.21.0rc1", "1.21.1", "1.21.1rc1", "1.22.0", "1.22.0rc1", "1.22.1", "1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.1", "1.24.3", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.27.0rc1", "1.27.0rc2", "1.27.1", "1.27.2", "1.28.0rc1", "1.28.0rc2", "1.28.1", "1.29.0", "1.30.0"]}]}')] \ No newline at end of file +[call('projects/test-osv/topics/pypi-bridge', data=b'{"id": "PYSEC-123", "summary": "A vulnerability", "details": "Blah blah blah\\nBlah\\n", "modified": "3000-01-01T00:00:00Z", "published": "3000-01-01T00:00:00Z", "references": [{"type": "WEB", "url": "https://ref.com/ref"}], "affected": [{"package": {"name": "grpcio", "ecosystem": "PyPI", "purl": "pkg:pypi/grpcio"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.14.2"}, {"fixed": "1.31.0"}]}, {"type": "GIT", "repo": "https://osv-test/repo/url", "events": [{"introduced": "eefe8ec3f1f90d0e684890e810f3f21e8500a4cd"}, {"fixed": "8d8242f545e9cec3e6d0d2e3f5bde8be1c659735"}]}], "versions": ["1.14.2", "1.15.0", "1.15.0rc1", "1.16.0", "1.16.0rc1", "1.16.1", "1.17.0", "1.17.1", "1.18.0", "1.19.0", "1.20.0", "1.20.0rc1", "1.20.0rc2", "1.20.0rc3", "1.20.1", "1.21.0rc1", "1.21.1", "1.21.1rc1", "1.22.0", "1.22.0rc1", "1.22.1", 
"1.23.0", "1.23.0rc1", "1.23.1", "1.24.0", "1.24.0rc1", "1.24.1", "1.24.3", "1.25.0", "1.25.0rc1", "1.26.0", "1.26.0rc1", "1.27.0rc1", "1.27.0rc2", "1.27.1", "1.27.2", "1.28.0rc1", "1.28.0rc2", "1.28.1", "1.29.0", "1.30.0"]}], "schema_version": "1.7.3"}')] \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt b/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt index 07664040628..a79a031c48b 100644 --- a/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt +++ b/gcp/workers/worker/testdata/UpdateTest_ubuntu_severity_type.txt 
@@ -1,380 +1,189 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '3.11.0-12.19', - '3.12.0-1.3', - '3.12.0-2.5', - '3.12.0-2.7', - '3.12.0-3.8', - '3.12.0-3.9', - '3.12.0-4.10', - '3.12.0-4.12', - '3.12.0-5.13', - '3.12.0-7.15', - '3.13.0-1.16', - '3.13.0-10.30', - '3.13.0-100.147', - '3.13.0-101.148', - '3.13.0-103.150', - '3.13.0-105.152', - '3.13.0-106.153', - '3.13.0-107.154', - '3.13.0-108.155', - '3.13.0-109.156', - '3.13.0-11.31', - '3.13.0-110.157', - '3.13.0-111.158', - '3.13.0-112.159', - '3.13.0-113.160', - '3.13.0-115.162', - '3.13.0-116.163', - '3.13.0-117.164', - '3.13.0-119.166', - '3.13.0-12.32', - '3.13.0-121.170', - '3.13.0-123.172', - '3.13.0-125.174', - '3.13.0-126.175', - '3.13.0-128.177', - '3.13.0-129.178', - '3.13.0-13.33', - '3.13.0-132.181', - '3.13.0-133.182', - '3.13.0-135.184', - '3.13.0-137.186', - '3.13.0-139.188', - '3.13.0-14.34', - '3.13.0-141.190', - '3.13.0-142.191', - '3.13.0-143.192', - '3.13.0-144.193', - '3.13.0-145.194', - '3.13.0-147.196', - '3.13.0-149.199', - '3.13.0-15.35', - '3.13.0-151.201', - '3.13.0-153.203', - '3.13.0-155.205', - '3.13.0-156.206', - '3.13.0-157.207', - '3.13.0-158.208', - '3.13.0-16.36', - '3.13.0-160.210', - '3.13.0-161.211', - '3.13.0-162.212', - '3.13.0-163.213', - '3.13.0-164.214', - '3.13.0-165.215', - '3.13.0-166.216', - '3.13.0-167.217', - '3.13.0-168.218', - '3.13.0-169.219', - '3.13.0-17.37', - '3.13.0-170.220', - '3.13.0-173.224', - '3.13.0-174.225', - '3.13.0-175.226', - '3.13.0-176.227', - '3.13.0-18.38', - '3.13.0-180.231', - '3.13.0-181.232', - '3.13.0-182.233', - '3.13.0-183.234', - '3.13.0-184.235', - '3.13.0-185.236', - '3.13.0-186.237', - '3.13.0-187.238', - '3.13.0-188.239', - '3.13.0-189.240', - '3.13.0-19.39', - '3.13.0-19.40', - '3.13.0-190.241', - '3.13.0-191.242', - '3.13.0-192.243', - '3.13.0-193.244', - '3.13.0-194.245', - '3.13.0-195.246', - '3.13.0-196.247', - '3.13.0-197.248', - '3.13.0-198.249', - '3.13.0-199.250', - '3.13.0-2.17', - 
'3.13.0-20.42', - '3.13.0-200.251', - '3.13.0-201.252', - '3.13.0-202.253', - '3.13.0-203.254', - '3.13.0-204.255', - '3.13.0-205.256', - '3.13.0-206.257', - '3.13.0-21.43', - '3.13.0-22.44', - '3.13.0-23.45', - '3.13.0-24.46', - '3.13.0-24.47', - '3.13.0-27.50', - '3.13.0-29.53', - '3.13.0-3.18', - '3.13.0-30.54', - '3.13.0-30.55', - '3.13.0-32.57', - '3.13.0-33.58', - '3.13.0-34.60', - '3.13.0-35.62', - '3.13.0-36.63', - '3.13.0-37.64', - '3.13.0-39.66', - '3.13.0-4.19', - '3.13.0-40.69', - '3.13.0-41.70', - '3.13.0-43.72', - '3.13.0-44.73', - '3.13.0-45.74', - '3.13.0-46.75', - '3.13.0-46.76', - '3.13.0-46.77', - '3.13.0-46.79', - '3.13.0-48.80', - '3.13.0-49.81', - '3.13.0-49.83', - '3.13.0-5.20', - '3.13.0-51.84', - '3.13.0-52.85', - '3.13.0-52.86', - '3.13.0-53.88', - '3.13.0-53.89', - '3.13.0-54.91', - '3.13.0-55.92', - '3.13.0-55.94', - '3.13.0-57.95', - '3.13.0-58.97', - '3.13.0-59.98', - '3.13.0-6.23', - '3.13.0-61.100', - '3.13.0-62.102', - '3.13.0-63.103', - '3.13.0-65.105', - '3.13.0-65.106', - '3.13.0-66.108', - '3.13.0-67.110', - '3.13.0-68.111', - '3.13.0-7.25', - '3.13.0-7.26', - '3.13.0-70.113', - '3.13.0-71.114', - '3.13.0-73.116', - '3.13.0-74.118', - '3.13.0-76.120', - '3.13.0-77.121', - '3.13.0-79.123', - '3.13.0-8.27', - '3.13.0-8.28', - '3.13.0-83.127', - '3.13.0-85.129', - '3.13.0-86.130', - '3.13.0-86.131', - '3.13.0-87.133', - '3.13.0-88.135', - '3.13.0-91.138', - '3.13.0-92.139', - '3.13.0-93.140', - '3.13.0-95.142', - '3.13.0-96.143', - '3.13.0-98.145'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Ubuntu:Pro:14.04:LTS', - 'name': 'linux', - 'purl': 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '3.11.0-12.19', - '3.12.0-1.3', - '3.12.0-2.5', - '3.12.0-2.7', - 
'3.12.0-3.8', - '3.12.0-3.9', - '3.12.0-4.10', - '3.12.0-4.12', - '3.12.0-5.13', - '3.12.0-7.15', - '3.13.0-1.16', - '3.13.0-2.17', - '3.13.0-3.18', - '3.13.0-4.19', - '3.13.0-5.20', - '3.13.0-6.23', - '3.13.0-7.25', - '3.13.0-7.26', - '3.13.0-8.27', - '3.13.0-8.28', - '3.13.0-10.30', - '3.13.0-11.31', - '3.13.0-12.32', - '3.13.0-13.33', - '3.13.0-14.34', - '3.13.0-15.35', - '3.13.0-16.36', - '3.13.0-17.37', - '3.13.0-18.38', - '3.13.0-19.39', - '3.13.0-19.40', - '3.13.0-20.42', - '3.13.0-21.43', - '3.13.0-22.44', - '3.13.0-23.45', - '3.13.0-24.46', - '3.13.0-24.47', - '3.13.0-27.50', - '3.13.0-29.53', - '3.13.0-30.54', - '3.13.0-30.55', - '3.13.0-32.57', - '3.13.0-33.58', - '3.13.0-34.60', - '3.13.0-35.62', - '3.13.0-36.63', - '3.13.0-37.64', - '3.13.0-39.66', - '3.13.0-40.69', - '3.13.0-41.70', - '3.13.0-43.72', - '3.13.0-44.73', - '3.13.0-45.74', - '3.13.0-46.75', - '3.13.0-46.76', - '3.13.0-46.77', - '3.13.0-46.79', - '3.13.0-48.80', - '3.13.0-49.81', - '3.13.0-49.83', - '3.13.0-51.84', - '3.13.0-52.85', - '3.13.0-52.86', - '3.13.0-53.88', - '3.13.0-53.89', - '3.13.0-54.91', - '3.13.0-55.92', - '3.13.0-55.94', - '3.13.0-57.95', - '3.13.0-58.97', - '3.13.0-59.98', - '3.13.0-61.100', - '3.13.0-62.102', - '3.13.0-63.103', - '3.13.0-65.105', - '3.13.0-65.106', - '3.13.0-66.108', - '3.13.0-67.110', - '3.13.0-68.111', - '3.13.0-70.113', - '3.13.0-71.114', - '3.13.0-73.116', - '3.13.0-74.118', - '3.13.0-76.120', - '3.13.0-77.121', - '3.13.0-79.123', - '3.13.0-83.127', - '3.13.0-85.129', - '3.13.0-86.130', - '3.13.0-86.131', - '3.13.0-87.133', - '3.13.0-88.135', - '3.13.0-91.138', - '3.13.0-92.139', - '3.13.0-93.140', - '3.13.0-95.142', - '3.13.0-96.143', - '3.13.0-98.145', - '3.13.0-100.147', - '3.13.0-101.148', - '3.13.0-103.150', - '3.13.0-105.152', - '3.13.0-106.153', - '3.13.0-107.154', - '3.13.0-108.155', - '3.13.0-109.156', - '3.13.0-110.157', - '3.13.0-111.158', - '3.13.0-112.159', - '3.13.0-113.160', - '3.13.0-115.162', - '3.13.0-116.163', - '3.13.0-117.164', 
- '3.13.0-119.166', - '3.13.0-121.170', - '3.13.0-123.172', - '3.13.0-125.174', - '3.13.0-126.175', - '3.13.0-128.177', - '3.13.0-129.178', - '3.13.0-132.181', - '3.13.0-133.182', - '3.13.0-135.184', - '3.13.0-137.186', - '3.13.0-139.188', - '3.13.0-141.190', - '3.13.0-142.191', - '3.13.0-143.192', - '3.13.0-144.193', - '3.13.0-145.194', - '3.13.0-147.196', - '3.13.0-149.199', - '3.13.0-151.201', - '3.13.0-153.203', - '3.13.0-155.205', - '3.13.0-156.206', - '3.13.0-157.207', - '3.13.0-158.208', - '3.13.0-160.210', - '3.13.0-161.211', - '3.13.0-162.212', - '3.13.0-163.213', - '3.13.0-164.214', - '3.13.0-165.215', - '3.13.0-166.216', - '3.13.0-167.217', - '3.13.0-168.218', - '3.13.0-169.219', - '3.13.0-170.220', - '3.13.0-173.224', - '3.13.0-174.225', - '3.13.0-175.226', - '3.13.0-176.227', - '3.13.0-180.231', - '3.13.0-181.232', - '3.13.0-182.233', - '3.13.0-183.234', - '3.13.0-184.235', - '3.13.0-185.236', - '3.13.0-186.237', - '3.13.0-187.238', - '3.13.0-188.239', - '3.13.0-189.240', - '3.13.0-190.241', - '3.13.0-191.242', - '3.13.0-192.243', - '3.13.0-193.244', - '3.13.0-194.245', - '3.13.0-195.246', - '3.13.0-196.247', - '3.13.0-197.248', - '3.13.0-198.249', - '3.13.0-199.250', - '3.13.0-200.251', - '3.13.0-201.252', - '3.13.0-202.253', - '3.13.0-203.254', - '3.13.0-204.255', - '3.13.0-205.256', - '3.13.0-206.257']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'UBUNTU-CVE-2025-38094', +{ 'affected': [ { 'ecosystem_specific': {}, + 'package': { 'ecosystem': 'Ubuntu:Pro:14.04:LTS', + 'name': 'linux', + 'purl': 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'}, + 'ranges': [ { 'events': [{'introduced': '0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '3.11.0-12.19', + '3.12.0-1.3', + '3.12.0-2.5', + '3.12.0-2.7', + '3.12.0-3.8', + '3.12.0-3.9', + '3.12.0-4.10', + '3.12.0-4.12', + '3.12.0-5.13', + '3.12.0-7.15', + '3.13.0-1.16', + '3.13.0-2.17', + '3.13.0-3.18', + '3.13.0-4.19', + '3.13.0-5.20', + 
'3.13.0-6.23', + '3.13.0-7.25', + '3.13.0-7.26', + '3.13.0-8.27', + '3.13.0-8.28', + '3.13.0-10.30', + '3.13.0-11.31', + '3.13.0-12.32', + '3.13.0-13.33', + '3.13.0-14.34', + '3.13.0-15.35', + '3.13.0-16.36', + '3.13.0-17.37', + '3.13.0-18.38', + '3.13.0-19.39', + '3.13.0-19.40', + '3.13.0-20.42', + '3.13.0-21.43', + '3.13.0-22.44', + '3.13.0-23.45', + '3.13.0-24.46', + '3.13.0-24.47', + '3.13.0-27.50', + '3.13.0-29.53', + '3.13.0-30.54', + '3.13.0-30.55', + '3.13.0-32.57', + '3.13.0-33.58', + '3.13.0-34.60', + '3.13.0-35.62', + '3.13.0-36.63', + '3.13.0-37.64', + '3.13.0-39.66', + '3.13.0-40.69', + '3.13.0-41.70', + '3.13.0-43.72', + '3.13.0-44.73', + '3.13.0-45.74', + '3.13.0-46.75', + '3.13.0-46.76', + '3.13.0-46.77', + '3.13.0-46.79', + '3.13.0-48.80', + '3.13.0-49.81', + '3.13.0-49.83', + '3.13.0-51.84', + '3.13.0-52.85', + '3.13.0-52.86', + '3.13.0-53.88', + '3.13.0-53.89', + '3.13.0-54.91', + '3.13.0-55.92', + '3.13.0-55.94', + '3.13.0-57.95', + '3.13.0-58.97', + '3.13.0-59.98', + '3.13.0-61.100', + '3.13.0-62.102', + '3.13.0-63.103', + '3.13.0-65.105', + '3.13.0-65.106', + '3.13.0-66.108', + '3.13.0-67.110', + '3.13.0-68.111', + '3.13.0-70.113', + '3.13.0-71.114', + '3.13.0-73.116', + '3.13.0-74.118', + '3.13.0-76.120', + '3.13.0-77.121', + '3.13.0-79.123', + '3.13.0-83.127', + '3.13.0-85.129', + '3.13.0-86.130', + '3.13.0-86.131', + '3.13.0-87.133', + '3.13.0-88.135', + '3.13.0-91.138', + '3.13.0-92.139', + '3.13.0-93.140', + '3.13.0-95.142', + '3.13.0-96.143', + '3.13.0-98.145', + '3.13.0-100.147', + '3.13.0-101.148', + '3.13.0-103.150', + '3.13.0-105.152', + '3.13.0-106.153', + '3.13.0-107.154', + '3.13.0-108.155', + '3.13.0-109.156', + '3.13.0-110.157', + '3.13.0-111.158', + '3.13.0-112.159', + '3.13.0-113.160', + '3.13.0-115.162', + '3.13.0-116.163', + '3.13.0-117.164', + '3.13.0-119.166', + '3.13.0-121.170', + '3.13.0-123.172', + '3.13.0-125.174', + '3.13.0-126.175', + '3.13.0-128.177', + '3.13.0-129.178', + '3.13.0-132.181', + '3.13.0-133.182', + 
'3.13.0-135.184', + '3.13.0-137.186', + '3.13.0-139.188', + '3.13.0-141.190', + '3.13.0-142.191', + '3.13.0-143.192', + '3.13.0-144.193', + '3.13.0-145.194', + '3.13.0-147.196', + '3.13.0-149.199', + '3.13.0-151.201', + '3.13.0-153.203', + '3.13.0-155.205', + '3.13.0-156.206', + '3.13.0-157.207', + '3.13.0-158.208', + '3.13.0-160.210', + '3.13.0-161.211', + '3.13.0-162.212', + '3.13.0-163.213', + '3.13.0-164.214', + '3.13.0-165.215', + '3.13.0-166.216', + '3.13.0-167.217', + '3.13.0-168.218', + '3.13.0-169.219', + '3.13.0-170.220', + '3.13.0-173.224', + '3.13.0-174.225', + '3.13.0-175.226', + '3.13.0-176.227', + '3.13.0-180.231', + '3.13.0-181.232', + '3.13.0-182.233', + '3.13.0-183.234', + '3.13.0-184.235', + '3.13.0-185.236', + '3.13.0-186.237', + '3.13.0-187.238', + '3.13.0-188.239', + '3.13.0-189.240', + '3.13.0-190.241', + '3.13.0-191.242', + '3.13.0-192.243', + '3.13.0-193.244', + '3.13.0-194.245', + '3.13.0-195.246', + '3.13.0-196.247', + '3.13.0-197.248', + '3.13.0-198.249', + '3.13.0-199.250', + '3.13.0-200.251', + '3.13.0-201.252', + '3.13.0-202.253', + '3.13.0-203.254', + '3.13.0-204.255', + '3.13.0-205.256', + '3.13.0-206.257']}], 'details': 'In the Linux kernel, the following vulnerability has been ' 'resolved: net: cadence: macb: Fix a possible deadlock in ' 'macb_halt_tx. There is a situation where after THALT is set ' 
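Review bot: The new Ubuntu expectation emits `'ecosystem_specific': {}` on the affected entry while the Go and Alpine expectations in this same patch omit the key entirely, which suggests the serializer drops `None` but keeps an empty dict; an empty `ecosystem_specific` carries no information and makes the output shape depend on how the importer initialised the field. If that is not deliberate, treating an empty mapping like `None` in the exporter (one condition, roughly `if entry.ecosystem_specific:`) would make the three fixtures consistent. The record's only range event is `{'introduced': '0'}` with no `fixed` event, so every listed version is reported affected even though the purl pins `3.13.0-206.257`; that is pre-existing data rather than something this change introduces, but it is worth a glance while the fixture is being rewritten.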
@@ -384,54 +193,29 @@ 'noticed on a sama5d4 device that stayed locked for days. Use ' 'retries instead of jiffies so that the timeout really works ' 'and we do not have a deadlock anymore.', - 'ecosystem': ['Ubuntu', 'Ubuntu:14.04', 'Ubuntu:Pro:14.04:LTS'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['linux'], - 'public': True, - 'purl': [ 'pkg:deb/ubuntu/linux@3.13.0-206.257', - 'pkg:deb/ubuntu/linux@3.13.0-206.257?arch=source&distro=esm-infra-legacy/trusty'], - 'reference_url_types': { 'https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', - 'https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d': 'REPORT', - 'https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4': 'REPORT', - 'https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48': 'REPORT', - 'https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2': 'REPORT', - 'https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37': 'REPORT', - 'https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7': 'REPORT', - 'https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f': 'REPORT', - 'https://ubuntu.com/security/CVE-2025-38094': 'REPORT', - 'https://www.cve.org/CVERecord?id=CVE-2025-38094': 'REPORT'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '04', - '14', - '2025', - '2025-38094', - '38094', - 'cve', - 'cve-2025', - 'cve-2025-38094', - 'linux', - 'lts', - 'pro', - 'ubuntu', - 'ubuntu-cve', - 'ubuntu-cve-2025', - 'ubuntu-cve-2025-38094', - 'ubuntu:14.04', - 'ubuntu:pro:14.04:lts'], - 'search_tags': ['linux', 'ubuntu-cve-2025-38094'], - 'semver_fixed_indexes': [], - 'severities': [{'score': 'medium', 'type': 'Ubuntu'}], - 
'source': 'source', - 'source_id': 'source:UBUNTU-CVE-2025-38094.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': '', - 'timestamp': DatetimeWithNanoseconds(2025, 7, 4, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': ['CVE-2025-38094'], - 'withdrawn': None} \ No newline at end of file + 'id': 'UBUNTU-CVE-2025-38094', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2025-07-04T00:00:00Z', + 'references': [ { 'type': 'REPORT', + 'url': 'https://ubuntu.com/security/CVE-2025-38094'}, + { 'type': 'REPORT', + 'url': 'https://www.cve.org/CVERecord?id=CVE-2025-38094'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/linus/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7'}, + { 'type': 'REPORT', + 'url': 'https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f'}], + 'schema_version': '1.7.3', + 'severity': [{'score': 'medium', 'type': 'Ubuntu'}], + 'upstream': ['CVE-2025-38094']} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update.txt b/gcp/workers/worker/testdata/UpdateTest_update.txt index 654da618d93..11f21ecb72f 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update.txt 
@@ -1,70 +1,23 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Go', - 'name': 'blah.com/package', - 'purl': 'pkg:golang/blah.com/package'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'introduced', - 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1']}], - 'aliases': [], - 'credits': [ { 'contact': ['mailto:foo@bar.com'], - 'name': 'Foo bar', - 'type': None}], +{ 'affected': [ { 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'introduced': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], + 'credits': [{'contact': ['mailto:foo@bar.com'], 'name': 'Foo bar'}], 'database_specific': {'specific': 1337.0}, - 'db_id': 'OSV-123', 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 
'project': ['blah.com/package'], - 'public': True, - 'purl': ['pkg:golang/blah.com/package'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '123', - 'blah', - 'blah.com/package', - 'com', - 'git', - 'go', - 'https://osv-test/repo/url', - 'osv', - 'osv-123', - 'osv-test/repo/url', - 'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-123'], - 'semver_fixed_indexes': [], - 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L', - 'type': 'CVSS_V3'}], - 'source': 'source', - 'source_id': 'source:OSV-123.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': None, - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-123', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'severity': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L', + 'type': 'CVSS_V3'}], + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt b/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt index f1001d855f0..bc29cb45861 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_alpine.txt 
@@ -1,689 +1,510 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.15-r0', - '10.4.17-r0', - '10.4.17-r1', - '10.4.18-r0', - '10.4.19-r0', - '10.4.21-r0', - '10.4.22-r0', - '10.4.24-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.10-r0', - '10.5.11-r0', - '10.5.11-r1', - '10.5.12-r0', - '10.5.13-r0', - '10.5.15-r0', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '10.6.3-r0', - '10.6.4-r0', - '10.6.4-r1', - '10.6.4-r2', - '10.6.7-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.12', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 
'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.4.25-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.15-r0', - '10.4.17-r0', - '10.4.17-r1', - '10.4.18-r0', - '10.4.19-r0', - '10.4.21-r0', - '10.4.22-r0', - '10.4.24-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.13', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.5.16-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - 
'10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.10-r0', - '10.5.11-r0', - '10.5.12-r0', - '10.5.13-r0', - '10.5.15-r0', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.14', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.5.16-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', 
- '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.11-r0', - '10.5.12-r0', - '10.5.13-r0', - '10.5.15-r0', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.15', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.6.8-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', 
- '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - '10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.11-r0', - '10.5.11-r1', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '10.6.3-r0', - '10.6.4-r0', - '10.6.4-r1', - '10.6.4-r2', - '10.6.7-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}, - { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Alpine:v3.16', - 'name': 'mariadb', - 'purl': 'pkg:alpine/mariadb'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '10.6.8-r0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '10.0.21-r0', - '10.0.21-r1', - '10.0.21-r2', - '10.1.11-r0', - '10.1.11-r1', - '10.1.12-r0', - '10.1.12-r1', - '10.1.13-r0', - '10.1.13-r1', - '10.1.14-r0', - '10.1.14-r1', - '10.1.14-r2', - '10.1.14-r3', - '10.1.16-r0', - '10.1.17-r0', - '10.1.17-r1', - '10.1.18-r0', - '10.1.18-r1', - '10.1.19-r0', - '10.1.20-r0', - '10.1.21-r0', - '10.1.22-r0', - '10.1.22-r1', - '10.1.22-r2', - '10.1.24-r0', - '10.1.26-r0', - '10.1.28-r0', - '10.1.28-r1', - '10.1.28-r2', - '10.1.31-r0', - '10.1.8-r0', - '10.1.8-r1', - '10.1.9-r0', - '10.1.9-r1', - '10.1.9-r2', - 
'10.1.9-r3', - '10.2.13-r0', - '10.2.13-r1', - '10.2.14-r0', - '10.2.14-r1', - '10.2.14-r2', - '10.2.15-r0', - '10.3.10-r0', - '10.3.10-r1', - '10.3.11-r0', - '10.3.12-r0', - '10.3.12-r1', - '10.3.12-r2', - '10.3.13-r0', - '10.3.13-r1', - '10.3.13-r2', - '10.3.13-r3', - '10.3.13-r4', - '10.3.15-r0', - '10.3.16-r0', - '10.3.9-r0', - '10.3.9-r1', - '10.3.9-r2', - '10.4.10-r0', - '10.4.10-r1', - '10.4.11-r0', - '10.4.12-r0', - '10.4.13-r0', - '10.4.13-r1', - '10.4.14-r0', - '10.4.6-r0', - '10.4.6-r1', - '10.4.7-r0', - '10.4.8-r0', - '10.5.11-r0', - '10.5.11-r1', - '10.5.5-r0', - '10.5.6-r0', - '10.5.8-r0', - '10.5.9-r0', - '10.6.3-r0', - '10.6.4-r0', - '10.6.4-r1', - '10.6.4-r2', - '10.6.7-r0', - '5.5.41-r0', - '5.5.41-r1', - '5.5.41-r2', - '5.5.42-r0', - '5.5.42-r1', - '5.5.42-r2', - '5.5.42-r3', - '5.5.42-r4', - '5.5.43-r0', - '5.5.43-r1', - '5.5.43-r2', - '5.5.43-r3', - '5.5.43-r4', - '5.5.43-r5']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'CVE-2022-27449', +{ 'affected': [ { 'package': { 'ecosystem': 'Alpine:v3.12', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '10.4.25-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', 
+ '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.15-r0', + '10.4.17-r0', + '10.4.17-r1', + '10.4.18-r0', + '10.4.19-r0', + '10.4.21-r0', + '10.4.22-r0', + '10.4.24-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.13', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '10.5.16-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.10-r0', + '10.5.11-r0', + '10.5.12-r0', + 
'10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.14', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '10.5.16-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.12-r0', + '10.5.13-r0', + '10.5.15-r0', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.15', + 
'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + {'fixed': '10.6.8-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + '10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}, + { 'package': { 'ecosystem': 'Alpine:v3.16', + 'name': 'mariadb', + 'purl': 'pkg:alpine/mariadb'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + {'fixed': '10.6.8-r0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '10.0.21-r0', + '10.0.21-r1', + '10.0.21-r2', + '10.1.11-r0', + '10.1.11-r1', + '10.1.12-r0', + '10.1.12-r1', + '10.1.13-r0', + '10.1.13-r1', + 
'10.1.14-r0', + '10.1.14-r1', + '10.1.14-r2', + '10.1.14-r3', + '10.1.16-r0', + '10.1.17-r0', + '10.1.17-r1', + '10.1.18-r0', + '10.1.18-r1', + '10.1.19-r0', + '10.1.20-r0', + '10.1.21-r0', + '10.1.22-r0', + '10.1.22-r1', + '10.1.22-r2', + '10.1.24-r0', + '10.1.26-r0', + '10.1.28-r0', + '10.1.28-r1', + '10.1.28-r2', + '10.1.31-r0', + '10.1.8-r0', + '10.1.8-r1', + '10.1.9-r0', + '10.1.9-r1', + '10.1.9-r2', + '10.1.9-r3', + '10.2.13-r0', + '10.2.13-r1', + '10.2.14-r0', + '10.2.14-r1', + '10.2.14-r2', + '10.2.15-r0', + '10.3.10-r0', + '10.3.10-r1', + '10.3.11-r0', + '10.3.12-r0', + '10.3.12-r1', + '10.3.12-r2', + '10.3.13-r0', + '10.3.13-r1', + '10.3.13-r2', + '10.3.13-r3', + '10.3.13-r4', + '10.3.15-r0', + '10.3.16-r0', + '10.3.9-r0', + '10.3.9-r1', + '10.3.9-r2', + '10.4.10-r0', + '10.4.10-r1', + '10.4.11-r0', + '10.4.12-r0', + '10.4.13-r0', + '10.4.13-r1', + '10.4.14-r0', + '10.4.6-r0', + '10.4.6-r1', + '10.4.7-r0', + '10.4.8-r0', + '10.5.11-r0', + '10.5.11-r1', + '10.5.5-r0', + '10.5.6-r0', + '10.5.8-r0', + '10.5.9-r0', + '10.6.3-r0', + '10.6.4-r0', + '10.6.4-r1', + '10.6.4-r2', + '10.6.7-r0', + '5.5.41-r0', + '5.5.41-r1', + '5.5.41-r2', + '5.5.42-r0', + '5.5.42-r1', + '5.5.42-r2', + '5.5.42-r3', + '5.5.42-r4', + '5.5.43-r0', + '5.5.43-r1', + '5.5.43-r2', + '5.5.43-r3', + '5.5.43-r4', + '5.5.43-r5']}], 'details': 'MariaDB Server v10.9 and below was discovered to contain a ' 'segmentation fault via the component sql/item_func.cc:148.', - 'ecosystem': [ 'Alpine', - 'Alpine:v3.12', - 'Alpine:v3.13', - 'Alpine:v3.14', - 'Alpine:v3.15', - 'Alpine:v3.16'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['mariadb'], - 'public': True, - 'purl': ['pkg:alpine/mariadb'], - 'reference_url_types': { 
'https://jira.mariadb.org/browse/MDEV-28089': 'WEB', - 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html': 'WEB', - 'https://security.netapp.com/advisory/ntap-20220526-0006/': 'ADVISORY'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '12', - '13', - '14', - '15', - '16', - '2022', - '2022-27449', - '27449', - 'alpine', - 'alpine:v3.12', - 'alpine:v3.13', - 'alpine:v3.14', - 'alpine:v3.15', - 'alpine:v3.16', - 'cve', - 'cve-2022', - 'cve-2022-27449', - 'mariadb', - 'v3'], - 'search_tags': ['cve-2022-27449', 'mariadb'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:CVE-2022-27449.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': '', - 'timestamp': DatetimeWithNanoseconds(2022, 4, 14, 13, 15, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'CVE-2022-27449', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2022-04-14T13:15:00Z', + 'references': [ { 'type': 'EVIDENCE', + 'url': 'https://jira.mariadb.org/browse/MDEV-28089'}, + { 'type': 'REPORT', + 'url': 'https://jira.mariadb.org/browse/MDEV-28089'}, + { 'type': 'FIX', + 'url': 'https://jira.mariadb.org/browse/MDEV-28089'}, + { 'type': 'WEB', + 'url': 'https://jira.mariadb.org/browse/MDEV-28089'}, + { 'type': 'ADVISORY', + 'url': 'https://security.netapp.com/advisory/ntap-20220526-0006/'}, + { 'type': 'ARTICLE', + 'url': 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html'}, + { 'type': 'WEB', + 'url': 'https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html'}], + 'schema_version': '1.7.3'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt b/gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt new file mode 100644 index 00000000000..d5828e36cba --- /dev/null +++ b/gcp/workers/worker/testdata/UpdateTest_update_bad_ecosystem_new.txt 
@@ -0,0 +1,7 @@
+{ 'details': 'Blah blah blah\nBlah\n',
+ 'id': 'OSV-129',
+ 'modified': '3000-01-01T00:00:00Z',
+ 'published': '3000-01-01T00:00:00Z',
+ 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}],
+ 'schema_version': '1.7.3',
+ 'summary': 'A vulnerability'}
\ No newline at end of file
diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt b/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt
index 184148e93f4..17143e52ecd 100644
--- a/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt
+++ b/gcp/workers/worker/testdata/UpdateTest_update_bucket_0.txt
@@ -1,104 +1,37 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/runc/libcontainer/apparmor', - 'symbols': [ 'ApplyProfile']}, - { 'path': 'github.com/opencontainers/runc/libcontainer/utils', - 'symbols': [ 'CloseExecFrom']}]}, - 'package': { 'ecosystem': 'Go', - 'name': 'github.com/opencontainers/runc', - 'purl': 'pkg:golang/github.com/opencontainers/runc'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '1.0.0-rc8.0.20190930145003-cad42f6e0932'}], - 'repo_url': '', - 'type': 'SEMVER'}], - 'severities': [], - 'versions': []}, - { 'database_specific': None, - 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/selinux/go-selinux', - 'symbols': [ 'readCon', - 'writeCon']}]}, - 'package': { 'ecosystem': 'Go', - 'name': 'github.com/opencontainers/selinux', - 'purl': 'pkg:golang/github.com/opencontainers/selinux'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '1.3.1-0.20190929122143-5215b1806f52'}], - 'repo_url': '', - 'type': 'SEMVER'}], - 'severities': [], - 'versions': []}], +{ 'affected': [ { 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/runc/libcontainer/apparmor', + 'symbols': [ 'ApplyProfile']}, + { 'path': 'github.com/opencontainers/runc/libcontainer/utils', + 'symbols': [ 'CloseExecFrom']}]}, + 'package': { 'ecosystem': 'Go', + 'name': 'github.com/opencontainers/runc', + 'purl': 'pkg:golang/github.com/opencontainers/runc'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '1.0.0-rc8.0.20190930145003-cad42f6e0932'}], + 'type': 'SEMVER'}]}, + { 'ecosystem_specific': { 'imports': [ { 'path': 'github.com/opencontainers/selinux/go-selinux', + 'symbols': [ 'readCon', + 'writeCon']}]}, + 
'package': { 'ecosystem': 'Go', + 'name': 'github.com/opencontainers/selinux', + 'purl': 'pkg:golang/github.com/opencontainers/selinux'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '1.3.1-0.20190929122143-5215b1806f52'}], + 'type': 'SEMVER'}]}], 'aliases': ['CVE-2019-16884', 'GHSA-fgv8-vj5c-2ppq'], - 'credits': [{'contact': [], 'name': 'Leopold Schabel', 'type': None}], + 'credits': [{'name': 'Leopold Schabel'}], 'database_specific': {'url': 'https://pkg.go.dev/vuln/GO-2021-0085'}, - 'db_id': 'GO-2021-0085', 'details': 'AppArmor restrictions may be bypassed due to improper ' 'validation of mount targets, allowing a malicious image to ' 'mount volumes over e.g. /proc.', - 'ecosystem': ['Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2023, 4, 3, 15, 57, 51, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [ 'github.com/opencontainers/runc', - 'github.com/opencontainers/selinux'], - 'public': True, - 'purl': [ 'pkg:golang/github.com/opencontainers/runc', - 'pkg:golang/github.com/opencontainers/selinux'], - 'reference_url_types': { 'https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4': 'FIX', - 'https://github.com/opencontainers/runc/issues/2128': 'WEB', - 'https://github.com/opencontainers/runc/pull/2130': 'FIX', - 'https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da': 'FIX'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '0085', - '16884', - '2019', - '2019-16884', - '2021', - '2021-0085', - '2ppq', - 'com', - 'cve', - 'cve-2019', - 'cve-2019-16884', - 'fgv8', - 'fgv8-vj5c', - 'fgv8-vj5c-2ppq', - 'ghsa', - 'ghsa-fgv8', - 'ghsa-fgv8-vj5c', - 'ghsa-fgv8-vj5c-2ppq', - 'github', - 'github.com/opencontainers/runc', - 'github.com/opencontainers/selinux', - 'go', - 'go-2021', - 'go-2021-0085', - 
'opencontainers', - 'runc', - 'selinux', - 'vj5c', - 'vj5c-2ppq'], - 'search_tags': [ 'github.com/opencontainers/runc', - 'github.com/opencontainers/selinux', - 'go-2021-0085'], - 'semver_fixed_indexes': [ '00000001.00000000.00000000-1rc8.00000000.120190930145003-cad42f6e0932', - '00000001.00000003.00000001-00000000.120190929122143-5215b1806f52'], - 'severities': [], - 'source': 'source', - 'source_id': 'source:a/b/test.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': '', - 'timestamp': DatetimeWithNanoseconds(2021, 4, 14, 20, 4, 52, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'GO-2021-0085', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-04-14T20:04:52Z', + 'references': [ { 'type': 'FIX', + 'url': 'https://github.com/opencontainers/runc/pull/2130'}, + { 'type': 'FIX', + 'url': 'https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4'}, + { 'type': 'FIX', + 'url': 'https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da'}, + { 'type': 'WEB', + 'url': 'https://github.com/opencontainers/runc/issues/2128'}], + 'schema_version': '1.7.3'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt b/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt index 9b228142cd0..053d0e49367 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_bucket_2.txt 
@@ -1,63 +1,21 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': ['10', '11'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': { 'severity': 'High', - 'spl': '2021-10-01', - 'type': 'EoP'}, - 'package': { 'ecosystem': 'Android', - 'name': 'Media Framework', - 'purl': None}, - 'ranges': [], - 'severities': [], - 'versions': ['10', '11']}], +{ 'affected': [ { 'ecosystem_specific': { 'severity': 'High', + 'spl': '2021-10-01', + 'type': 'EoP'}, + 'package': { 'ecosystem': 'Android', + 'name': 'Media Framework'}, + 'versions': ['10', '11']}], 'aliases': ['CVE-2021-0483'], - 'credits': [], - 'database_specific': None, - 'db_id': 'ASB-A-153358911', - 'details': '', - 'ecosystem': ['Android'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['Media Framework'], - 'public': True, - 'purl': [], - 'reference_url_types': { 'https://android.googlesource.com/platform/frameworks/av/+/084077feb6b8c961adcbe77b2bd76601ca54e534': 'FIX', - 'https://android.googlesource.com/platform/frameworks/av/+/cc2165840d524bb9553f9d73d1904633d20100a2': 'FIX', - 'https://source.android.com/security/bulletin/2021-10-01#2021-10-01-security-patch-level-vulnerability-details': 'ADVISORY'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '0483', - '153358911', - '2021', - '2021-0483', - 'a', - 'a-153358911', - 'android', - 'asb', - 'asb-a', - 'asb-a-153358911', - 'cve', - 'cve-2021', - 'cve-2021-0483', - 'framework', - 'media', - 'media framework'], - 'search_tags': ['asb-a-153358911', 'media framework'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:a/b/android-test.json', - 'source_of_truth': 2, - 'status': 1, + 'id': 'ASB-A-153358911', + 'modified': 
'3000-01-01T00:00:00Z', + 'published': '2021-10-01T00:00:00Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://source.android.com/security/bulletin/2021-10-01#2021-10-01-security-patch-level-vulnerability-details'}, + { 'type': 'FIX', + 'url': 'https://android.googlesource.com/platform/frameworks/av/+/084077feb6b8c961adcbe77b2bd76601ca54e534'}, + { 'type': 'FIX', + 'url': 'https://android.googlesource.com/platform/frameworks/av/+/cc2165840d524bb9553f9d73d1904633d20100a2'}], + 'schema_version': '1.7.3', 'summary': 'In multiple methods of AAudioService, there is a possible ' 'use-after-free due to a race condition. This could lead to ' 'local escalation of privilege with User execution privileges ' - 'needed. User interaction is not needed for exploitation.', - 'timestamp': DatetimeWithNanoseconds(2021, 10, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'needed. User interaction is not needed for exploitation.'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt b/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt index 32722079b69..49fafa64d5c 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_bucket_cve.txt 
@@ -1,106 +1,83 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1-2-1', - '1-2-2', - '1-2-3', - '1-2-4', - '1-2-5', - '1-2-6', - '1-3-0', - '1-3-1'], - 'affected_packages': [ { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, - 'digest': { 'line_hashes': [ '18066036635502801806677364178756254862', - '88369412895184753394283011451803187548', - '50848458948504730426650075084385046530', - '91284993680127737564993618090545145416', - '30779278950355321333621475605602830830', - '122421578121241373365155348152646941523', - '267652210589392654099845994262755826062', - '334808111126213430220547654602188383660', - '234389204524678077984531197469034242690', - '152880517379272209571165325006789878786', - '299871312446227378724863519270618301341', - '157634544376100154879962283397081738110', - '103663099829328578689797223848801574827', - '158563421165358858389893196995983570762', - '315965584007238676040631750953088200664'], - 'threshold': 0.9}, - 'id': 'CVE-2016-15011-929806e0', - 'signature_type': 'Line', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java'}}, - { 'deprecated': False, - 'digest': { 'line_hashes': [ '6674387965125354881111149989428882853', - '100741820504985357262218153349452233434', - '253366101641995550384755812786879052342', - '245037096886845520996519599411616661529', - '158852189579109359359946013476030639584', - '298614597347537877121532413760030558894', - '180181956682520524395173299138562004562', - '146502839243717526526406585366671557144', - '244996413515733361838850122849344525825', - '166554563875570093109470347687697544350', - '9427977046515615106319032886256396870', - '279044285883194738631442483325879094037', - '295198785562376785392477306514392217432', - '44714085523243422643465698936438435501', - 
'267608316591780380179772018605253867646', - '182074437577114148436758739432546664545', - '87621961972550109442760282702331746920', - '64897152403082006856773989396486955494', - '184138636401118235309885205539354874180', - '62633257528035095954429323509732904426'], - 'threshold': 0.9}, - 'id': 'CVE-2016-15011-bd561b7b', - 'signature_type': 'Line', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java'}}, - { 'deprecated': False, - 'digest': { 'function_hash': '259495117689681377355427521574538727644', - 'length': 1591.0}, - 'id': 'CVE-2016-15011-d557e328', - 'signature_type': 'Function', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java', - 'function': 'DigitalSignatureServiceMetadata'}}, - { 'deprecated': False, - 'digest': { 'function_hash': '249451297539985081987952306682300702892', - 'length': 4302.0}, - 'id': 'CVE-2016-15011-fcf07dd1', - 'signature_type': 'Function', - 'signature_version': 'v1', - 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', - 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java', - 'function': 'checkSignResponse'}}]}, - 'ecosystem_specific': None, - 'package': { 'ecosystem': '', - 'name': '', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '001ef99b0c8194468de960d007e2d82dcebc3bca'}, - { 'type': 'fixed', - 'value': 'ec4238349691ec66dd30b416ec6eaab02d722302'}], - 'repo_url': 'https://github.com/e-contract/dssp', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'dssp-1.2.1', - 
'dssp-1.2.2', - 'dssp-1.2.3', - 'dssp-1.2.4', - 'dssp-1.2.5', - 'dssp-1.2.6', - 'dssp-1.3.0', - 'dssp-1.3.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'CVE-2016-15011', +{ 'affected': [ { 'database_specific': { 'vanir_signatures': [ { 'deprecated': False, + 'digest': { 'line_hashes': [ '18066036635502801806677364178756254862', + '88369412895184753394283011451803187548', + '50848458948504730426650075084385046530', + '91284993680127737564993618090545145416', + '30779278950355321333621475605602830830', + '122421578121241373365155348152646941523', + '267652210589392654099845994262755826062', + '334808111126213430220547654602188383660', + '234389204524678077984531197469034242690', + '152880517379272209571165325006789878786', + '299871312446227378724863519270618301341', + '157634544376100154879962283397081738110', + '103663099829328578689797223848801574827', + '158563421165358858389893196995983570762', + '315965584007238676040631750953088200664'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-929806e0', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java'}}, + { 'deprecated': False, + 'digest': { 'line_hashes': [ '6674387965125354881111149989428882853', + '100741820504985357262218153349452233434', + '253366101641995550384755812786879052342', + '245037096886845520996519599411616661529', + '158852189579109359359946013476030639584', + '298614597347537877121532413760030558894', + '180181956682520524395173299138562004562', + '146502839243717526526406585366671557144', + '244996413515733361838850122849344525825', + '166554563875570093109470347687697544350', + '9427977046515615106319032886256396870', + '279044285883194738631442483325879094037', + '295198785562376785392477306514392217432', + 
'44714085523243422643465698936438435501', + '267608316591780380179772018605253867646', + '182074437577114148436758739432546664545', + '87621961972550109442760282702331746920', + '64897152403082006856773989396486955494', + '184138636401118235309885205539354874180', + '62633257528035095954429323509732904426'], + 'threshold': 0.9}, + 'id': 'CVE-2016-15011-bd561b7b', + 'signature_type': 'Line', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '259495117689681377355427521574538727644', + 'length': 1591.0}, + 'id': 'CVE-2016-15011-d557e328', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/metadata/DigitalSignatureServiceMetadata.java', + 'function': 'DigitalSignatureServiceMetadata'}}, + { 'deprecated': False, + 'digest': { 'function_hash': '249451297539985081987952306682300702892', + 'length': 4302.0}, + 'id': 'CVE-2016-15011-fcf07dd1', + 'signature_type': 'Function', + 'signature_version': 'v1', + 'source': 'https://github.com/e-contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302', + 'target': { 'file': 'dssp-client/src/main/java/be/e_contract/dssp/client/SignResponseVerifier.java', + 'function': 'checkSignResponse'}}]}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '001ef99b0c8194468de960d007e2d82dcebc3bca'}, + { 'fixed': 'ec4238349691ec66dd30b416ec6eaab02d722302'}], + 'repo': 'https://github.com/e-contract/dssp', + 'type': 'GIT'}], + 'versions': [ 'dssp-1.2.1', + 'dssp-1.2.2', + 'dssp-1.2.3', + 'dssp-1.2.4', + 'dssp-1.2.5', + 'dssp-1.2.6', + 'dssp-1.3.0', + 'dssp-1.3.1']}], 'details': 'A vulnerability classified as 
problematic was found in ' 'e-Contract dssp up to 1.3.1. Affected by this vulnerability is ' 'the function checkSignResponse of the file ' 
@@ -111,42 +88,23 @@ 'ec4238349691ec66dd30b416ec6eaab02d722302. It is recommended to ' 'upgrade the affected component. The identifier VDB-217549 was ' 'assigned to this vulnerability.', - 'ecosystem': ['GIT'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2025, 7, 1, 21, 44, 41, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': [], - 'public': True, - 'purl': [], - 'reference_url_types': { 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302': 'FIX', - 'https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2': 'ADVISORY', - 'https://vuldb.com/?ctiid.217549': 'REPORT', - 'https://vuldb.com/?id.217549': 'REPORT'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '15011', - '2016', - '2016-15011', - 'cve', - 'cve-2016', - 'cve-2016-15011', - 'dssp', - 'e-contract', - 'git', - 'github.com/e-contract/dssp', - 'https://github.com/e-contract/dssp'], - 'search_tags': ['cve-2016-15011'], - 'semver_fixed_indexes': [], - 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', - 'type': 'CVSS_V3'}], - 'source': 'source', - 'source_id': 'source:a/b/CVE-2016-15011.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': '', - 'timestamp': DatetimeWithNanoseconds(2023, 1, 6, 10, 15, 9, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'CVE-2016-15011', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2023-01-06T10:15:09Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302'}, + { 'type': 'ADVISORY', + 'url': 'https://github.com/e-Contract/dssp/releases/tag/dssp-1.3.2'}, + { 'type': 'ADVISORY', + 'url': 'https://vuldb.com/?ctiid.217549'}, + { 'type': 'ADVISORY', + 'url': 'https://vuldb.com/?id.217549'}, + { 
'type': 'FIX', + 'url': 'https://github.com/e-Contract/dssp/commit/ec4238349691ec66dd30b416ec6eaab02d722302'}, + { 'type': 'REPORT', + 'url': 'https://vuldb.com/?ctiid.217549'}, + { 'type': 'REPORT', + 'url': 'https://vuldb.com/?id.217549'}], + 'schema_version': '1.7.3', + 'severity': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H', + 'type': 'CVSS_V3'}]} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_debian.txt b/gcp/workers/worker/testdata/UpdateTest_update_debian.txt index 5aebf710c03..b42b09b1107 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_debian.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_debian.txt @@ -1,30 +1,14 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.2.1-2.2', - '1.2.1-2.2+wheezy1', - '1.2.1-2.2+wheezy2', - '1.2.1-2.2+wheezy3~bpo60+1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Debian:7', - 'name': 'nginx', - 'purl': 'pkg:deb/debian/nginx?arch=source'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '1.2.1-2.2+wheezy3'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '1.2.1-2.2', - '1.2.1-2.2+wheezy1', - '1.2.1-2.2+wheezy2', - '1.2.1-2.2+wheezy3~bpo60+1']}], +{ 'affected': [ { 'package': { 'ecosystem': 'Debian:7', + 'name': 'nginx', + 'purl': 'pkg:deb/debian/nginx?arch=source'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '1.2.1-2.2+wheezy3'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '1.2.1-2.2', + '1.2.1-2.2+wheezy1', + '1.2.1-2.2+wheezy2', + '1.2.1-2.2+wheezy3~bpo60+1']}], 'aliases': ['CVE-2014-3616'], - 'credits': [], - 'database_specific': None, - 'db_id': 'DSA-3029-1', 'details': '\n' 'Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered ' 'that it was\n' 
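Review bot: The new expected `references` list in this hunk carries every URL twice under different types — the dssp commit as both `ADVISORY` and `FIX`, and each vuldb URL as both `ADVISORY` and `REPORT` — whereas the old snapshot's `reference_url_types` mapped each URL to exactly one type. That looks like the exporter now emits one entry per inferred type instead of a deduplicated list; if that is not deliberate, this fixture is locking the duplication in as correct, and the same pattern appears in the CVE-2022-27449 fixture earlier on this page where one jira URL is listed four times. Worth a short comment in the test that generates this snapshot stating whether duplicate URL entries are intended, or a dedupe step before the comparison. The record being asserted starts in the previous hunk of this file, outside this one.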
@@ -53,43 +37,10 @@ 'We recommend that you upgrade your nginx packages.\n' '\n' '\n', - 'ecosystem': ['Debian', 'Debian:7'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2014, 9, 20, 8, 18, 7, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['nginx'], - 'public': True, - 'purl': ['pkg:deb/debian/nginx', 'pkg:deb/debian/nginx?arch=source'], - 'reference_url_types': { 'https://www.debian.org/security/2014/dsa-3029': 'ADVISORY'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '1', - '2014', - '2014-3616', - '3029', - '3029-1', - '3616', - '7', - 'cve', - 'cve-2014', - 'cve-2014-3616', - 'debian', - 'debian:7', - 'dsa', - 'dsa-3029', - 'dsa-3029-1', - 'nginx'], - 'search_tags': ['dsa-3029-1', 'nginx'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:DSA-3029-1.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'nginx - security update', - 'timestamp': DatetimeWithNanoseconds(2014, 9, 20, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'DSA-3029-1', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2014-09-20T00:00:00Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://www.debian.org/security/2014/dsa-3029'}], + 'schema_version': '1.7.3', + 'summary': 'nginx - security update'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt b/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt index eb8631f7074..545e9381ef5 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_last_affected.txt 
@@ -1,129 +1,55 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0', - '1.31.0'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'grpcio', - 'purl': 'pkg:pypi/grpcio'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.14.2'}, - { 'type': 'last_affected', - 'value': '1.31.0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0', - '1.31.0']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'PYSEC-124', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'events': [ { 'introduced': '1.14.2'}, + { 'last_affected': '1.31.0'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + 
'1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0', + '1.31.0']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': False, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['grpcio'], - 'public': True, - 'purl': ['pkg:pypi/grpcio'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': ['124', 'grpcio', 'pypi', 'pysec', 'pysec-124'], - 'search_tags': ['grpcio', 'pysec-124'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:PYSEC-124.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'PYSEC-124', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_limit.txt b/gcp/workers/worker/testdata/UpdateTest_update_limit.txt index dc9a0912254..ded5ae60b02 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_limit.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_limit.txt 
@@ -1,79 +1,26 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.13.0', - '1.14.0', - '1.14.0rc1', - '1.14.0rc2', - '1.14.1', - '1.14.2rc1', - 'branch-v0.1.1', - 'v0.1', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'grpcio', - 'purl': 'pkg:pypi/grpcio'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'limit', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.13.0'}, - { 'type': 'limit', - 'value': '1.14.2'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - '1.13.0', - '1.14.0', - '1.14.0rc1', - '1.14.0rc2', - '1.14.1', - '1.14.2rc1', - 'v0.1', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-128', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 'pkg:pypi/grpcio'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'limit': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}, + { 'events': [ { 'introduced': '1.13.0'}, + {'limit': '1.14.2'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ 'branch-v0.1.1', + '1.13.0', + '1.14.0', + '1.14.0rc1', + '1.14.0rc2', + '1.14.1', + '1.14.2rc1', + 'v0.1', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['grpcio'], - 'public': True, - 'purl': ['pkg:pypi/grpcio'], - 'reference_url_types': {'https://ref.com/ref': 
'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '128', - 'git', - 'grpcio', - 'https://osv-test/repo/url', - 'osv', - 'osv-128', - 'osv-test/repo/url', - 'pypi', - 'repo', - 'url'], - 'search_tags': ['grpcio', 'osv-128'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-128.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-128', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_linux.txt b/gcp/workers/worker/testdata/UpdateTest_update_linux.txt index 18dff8e75c6..8abe827660b 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_linux.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_linux.txt 
@@ -1,52 +1,12 @@ -{ 'affected': [], - 'affected_fuzzy': [], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Linux', - 'name': 'Kernel', - 'purl': None}, - 'ranges': [ { 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': []}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'LINUX-123', +{ 'affected': [ { 'package': {'ecosystem': 'Linux', 'name': 'Kernel'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}]}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT','Linux'], - 'fixed': '', - 'has_affected': False, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'project': ['Kernel'], - 'public': True, - 'purl': [], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '123', - 'git', - 'https://osv-test/repo/url', - 'kernel', - 'linux', - 'linux-123', - 'osv-test/repo/url', - 'repo', - 'url'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:LINUX-123.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(2021, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'GSD-123', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 
'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_maven.txt b/gcp/workers/worker/testdata/UpdateTest_update_maven.txt index 38df7620556..b8f92df1d2f 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_maven.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_maven.txt @@ -1,46 +1,25 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '0.7.0-incubating', - '0.8.0', - '0.9.0', - '1.0', - '1.1', - '2.0', - '2.1', - '2.2', - '2.3', - '2.4'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Maven', - 'name': 'org.apache.any23:apache-any23', - 'purl': 'pkg:maven/org.apache.any23/apache-any23'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '2.5'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}], - 'severities': [], - 'versions': [ '0.7.0-incubating', - '0.8.0', - '0.9.0', - '1.0', - '1.1', - '2.0', - '2.1', - '2.2', - '2.3', - '2.4']}], +{ 'affected': [ { 'package': { 'ecosystem': 'Maven', + 'name': 'org.apache.any23:apache-any23', + 'purl': 'pkg:maven/org.apache.any23/apache-any23'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + {'fixed': '2.5'}], + 'type': 'ECOSYSTEM'}], + 'versions': [ '0.7.0-incubating', + '0.8.0', + '0.9.0', + '1.0', + '1.1', + '2.0', + '2.1', + '2.2', + '2.3', + '2.4']}], 'aliases': ['CVE-2021-38555'], - 'credits': [], 'database_specific': { 'cwe_ids': ['CWE-611'], 'github_reviewed': True, 'github_reviewed_at': '2021-09-13T19:31:01Z', 'nvd_published_at': '2021-09-11T11:15:00Z', 'severity': 'CRITICAL'}, - 'db_id': 'GHSA-838r-hvwh-24h8', 'details': 'An XML external entity (XXE) injection vulnerability was ' 'discovered in the Any23 StreamUtils.java file and is known to ' 'affect Any23 versions < 2.5. XML external entity injection ' 
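Review bot: The expected `id` in this fixture changes from the old `db_id` `LINUX-123` (whose record came from `source:LINUX-123.yaml`) to `GSD-123`, while the file is still named `UpdateTest_update_linux.txt` and the `affected` entry still describes the `Linux`/`Kernel` package with the same commit range. If the test now deliberately feeds `GSD-123.yaml` as input, renaming the fixture or stating the input in the test would avoid the mismatch; if not, this expected output appears to have been captured from the wrong input file.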
@@ -50,51 +29,16 @@ 'files on the application server filesystem, and to interact ' 'with any back-end or external systems that the application ' 'itself can access.', - 'ecosystem': ['Maven'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2021, 9, 24, 13, 10, 5, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['org.apache.any23:apache-any23'], - 'public': True, - 'purl': ['pkg:maven/org.apache.any23/apache-any23'], - 'reference_url_types': { 'https://github.com/apache/any23': 'PACKAGE', - 'https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E': 'WEB', - 'https://nvd.nist.gov/vuln/detail/CVE-2021-38555': 'ADVISORY'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '2021', - '2021-38555', - '24h8', - '38555', - '838r', - '838r-hvwh', - '838r-hvwh-24h8', - 'any23', - 'apache', - 'cve', - 'cve-2021', - 'cve-2021-38555', - 'ghsa', - 'ghsa-838r', - 'ghsa-838r-hvwh', - 'ghsa-838r-hvwh-24h8', - 'hvwh', - 'hvwh-24h8', - 'maven', - 'org', - 'org.apache.any23:apache-any23'], - 'search_tags': ['ghsa-838r-hvwh-24h8', 'org.apache.any23:apache-any23'], - 'semver_fixed_indexes': [], - 'severities': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', - 'type': 'CVSS_V3'}], - 'source': 'source', - 'source_id': 'source:GHSA-838r-hvwh-24h8.json', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'XML Injection in Any23', - 'timestamp': DatetimeWithNanoseconds(2021, 9, 13, 20, 6, 31, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'GHSA-838r-hvwh-24h8', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-09-13T20:06:31Z', + 'references': [ { 'type': 'ADVISORY', + 'url': 'https://nvd.nist.gov/vuln/detail/CVE-2021-38555'}, + { 'type': 'PACKAGE', + 'url': 
'https://github.com/apache/any23'}, + { 'type': 'WEB', + 'url': 'https://lists.apache.org/thread.html/r589d1a9f94dbeee7a0f5dbe8513a0e300dfe669bd964ba2fbfe28e07%40%3Cannounce.apache.org%3E'}], + 'schema_version': '1.7.3', + 'severity': [ { 'score': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N', + 'type': 'CVSS_V3'}], + 'summary': 'XML Injection in Any23'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_new.txt b/gcp/workers/worker/testdata/UpdateTest_update_new.txt index 7c36f197aad..1b333bd0a52 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_new.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_new.txt 
@@ -1,67 +1,19 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Go', - 'name': 'blah.com/package', - 'purl': 'pkg:golang/blah.com/package'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'introduced', - 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-126', +{ 'affected': [ { 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'introduced': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['blah.com/package'], - 'public': True, - 'purl': ['pkg:golang/blah.com/package'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': 
'', - 'related': [], - 'search_indices': [ '126', - 'blah', - 'blah.com/package', - 'com', - 'git', - 'go', - 'https://osv-test/repo/url', - 'osv', - 'osv-126', - 'osv-test/repo/url', - 'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-126'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-126.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-126', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt b/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt index 821fb369530..9a6219d1cc8 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_no_introduced.txt 
@@ -1,67 +1,19 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1', - 'v0.1.1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'Go', - 'name': 'blah.com/package', - 'purl': 'pkg:golang/blah.com/package'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '0'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-127', +{ 'affected': [ { 'package': { 'ecosystem': 'Go', + 'name': 'blah.com/package', + 'purl': 'pkg:golang/blah.com/package'}, + 'ranges': [ { 'events': [ {'introduced': '0'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'Go'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['blah.com/package'], - 'public': True, - 'purl': ['pkg:golang/blah.com/package'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '127', - 'blah', - 'blah.com/package', - 'com', - 'git', - 'go', - 'https://osv-test/repo/url', - 'osv', - 'osv-127', - 'osv-test/repo/url', - 
'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-127'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-127.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': None, - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-127', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt new file mode 100644 index 00000000000..39b24a9dd51 --- /dev/null +++ b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_delete.txt @@ -0,0 +1,7 @@ +{ 'details': 'Blah blah blah\nBlah\n', + 'id': 'OSV-131', + 'modified': '3000-01-01T00:00:00Z', + 'published': '2021-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt index 3c2c9cfd004..5e0f3a2b915 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_partly_bad_ecosystem_new.txt 
@@ -1,65 +1,18 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': ['0-1-1', '1'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'ecosystem', - 'name': 'blah.com/package', - 'purl': None}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, - { 'type': 'introduced', - 'value': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, - { 'type': 'fixed', - 'value': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ 'branch-v0.1.1', - 'branch_1_cherrypick_regress', - 'v0.1.1']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'OSV-130', +{ 'affected': [ { 'package': { 'ecosystem': 'ecosystem', + 'name': 'blah.com/package'}, + 'ranges': [ { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}, + { 'introduced': 'febfac1940086bc1f6d3dc33fda0a1d1ba336209'}, + { 'fixed': 'b9b3fd4732695b83c3068b7b6a14bb372ec31f98'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ 'branch-v0.1.1', + 'branch_1_cherrypick_regress', + 'v0.1.1']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'ecosystem'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2020, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['blah.com/package'], - 'public': True, - 'purl': [], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '130', - 'blah', - 'blah.com/package', - 'com', - 'ecosystem', - 'git', - 
'https://osv-test/repo/url', - 'osv', - 'osv-130', - 'osv-test/repo/url', - 'package', - 'repo', - 'url'], - 'search_tags': ['blah.com/package', 'osv-130'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:OSV-130.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'OSV-130', + 'modified': '3000-01-01T00:00:00Z', + 'published': '3000-01-01T00:00:00Z', + 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}], + 'schema_version': '1.7.3', + 'summary': 'A vulnerability'} \ No newline at end of file diff --git a/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt b/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt index 17d13fe02f8..26c2f56db26 100644 --- a/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt +++ b/gcp/workers/worker/testdata/UpdateTest_update_pypi.txt 
@@ -1,143 +1,58 @@ -{ 'affected': [], - 'affected_checksum': None, - 'affected_fuzzy': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0'], - 'affected_packages': [ { 'database_specific': None, - 'ecosystem_specific': None, - 'package': { 'ecosystem': 'PyPI', - 'name': 'grpcio', - 'purl': 'pkg:pypi/grpcio'}, - 'ranges': [ { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': '1.14.2'}, - { 'type': 'fixed', - 'value': '1.31.0'}], - 'repo_url': '', - 'type': 'ECOSYSTEM'}, - { 'database_specific': None, - 'events': [ { 'type': 'introduced', - 'value': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, - { 'type': 'fixed', - 'value': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], - 'repo_url': 'https://osv-test/repo/url', - 'type': 'GIT'}], - 'severities': [], - 'versions': [ '1.14.2', - '1.15.0', - '1.15.0rc1', - '1.16.0', - '1.16.0rc1', - '1.16.1', - '1.17.0', - '1.17.1', - '1.18.0', - '1.19.0', - '1.20.0', - '1.20.0rc1', - '1.20.0rc2', - '1.20.0rc3', - '1.20.1', - '1.21.0rc1', - '1.21.1', - '1.21.1rc1', - '1.22.0', - '1.22.0rc1', - '1.22.1', - '1.23.0', - '1.23.0rc1', - '1.23.1', - '1.24.0', - '1.24.0rc1', - '1.24.1', - '1.24.3', - '1.25.0', - '1.25.0rc1', - '1.26.0', - '1.26.0rc1', - '1.27.0rc1', - '1.27.0rc2', - '1.27.1', - '1.27.2', - '1.28.0rc1', - '1.28.0rc2', - '1.28.1', - '1.29.0', - '1.30.0']}], - 'aliases': [], - 'credits': [], - 'database_specific': None, - 'db_id': 'PYSEC-123', +{ 'affected': [ { 'package': { 'ecosystem': 'PyPI', + 'name': 'grpcio', + 'purl': 
'pkg:pypi/grpcio'}, + 'ranges': [ { 'events': [ { 'introduced': '1.14.2'}, + {'fixed': '1.31.0'}], + 'type': 'ECOSYSTEM'}, + { 'events': [ { 'introduced': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'}, + { 'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'}], + 'repo': 'https://osv-test/repo/url', + 'type': 'GIT'}], + 'versions': [ '1.14.2', + '1.15.0', + '1.15.0rc1', + '1.16.0', + '1.16.0rc1', + '1.16.1', + '1.17.0', + '1.17.1', + '1.18.0', + '1.19.0', + '1.20.0', + '1.20.0rc1', + '1.20.0rc2', + '1.20.0rc3', + '1.20.1', + '1.21.0rc1', + '1.21.1', + '1.21.1rc1', + '1.22.0', + '1.22.0rc1', + '1.22.1', + '1.23.0', + '1.23.0rc1', + '1.23.1', + '1.24.0', + '1.24.0rc1', + '1.24.1', + '1.24.3', + '1.25.0', + '1.25.0rc1', + '1.26.0', + '1.26.0rc1', + '1.27.0rc1', + '1.27.0rc2', + '1.27.1', + '1.27.2', + '1.28.0rc1', + '1.28.0rc2', + '1.28.1', + '1.29.0', + '1.30.0']}], 'details': 'Blah blah blah\nBlah\n', - 'ecosystem': ['GIT', 'PyPI'], - 'fixed': '', - 'has_affected': True, - 'import_last_modified': DatetimeWithNanoseconds(2022, 10, 7, 18, 59, tzinfo=datetime.timezone.utc), - 'is_fixed': True, - 'issue_id': None, - 'last_modified': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'project': ['grpcio'], - 'public': True, - 'purl': ['pkg:pypi/grpcio'], - 'reference_url_types': {'https://ref.com/ref': 'WEB'}, - 'regressed': '', - 'related': [], - 'search_indices': [ '123', - 'git', - 'grpcio', - 'https://osv-test/repo/url', - 'osv-test/repo/url', - 'pypi', - 'pysec', - 'pysec-123', - 'repo', - 'url'], - 'search_tags': ['grpcio', 'pysec-123'], - 'semver_fixed_indexes': [], - 'severities': [], - 'source': 'source', - 'source_id': 'source:PYSEC-123.yaml', - 'source_of_truth': 2, - 'status': 1, - 'summary': 'A vulnerability', - 'timestamp': DatetimeWithNanoseconds(3000, 1, 1, 0, 0, tzinfo=datetime.timezone.utc), - 'upstream_raw': [], - 'withdrawn': None} \ No newline at end of file + 'id': 'PYSEC-123', + 'modified': '3000-01-01T00:00:00Z', + 
'published': '3000-01-01T00:00:00Z',
+ 'references': [{'type': 'WEB', 'url': 'https://ref.com/ref'}],
+ 'schema_version': '1.7.3',
+ 'summary': 'A vulnerability'}
\ No newline at end of file
diff --git a/gcp/workers/worker/worker.py b/gcp/workers/worker/worker.py
index 4b80ed4c34a..4819b96135a 100644
--- a/gcp/workers/worker/worker.py
+++ b/gcp/workers/worker/worker.py
@@ -18,6 +18,7 @@
 import json
 import logging
 import os
+import pygit2
 import redis
 import requests
 import resource
@@ -32,14 +33,15 @@
 from google.cloud import pubsub_v1
 from google.cloud import storage
 from google.cloud.storage import retry
-from google.protobuf import json_format
+from google.protobuf import json_format, timestamp_pb2
 sys.path.append(os.path.dirname(os.path.realpath(__file__)))
 import osv
-import osv.ecosystems
 import osv.cache
+import osv.ecosystems
+import osv.gcs
 import osv.logs
-from osv import vulnerability_pb2
+from osv import vulnerability_pb2, purl_helpers
 import oss_fuzz
 from vanir import vulnerability_manager
@@ -161,17 +163,6 @@ def clean_artifacts(oss_fuzz_dir):
 shutil.rmtree(build_dir, ignore_errors=True)
-def mark_bug_invalid(message):
- """Mark a bug as invalid."""
- source_id = get_source_id(message)
- for bug in osv.Bug.query(osv.Bug.source_id == source_id):
- bug.withdrawn = datetime.datetime.now(datetime.UTC)
- bug.status = osv.BugStatus.INVALID
- bug.put()
-
- osv.delete_affected_commits(bug.key.id())
-
-
 def get_source_id(message):
 """Get message ID."""
 source_id = message.attributes['source_id']
@@ -278,7 +269,7 @@ def fix_invalid_ghsa(vulnerability):
 return True
-def maybe_normalize_package_names(vulnerability):
+def maybe_normalize_package_names(vulnerability: vulnerability_pb2.Vulnerability) -> vulnerability_pb2.Vulnerability:
 """Normalize package names as necessary."""
 for affected in vulnerability.affected:
 if not affected.package.ecosystem:
@@ -428,35 +419,69 @@ def _source_update(self, message):
 self._do_update(source_repo, repo, vulnerability, path, original_sha256)
 def _handle_deleted(self, source_repo, vuln_path):
- """Handle existing bugs that have been subsequently deleted at their source.
+ """Handle existing vulns that have been subsequently deleted at their source.
 Args:
 source_repo: Source repository.
 vuln_path: Path to vulnerability.
- This marks the Bug as INVALID and as withdrawn.
+ This marks the Vulnerability as withdrawn.
 """
 vuln_id = os.path.splitext(os.path.basename(vuln_path))[0]
- bug = osv.Bug.get_by_id(vuln_id)
- if not bug:
- logging.error('Failed to find Bug with ID %s', vuln_id)
- return
+ vuln_and_gen = osv.gcs.get_by_id_with_generation(vuln_id)
+ gcs_gen = None
+ proto_vuln = None
+ def xact():
+ nonlocal gcs_gen
+ nonlocal proto_vuln
+ ds_vuln: osv.Vulnerability = osv.Vulnerability.get_by_id(vuln_id)
+ if not ds_vuln:
+ logging.error('Failed to find Vulnerability with ID %s', vuln_id)
+ return
+
+ _, _, ds_path = ds_vuln.source_id.partition(':')
- bug_source_path = osv.source_path(source_repo, bug)
- if bug_source_path != vuln_path:
- logging.error('Request path %s does not match %s, aborting.', vuln_path,
- bug_source_path)
+ if ds_path != vuln_path:
+ logging.error('Request path %s does not match %s, aborting.', vuln_path,
+ ds_path)
+ return
+
+ logging.info('Marking %s as withdrawn.', vuln_id)
+ if not vuln_and_gen:
+ logging.error('Failed to find Vulnerability with ID %s', vuln_id)
+ # contruct an empty withdrawn vuln
+ proto_vuln = vulnerability_pb2.Vulnerability(id=vuln_id)
+ else:
+ proto_vuln, gcs_gen = vuln_and_gen
+
+ if not proto_vuln.HasField('withdrawn'):
+ # in case this was already withdrawn for some reason
+ proto_vuln.withdrawn.FromDatetime(datetime.datetime.now(datetime.UTC))
+ if (not proto_vuln.HasField('modified') or
+ proto_vuln.withdrawn.ToDatetime(datetime.UTC) > proto_vuln.modified.ToDatetime(datetime.UTC)):
+ proto_vuln.modified.CopyFrom(proto_vuln.withdrawn)
+ ds_vuln.is_withdrawn = True
+ ds_vuln.modified = proto_vuln.modified.ToDatetime(datetime.UTC)
+ osv.models.put_entities(ds_vuln, proto_vuln)
+ osv.update_affected_commits(vuln_id, [], False)
+
+ try:
+ ndb.transaction(xact)
+ except (google.api_core.exceptions.Cancelled, ndb.exceptions.Error) as e:
+ e.add_note(f'Happened processing {vuln_id}')
+ logging.exception('Unexpected exception while writing %s to Datastore',
+ vuln_id)
+ raise
+ if not proto_vuln:
 return
+ try:
+ osv.gcs.upload_vulnerability(proto_vuln, gcs_gen)
+ except Exception as e:
+ # Writing to bucket failed for some reason. Send a pub/sub message to retry.
+ logging.error('Writing to bucket failed for %s', vuln_id)
+ data = proto_vuln.SerializeToString(deterministic=True)
+ pubsub.publish_failure(data, type='gcs_retry')
- logging.info('Marking %s as invalid and withdrawn.', vuln_id)
- bug.status = osv.BugStatus.INVALID
- if not bug.withdrawn: # in case this was already withdrawn for some reason
- bug.withdrawn = datetime.datetime.now(datetime.UTC)
- if bug.last_modified:
- bug.last_modified = max(bug.withdrawn, bug.last_modified)
- else:
- bug.last_modified = bug.withdrawn
- bug.put()
 def _push_new_ranges_and_versions(self, source_repo, repo, vulnerability,
 output_path, original_sha256):
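Review bot: The path check inside `xact()` discards the source prefix, `_, _, ds_path = ds_vuln.source_id.partition(':')`, and compares only the relative path, so `source_repo` is no longer used anywhere in the new `_handle_deleted` body and a deletion request for the same relative path from a different source could withdraw this record; the removed code tied the check to the requesting source via `osv.source_path(source_repo, bug)`. Keeping the prefix, `ds_source, _, ds_path = ds_vuln.source_id.partition(':')` and `if ds_source != source_repo.name or ds_path != vuln_path:`, restores that binding, assuming `SourceRepository` exposes the name used as the `source_id` prefix (the removed fixtures' `'source_id': 'source:...'` values suggest it does). Separately, the `except Exception as e:` around `osv.gcs.upload_vulnerability` never uses `e` and logs with `logging.error`, so the traceback of the failed upload is lost before the retry message is published; `logging.exception('Writing to bucket failed for %s', vuln_id)` without the `as e` keeps it. The comment `# contruct an empty withdrawn vuln` has a typo (`construct`).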
@@ -472,17 +497,9 @@ def _push_new_ranges_and_versions(self, source_repo, repo, vulnerability, output_path: original_sha256, }) - def _analyze_vulnerability(self, source_repo, repo, vulnerability, path, - original_sha256): + def _analyze_vulnerability(self, source_repo: osv.SourceRepository, repo: pygit2.Repository | None, vulnerability: vulnerability_pb2.Vulnerability, path: str, + original_sha256: str) -> osv.AnalyzeResult: """Analyze vulnerability and push new changes.""" - # Add OSS-Fuzz - added_fix_info = False - bug = osv.Bug.get_by_id(vulnerability.id) - if bug: - fix_result = osv.FixResult.get_by_id(bug.source_id) - if fix_result: - added_fix_info = add_fix_information(vulnerability, fix_result) - result = osv.analyze( vulnerability, checkout_path=os.path.join(self._work_dir, 'checkout'), @@ -491,12 +508,13 @@ def _analyze_vulnerability(self, source_repo, repo, vulnerability, path, versions_from_repo=source_repo.versions_from_repo, consider_all_branches=source_repo.consider_all_branches) - if not result.has_changes and not added_fix_info: + if not result.has_changes: return result if not source_repo.editable: return result - + # NB: Only OSS-Fuzz is editable - all other sources are read-only. + # This should not be reachable by this worker. output_path = os.path.join(osv.repo_path(repo), path) if self._push_new_ranges_and_versions(source_repo, repo, vulnerability, output_path, original_sha256): @@ -508,7 +526,7 @@ def _analyze_vulnerability(self, source_repo, repo, vulnerability, path, vulnerability.id) raise UpdateConflictError - def _generate_vanir_signatures(self, vulnerability): + def _generate_vanir_signatures(self, vulnerability: vulnerability_pb2.Vulnerability) -> vulnerability_pb2.Vulnerability: """Generates Vanir signatures for a vulnerability.""" if not any(r.type == vulnerability_pb2.Range.GIT for affected in vulnerability.affected 
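Review bot: The new `_analyze_vulnerability` signature puts five annotated parameters on one line, `def _analyze_vulnerability(self, source_repo: osv.SourceRepository, repo: pygit2.Repository | None, vulnerability: vulnerability_pb2.Vulnerability, path: str,`, far past the width the rest of the file wraps at; the `_do_update` signature in a later hunk shows the one-parameter-per-line form to copy. The same applies to the `_generate_vanir_signatures` signature in the third hunk on this line. Removing the `add_fix_information` call means OSS-Fuzz `FixResult` enrichment no longer happens in this worker; if `add_fix_information` has no other caller in this file, its import is now unused.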
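Review bot: The added comment `# NB: Only OSS-Fuzz is editable - all other sources are read-only. This should not be reachable by this worker.` contradicts the code beneath it, which still calls `_push_new_ranges_and_versions` and can raise `UpdateConflictError`, so an editable source that does reach this point would silently push to the repository. If the branch is genuinely unreachable, make that explicit: `logging.error('Unexpected editable source %s for %s', source_repo.name, vulnerability.id)` followed by `return result`, and drop the push; if it is still needed for OSS-Fuzz, reword the comment so it does not claim the opposite. `_analyze_vulnerability` ends outside this hunk.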
@@ -545,8 +563,12 @@ def _generate_vanir_signatures(self, vulnerability): vulnerability.id) return vulnerability - def _do_update(self, source_repo, repo, vulnerability, relative_path, - original_sha256): + def _do_update(self, + source_repo: osv.SourceRepository, + repo: pygit2.Repository | None, + vulnerability: vulnerability_pb2.Vulnerability, + relative_path: str, + original_sha256: str): """Process updates on a vulnerability.""" _state.bug_id = vulnerability.id logging.info('Processing update for vulnerability %s', vulnerability.id) 
@@ -569,70 +591,133 @@ def _do_update(self, source_repo, repo, vulnerability, relative_path, # Discard changes due to conflict. return - # Fetch the current state from Datastore. - bug = osv.Bug.get_by_id(vulnerability.id) - is_new_bug = bug is None - - has_changed = False - if is_new_bug: - has_changed = True - if source_repo.name == 'oss-fuzz': - logging.warning('%s not found for OSS-Fuzz source.', vulnerability.id) - return - - bug = osv.Bug( - db_id=vulnerability.id, - timestamp=osv.utcnow(), - status=osv.BugStatus.PROCESSED, - source_of_truth=osv.SourceOfTruth.SOURCE_REPO) - else: - # Compare the newly enriched vulnerability with the stored one. - # Create a 'pure' vulnerability object from the existing bug for - # comparison, excluding external data that would cause false positives. - old_vulnerability = bug.to_vulnerability( - include_source=False, include_alias=False, include_upstream=False) - - # Clear modified timestamps for a clean comparison. - old_vulnerability.modified.Clear() - vulnerability.modified.Clear() - - if old_vulnerability != vulnerability: + vuln_and_gen = osv.gcs.get_by_id_with_generation(vulnerability.id) + gcs_gen = None + def xact(): + # Fetch the current state from Datastore. + nonlocal gcs_gen + ds_vuln = osv.Vulnerability.get_by_id(vulnerability.id) + is_new_bug = ds_vuln is None + + # Compute the related fields here first. + # TODO(michaelkedar): Make a related computation in relations cron + related_raw = vulnerability.related + q = osv.Vulnerability.query(osv.Vulnerability.related_raw == vulnerability.id) + related = set(vulnerability.related).union(set(r.id for r in q)) + vulnerability.related[:] = sorted(related) + + old_published = None + + # Update the schema version + # TODO(michaelkedar): osv.SCHEMA_VERSION is not kept up to date with the submodule + vulnerability.schema_version = osv.SCHEMA_VERSION + # Add PURLs and source if they are missing. 
+ source_link = None + if source_repo and source_repo.link: + source_link = source_repo.link + relative_path + for affected in vulnerability.affected: + if not affected.package.purl: + if purl := purl_helpers.package_to_purl( + osv.ecosystems.normalize(affected.package.ecosystem), + affected.package.name): + affected.package.purl = purl + if source_link: + affected.database_specific.update({'source': source_link}) + + has_changed = False + if is_new_bug: has_changed = True + ds_vuln = osv.Vulnerability( + id=vulnerability.id, + source_id=f'{source_repo.name}:{relative_path}', + ) + else: + # Compare the newly enriched vulnerability with the stored one. + # Create a 'pure' vulnerability object from the existing vuln for + # comparison, excluding external data that would cause false positives. + if vuln_and_gen is None: + logging.warning('Vulnerability %s found in Datastore but not in GCS.', vulnerability.id) + # We need to write the vuln in this case + has_changed = True + else: + old_vulnerability, gcs_gen = vuln_and_gen + if old_vulnerability.HasField('published'): + old_published = timestamp_pb2.Timestamp() + old_published.CopyFrom(old_vulnerability.published) + new_vulnerability = vulnerability_pb2.Vulnerability() + new_vulnerability.CopyFrom(vulnerability) + + # Clear modified/published timestamps for a clean comparison. + old_vulnerability.modified.Clear() + new_vulnerability.modified.Clear() + old_vulnerability.published.Clear() + new_vulnerability.published.Clear() + # Clear aliases and upstream, as they are computed separately. 
+ old_vulnerability.aliases.clear() + new_vulnerability.aliases.clear() + old_vulnerability.upstream.clear() + new_vulnerability.upstream.clear() + + has_changed = old_vulnerability != new_vulnerability + + ds_vuln.is_withdrawn = vulnerability.HasField('withdrawn') + ds_vuln.modified_raw = orig_modified_date + ds_vuln.alias_raw = list(vulnerability.aliases) + ds_vuln.related_raw = list(related_raw) + ds_vuln.upstream_raw = list(vulnerability.upstream) + # Update the bug entity based on the comparison. + if has_changed: + ds_vuln.modified = osv.utcnow() + else: + # If no meaningful change, ensure last_modified reflects the source file's + # modified date, as only metadata might have changed. + ds_vuln.modified = orig_modified_date + + # Overwrite aliases / upstream from computation + alias_group = osv.AliasGroup.query(osv.AliasGroup.bug_ids == vulnerability.id).get() + if alias_group: + aliases = sorted(set(alias_group.bug_ids) - {vulnerability.id}) + vulnerability.aliases[:] = aliases + if alias_group.last_modified > ds_vuln.modified: + ds_vuln.modified = alias_group.last_modified + upstream_group = osv.UpstreamGroup.query(osv.UpstreamGroup.db_id == vulnerability.id).get() + if upstream_group: + vulnerability.upstream[:] = sorted(upstream_group.upstream_ids) + if upstream_group.last_modified > ds_vuln.modified: + ds_vuln.modified = upstream_group.last_modified + # Make sure modified date is >= withdrawn date + if ds_vuln.is_withdrawn and vulnerability.withdrawn.ToDatetime(datetime.UTC) > ds_vuln.modified: + ds_vuln.modified = vulnerability.withdrawn.ToDatetime(datetime.UTC) + + vulnerability.modified.FromDatetime(ds_vuln.modified) + + # Make sure vuln has a published date + if not vulnerability.HasField('published'): + if old_published: + vulnerability.published.CopyFrom(old_published) + else: + vulnerability.published.CopyFrom(vulnerability.modified) + + osv.models.put_entities(ds_vuln, vulnerability) + osv.update_affected_commits(vulnerability.id, result.commits, 
True) - # Update the bug entity based on the comparison. - if has_changed: - bug.update_from_vulnerability(vulnerability) - bug.last_modified = osv.utcnow() - else: - # If no meaningful change, ensure last_modified reflects the source file's - # modified date, as only metadata might have changed. - bug.last_modified = orig_modified_date - - bug.public = True - bug.import_last_modified = orig_modified_date - # OSS-Fuzz sourced bugs use a different format for source_id. - if source_repo.name != 'oss-fuzz' or not bug.source_id: - bug.source_id = f'{source_repo.name}:{relative_path}' - - if bug.withdrawn: - bug.status = osv.BugStatus.INVALID - else: - bug.status = osv.BugStatus.PROCESSED - - if not vulnerability.affected: - logging.info('%s does not affect any packages. Marking as invalid.', - vulnerability.id) - bug.status = osv.BugStatus.INVALID try: - bug.put() + ndb.transaction(xact) except (google.api_core.exceptions.Cancelled, ndb.exceptions.Error) as e: e.add_note(f'Happened processing {vulnerability.id}') logging.exception('Unexpected exception while writing %s to Datastore', vulnerability.id) + raise + try: + osv.gcs.upload_vulnerability(vulnerability, gcs_gen) + except Exception as e: + # Writing to bucket failed for some reason. Send a pub/sub message to retry. + logging.error('Writing to bucket failed for %s', vulnerability.id) + data = vulnerability.SerializeToString(deterministic=True) + pubsub.publish_failure(data, type='gcs_retry') - osv.update_affected_commits(bug.key.id(), result.commits, bug.public) self._notify_ecosystem_bridge(vulnerability) - self._maybe_remove_import_findings(bug) + self._maybe_remove_import_findings(vulnerability.id) def _notify_ecosystem_bridge(self, vulnerability): """Notify ecosystem bridges.""" 
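Review bot: `xact()` mutates the proto captured from the pre-transaction read in place — `old_vulnerability, gcs_gen = vuln_and_gen` aliases the stored object, and the following `.modified.Clear()`, `.published.Clear()`, `.aliases.clear()` and `.upstream.clear()` alter it — so if ndb retries the transaction the second run sees an already-stripped record: `old_published` comes back `None`, and for a source file that carries no `published` the record's published date is silently replaced with `modified`. Copy before comparing, mirroring what is already done for `new_vulnerability`: `old_vulnerability = vulnerability_pb2.Vulnerability()`, `old_vulnerability.CopyFrom(vuln_and_gen[0])`, `gcs_gen = vuln_and_gen[1]`. The function argument `vulnerability` is also rewritten inside `xact()` (`related`, `aliases`, `upstream`, `modified`, `published`); those writes look idempotent, but a comment stating that `xact` may run more than once would help the next maintainer keep it that way. The GCS read also happens outside the transaction, so `gcs_gen` can be stale by the time `osv.gcs.upload_vulnerability(vulnerability, gcs_gen)` runs — presumably the generation precondition rejects that case, which is worth confirming. `_do_update` starts outside this hunk.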
@@ -652,12 +737,12 @@ def _notify_ecosystem_bridge(self, vulnerability): push_topic, data=json.dumps(osv.vulnerability_to_dict(vulnerability)).encode()) - def _maybe_remove_import_findings(self, vulnerability: osv.Bug): - """Remove any stale import findings for a successfully processed Bug,""" + def _maybe_remove_import_findings(self, vuln_id: str): + """Remove any stale import findings for a successfully processed Vuln,""" - finding = osv.ImportFinding.get_by_id(vulnerability.id()) + finding = osv.ImportFinding.get_by_id(vuln_id) if finding: - logging.info('Removing stale import finding for %s', vulnerability.id()) + logging.info('Removing stale import finding for %s', vuln_id) finding.key.delete() def _do_process_task(self, subscriber, subscription, ack_id, message, diff --git a/gcp/workers/worker/worker_test.py b/gcp/workers/worker/worker_test.py index 2e4fc8dc540..5298f3df2d1 100644 --- a/gcp/workers/worker/worker_test.py +++ b/gcp/workers/worker/worker_test.py @@ -18,6 +18,7 @@ import hashlib from gcp.workers.mock_test.mock_test_handler import MockDataHandler import http.server +import logging import os import shutil import tempfile @@ -27,10 +28,12 @@ from unittest import mock from google.cloud import ndb +from google.protobuf.json_format import MessageToDict import pygit2 import osv from osv import tests +from osv import vulnerability_pb2 import oss_fuzz import worker 
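Review bot: The docstring of `_maybe_remove_import_findings` still ends with a comma instead of a period (`"""Remove any stale import findings for a successfully processed Vuln,"""`), carried over from the old text; while touching it, say what is deleted: `"""Delete the ImportFinding keyed by *vuln_id*, if any, now that the record was processed successfully."""`. The hunk otherwise only changes the parameter from an entity to its id, which matches the new call site in `_do_update`.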
@@ -58,550 +61,6 @@ def _sha256(test_name): return hasher.hexdigest() -class OssFuzzDetailsTest(unittest.TestCase): - """Details generation tests.""" - - def test_basic(self): - """Basic tests.""" - crash_type = 'Heap-buffer-overflow' - crash_state = 'Foo\nBar\nBlah\n' - - summary = oss_fuzz.get_oss_fuzz_summary(crash_type, crash_state) - self.assertEqual('Heap-buffer-overflow in Foo', summary) - - details = oss_fuzz.get_oss_fuzz_details('1337', crash_type, crash_state) - self.assertEqual( - 'OSS-Fuzz report: ' - 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1337\n\n' - '```\n' - 'Crash type: Heap-buffer-overflow\n' - 'Crash state:\n' - 'Foo\n' - 'Bar\n' - 'Blah\n```\n', - details, - ) - - def test_no_issue(self): - """Test generating details without an issue ID.""" - crash_type = 'Heap-buffer-overflow' - crash_state = 'Foo\nBar\nBlah\n' - - details = oss_fuzz.get_oss_fuzz_details('', crash_type, crash_state) - self.assertEqual( - '```\n' - 'Crash type: Heap-buffer-overflow\n' - 'Crash state:\n' - 'Foo\n' - 'Bar\n' - 'Blah\n```\n', - details, - ) - - def test_assert(self): - """Basic assertion failures.""" - crash_type = 'ASSERT' - crash_state = 'idx < length\nFoo\nBar\n' - - summary = oss_fuzz.get_oss_fuzz_summary(crash_type, crash_state) - self.assertEqual('ASSERT: idx < length', summary) - - details = oss_fuzz.get_oss_fuzz_details('1337', crash_type, crash_state) - self.assertEqual( - 'OSS-Fuzz report: ' - 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1337\n\n' - '```\n' - 'Crash type: ASSERT\n' - 'Crash state:\n' - 'idx < length\n' - 'Foo\n' - 'Bar\n```\n', - details, - ) - - def test_bad_cast(self): - """Basic bad casts.""" - crash_type = 'Bad-cast' - crash_state = 'Bad-cast to A from B\nFoo\nBar\n' - - summary = oss_fuzz.get_oss_fuzz_summary(crash_type, crash_state) - self.assertEqual('Bad-cast to A from B', summary) - - details = oss_fuzz.get_oss_fuzz_details('1337', crash_type, crash_state) - self.assertEqual( - 'OSS-Fuzz report: ' - 
'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1337\n\n' - '```\n' - 'Crash type: Bad-cast\n' - 'Crash state:\n' - 'Bad-cast to A from B\n' - 'Foo\n' - 'Bar\n```\n', - details, - ) - - -class ImpactTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): - """Impact task tests.""" - - def setUp(self): - ds_emulator.reset() - self.maxDiff = None - - tests.mock_clone(self, return_value=pygit2.Repository('osv-test')) - tests.mock_datetime(self) - - osv.SourceRepository( - id='oss-fuzz', name='oss-fuzz', db_prefix=['OSV-']).put() - - allocated_bug = osv.Bug( - db_id='OSV-2020-1337', - timestamp=datetime.datetime(2020, 1, 1, tzinfo=datetime.UTC), - source_id='oss-fuzz:123', - status=osv.BugStatus.UNPROCESSED, - public=False, - ) - allocated_bug.put() - - # This should be deleted and overwritten with the actual computed commits. - osv.AffectedCommits( - id='OSV-2020-1337-3', bug_id='OSV-2020-1337', page=3).put() - - def test_basic(self): - """Basic test.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal('basic', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, 
len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - def test_range(self): - """Test commit range.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit=('b1c95a196f22d06fcf80df8c6691cd113d8fefff:' - '36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2'), - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal('range', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'b9b3fd4732695b83c3068b7b6a14bb372ec31f98', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in 
affected_commits.commits], - ) - - def test_fixed_range_too_long(self): - """Test fixed range that's too long.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit=('eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:' - 'b587c21c36a84e16cfc6b39eb68578d43b5281ad'), - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - with self.assertLogs(level='WARNING') as logs: - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.assertEqual(logs.output, - ['WARNING:root:Too many commits in fix range.']) - - self.expect_dict_equal( - 'fixed_range_too_long', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict(), - ) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2', - b'3ea6feea9bb853596c727abab309476cc07d1505', - b'4c155795426727ea05575bd5904321def23c03f4', - b'8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'b9b3fd4732695b83c3068b7b6a14bb372ec31f98', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - def test_zero_regression_range(self): - """Test regression range 
with '0:X'.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='unknown:eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal( - 'zero_regression_range', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict(), - ) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - def test_simplify_range(self): - """Test simplifying commit range.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit=('a2ba949290915d445d34d0e8e9de2e7ce38198fc:' - 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd'), - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - severity='MEDIUM', - 
reference_urls=['https://url/'], - ) - regress_result.put() - - fix_result = osv.FixResult( - id='oss-fuzz:123', - commit=('b1c95a196f22d06fcf80df8c6691cd113d8fefff:' - '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735'), - repo_url='https://repo.com/repo', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - fix_result.put() - - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.expect_dict_equal('simplify_range', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - def test_not_fixed(self): - """Test not fixed bug.""" - message = mock.Mock() - message.attributes = { - 'source_id': 'oss-fuzz:123', - 'allocated_id': 'OSV-2020-1337', - } - - regress_result = osv.RegressResult( - id='oss-fuzz:123', - commit='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - repo_url='https://repo.com/repo', - issue_id='9001', - project='project', - ecosystem='ecosystem', - summary='Heap-buffer-overflow in Foo', - details='DETAILS', - severity='MEDIUM', - reference_urls=['https://url/'], - ) - regress_result.put() - - with self.assertLogs(level='WARNING') as logs: - oss_fuzz.process_impact_task('oss-fuzz:123', message) - self.assertEqual(logs.output, - ['WARNING:root:Missing FixResult for oss-fuzz:123']) - - self.expect_dict_equal('not_fixed', - ndb.Key(osv.Bug, 'OSV-2020-1337').get()._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2', - b'3ea6feea9bb853596c727abab309476cc07d1505', - b'4c155795426727ea05575bd5904321def23c03f4', - b'88e5ae3c40c85b702ba89a34c29f233048abb12b', - b'8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'b587c21c36a84e16cfc6b39eb68578d43b5281ad', - b'b9b3fd4732695b83c3068b7b6a14bb372ec31f98', - 
b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) - - -class EcosystemTest(unittest.TestCase): - """Test getting ecosystem.""" - - def setUp(self): - self.tmp_dir = tempfile.mkdtemp() - self.oss_fuzz_checkout = os.path.join(self.tmp_dir, 'oss-fuzz') - osv.ensure_updated_checkout(worker.OSS_FUZZ_GIT_URL, self.oss_fuzz_checkout) - - def tearDown(self): - shutil.rmtree(self.tmp_dir, ignore_errors=True) - - def test_get_ecosystem(self): - """Test getting ecosystems.""" - self.assertEqual('PyPI', - oss_fuzz.get_ecosystem(self.oss_fuzz_checkout, 'pillow')) - self.assertEqual( - 'Go', - oss_fuzz.get_ecosystem(self.oss_fuzz_checkout, 'golang-protobuf'), - ) - self.assertEqual( - 'OSS-Fuzz', - oss_fuzz.get_ecosystem(self.oss_fuzz_checkout, 'openssl'), - ) - - -class MarkBugInvalidTest(unittest.TestCase): - """Test mark_bug_invalid.""" - - def setUp(self): - ds_emulator.reset() - - def test_mark_bug_invalid(self): - """Test mark_bug_invalid.""" - osv.SourceRepository( - id='oss-fuzz', name='oss-fuzz', db_prefix=['OSV-']).put() - osv.Bug(db_id='OSV-2021-1', source_id='oss-fuzz:1337').put() - osv.AffectedCommits(bug_id='OSV-2021-1').put() - osv.AffectedCommits(bug_id='OSV-2021-1').put() - - message = mock.Mock() - message.attributes = { - 'type': 'invalid', - 'testcase_id': '1337', - 'source_id': '', - } - - worker.mark_bug_invalid(message) - bug = ndb.Key(osv.Bug, 'OSV-2021-1').get() - self.assertEqual(osv.BugStatus.INVALID, bug.status) - - commits = list(osv.AffectedCommits.query()) - self.assertEqual(0, len(commits)) - - -class FindOssFuzzFixViaCommitTest(unittest.TestCase): - """Test finding OSS-Fuzz fixes via commits.""" - - def setUp(self): - self.repo = pygit2.Repository('osv-test') - - def test_has_issue_id(self): - """Test identifying the commit that has the issue ID.""" - commit = 
oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '949f182716f037e25394bbb98d39b3295d230a29', - 'oss-fuzz:133713371337', - '12345', - ) - self.assertEqual('57e58a5d7c2bb3ce0f04f17ec0648b92ee82531f', commit) - - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '25147a74d8aeb27b43665530ee121a2a1b19dc58', - 'oss-fuzz:133713371337', - '12345', - ) - self.assertEqual('25147a74d8aeb27b43665530ee121a2a1b19dc58', commit) - - def test_has_testcase_id(self): - """Test identifying the commit that has the testcase ID.""" - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '00514d6f244f696e750a37083163992c6a50cfd3', - 'oss-fuzz:133713371337', - '12345', - ) - - self.assertEqual('90aa4127295b2c37b5f7fcf6a9772b12c99a5212', commit) - - def test_has_oss_fuzz_reference(self): - """Test identifying the commit that has the testcase ID.""" - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - 'b1fa81a5d59e9b4d6e276d82fc17058f3cf139d9', - 'oss-fuzz:133713371337', - '12345', - ) - - self.assertEqual('3c5dcf6a5bec14baab3b247d369a7270232e1b83', commit) - - def test_has_multiple_oss_fuzz_reference(self): - commit = oss_fuzz.find_oss_fuzz_fix_via_commit( - self.repo, - 'e1b045257bc5ca2a11d0476474f45ef77a0366c7', - '949f182716f037e25394bbb98d39b3295d230a29', - 'oss-fuzz:7331', - '54321', - ) - self.assertIsNone(commit) - - class RESTUpdateTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): """Vulnerability update tests.""" @@ -612,6 +71,7 @@ def setUp(self): # Initialise fake source_repo. self.tmp_dir = tempfile.TemporaryDirectory() + self.addCleanup(self.tmp_dir.cleanup) self.source_repo = osv.SourceRepository( type=osv.SourceRepositoryType.REST_ENDPOINT, 
@@ -638,7 +98,7 @@ def setUp(self): def tearDown(self): self.httpd.shutdown() - self.tmp_dir.cleanup() + # self.tmp_dir.cleanup() def test_update(self): """Test updating rest.""" @@ -662,13 +122,16 @@ def test_git_ranges(self): sha = '6138604b5537caab2afc0ee3e2b11f1574fdd5d8f3c6173f64048341cf55aee4' task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, None) - osv.Bug( - db_id='CURL-CVE-2022-32221', - ecosystem=[''], + vuln_pb = vulnerability_pb2.Vulnerability(id='CURL-CVE-2022-32221') + vuln_pb.modified.FromDatetime(datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln_ds = osv.Vulnerability( + id='CURL-CVE-2022-32221', + modified=datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC), source_id='source:CURL-CVE-2022-32221.json', - import_last_modified=datetime.datetime( - 2020, 1, 1, 0, 0, tzinfo=datetime.UTC), - ).put() + modified_raw=datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC), + ) + osv.put_entities(vuln_ds, vuln_pb) + osv.gcs.upload_vulnerability(vuln_pb) message = mock.Mock() message.attributes = { 'source': 'source', 
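Review bot: `tearDown` keeps a commented-out `# self.tmp_dir.cleanup()` after the cleanup was moved to `self.addCleanup(self.tmp_dir.cleanup)` in `setUp`; commented-out code should be deleted rather than left behind, leaving `tearDown` with only `self.httpd.shutdown()` (which could itself move to `addCleanup`). The same applies to `UpdateTest.tearDown` later in this file, which is reduced to the commented line plus `pass` and can be removed entirely. If the intent is to keep the directory around for debugging, a `# TODO` saying so would explain the leftover.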
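Review bot: `test_git_ranges` now builds its stored record by hand with the literal `datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)` repeated three times plus a `put_entities`/`upload_vulnerability` pair, which duplicates the `_put_vuln` helper added to `UpdateTest` further down this file. Hoisting the literal, `stored = datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)`, and sharing the helper (module level or a common mixin) keeps both test classes writing fixtures the same way. The `UpdateTest` helper also sets `is_withdrawn` and the `*_raw` lists, which this hand-built entity omits; whether the worker reads them on this path is not visible from the hunk. Note the call here is `osv.put_entities` while the worker uses `osv.models.put_entities` — fine if both names resolve, worth a glance.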
@@ -678,39 +141,7 @@ def test_git_ranges(self): } task_runner._source_update(message) - self.expect_dict_equal('update_no_introduced', - osv.Bug.get_by_id('CURL-CVE-2022-32221')._to_dict()) - - @unittest.skip('Takes too long. ' - 'Also, firestore emulator cannot handle records of this size.') - def test_update_redhat_toobig(self): - """Test failure handling of a too-large Red Hat record.""" - solo_endpoint = 'RHSA-2018:3140' + '.json' - sha = 'a5cc068278ddad5f4c63d9b4f27baf59f296076306a24e850c5edde1b0232b0c' - - self.source_repo.db_prefix.append('RHSA-') - self.source_repo.put() - - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': solo_endpoint, - 'original_sha256': sha, - 'deleted': 'false', - } - with self.assertLogs(level='ERROR') as logs: - task_runner._source_update(message) - - self.assertIn( - 'ERROR:root:Not writing new entities for RHSA-2018:3140 since Bug.put() failed', - logs.output[0]) - self.assertIn( - 'ERROR:root:Unexpected exception while writing RHSA-2018:3140 to Datastore', - logs.output[1]) - - self.mock_publish.assert_not_called() + self.expect_dict_equal('update_no_introduced', MessageToDict(osv.gcs.get_by_id('CURL-CVE-2022-32221'))) class UpdateTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): 
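Review bot: Removing `test_update_redhat_toobig` drops the only visible test of the Datastore write-failure path, and the log text it asserted (`Not writing new entities ... since Bug.put() failed`) no longer matches the new `_do_update`, which re-raises after `ndb.transaction(xact)` fails and separately publishes a `gcs_retry` message when the bucket upload fails. A replacement that patches `osv.gcs.upload_vulnerability` to raise and asserts `pubsub.publish_failure` is called with `type='gcs_retry'` would cover the new retry path without the oversized fixture. The new `expect_dict_equal(...)` call is also well over the file's line width; wrapping it after the open paren matches the surrounding style, as does the similar call in `test_update` below.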
@@ -727,6 +158,20 @@ def _load_test_data(self, name): with open(os.path.join(TEST_DATA_DIR, name)) as f: return f.read() + def _put_vuln(self, vuln: vulnerability_pb2.Vulnerability, source_id: str): + ds_vuln = osv.Vulnerability( + id=vuln.id, + source_id=source_id, + modified=vuln.modified.ToDatetime(datetime.UTC), + is_withdrawn=vuln.HasField('withdrawn'), + modified_raw=vuln.modified.ToDatetime(datetime.UTC), + alias_raw=list(vuln.aliases), + related_raw=list(vuln.related), + upstream_raw=list(vuln.upstream), + ) + osv.put_entities(ds_vuln, vuln) + osv.gcs.upload_vulnerability(vuln) + def setUp(self): self.maxDiff = None ds_emulator.reset() @@ -738,6 +183,7 @@ def setUp(self): # Initialise fake source_repo. self.tmp_dir = tempfile.TemporaryDirectory() + self.addCleanup(self.tmp_dir.cleanup) self.mock_repo = tests.mock_repository(self) self.remote_source_repo_path = self.mock_repo.path 
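Review bot: `_put_vuln` has no docstring, unlike the surrounding test helpers; suggested: `"""Store *vuln* in Datastore and GCS the way the worker does, tagged with *source_id*."""`. It also performs `vuln.modified.ToDatetime(datetime.UTC)` twice for `modified` and `modified_raw`; binding `modified = vuln.modified.ToDatetime(datetime.UTC)` once makes it clear the two are intentionally equal. A `-> None` return annotation would round out the typed signature.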
@@ -773,59 +219,31 @@ def setUp(self): name='source', db_prefix=['OSV-'], repo_url='file://' + self.remote_source_repo_path, - editable=True, + editable=False, repo_username='', ) self.source_repo.put() - osv.Bug( - db_id='OSV-123', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-123.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-124', - regressed='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-124.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-125', - regressed='eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - fixed='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-125.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-127', - project=['blah.com/package'], - ecosystem=['Go'], - source_id='source:OSV-127.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - osv.Bug( - db_id='OSV-131', - project=['blah.com/package'], - ecosystem=['ecosystem'], - source_id='source:OSV-131.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() + vuln = vulnerability_pb2.Vulnerability(id='OSV-123') + vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-123.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-124') + 
vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-124.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-125') + vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-125.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-127') + vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-127.yaml') + vuln = vulnerability_pb2.Vulnerability(id='OSV-131') + vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.published.CopyFrom(vuln.modified) + self._put_vuln(vuln, 'source:OSV-131.yaml') mock_publish = mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') self.mock_publish = mock_publish.start() @@ -840,7 +258,8 @@ def setUp(self): }) def tearDown(self): - self.tmp_dir.cleanup() + # self.tmp_dir.cleanup() + pass def test_update(self): """Test basic update.""" @@ -855,16 +274,7 @@ def test_update(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-123', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_update', diff.patch) - self.expect_dict_equal('update', osv.Bug.get_by_id('OSV-123')._to_dict()) + self.expect_dict_equal('update', MessageToDict(osv.gcs.get_by_id('OSV-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
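Review bot: The five seeded records are the same block repeated with only the id changed, which is easy to get out of sync when a sixth fixture is added; a loop over the ids with a shared `seed_time` says the same thing once. Note also that the old `Bug` fixtures for OSV-124/OSV-125 carried `regressed`/`fixed` commits that the new proto seeds do not, so any test that relied on a pre-existing fix (the deleted `test_update_add_fix`, if it returns) has to re-seed that state; a comment saying the seeds are intentionally bare would prevent someone "fixing" them later. The rest of `setUp` (source_repo and mock_publish setup) is unchanged.
```python
    # … unchanged: source_repo creation and put() …
    # Seed bare pre-existing records; per-test fixtures supply affected ranges.
    seed_time = datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)
    for vuln_id in ('OSV-123', 'OSV-124', 'OSV-125', 'OSV-127', 'OSV-131'):
      vuln = vulnerability_pb2.Vulnerability(id=vuln_id)
      vuln.modified.FromDatetime(seed_time)
      vuln.published.CopyFrom(vuln.modified)
      self._put_vuln(vuln, f'source:{vuln_id}.yaml')
    # … unchanged: mock_publish patching …
```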
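Review bot: `tearDown` now consists of commented-out code and `pass` (`# self.tmp_dir.cleanup()`), which reads as a debugging leftover; since `setUp` already registers `self.addCleanup(self.tmp_dir.cleanup)`, the override should be deleted outright rather than kept as a dead method. If the intent is to keep the temp dir around for inspection on failure, say so in a comment and gate it on an environment variable instead of disabling cleanup unconditionally.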
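Review bot: `MessageToDict(osv.gcs.get_by_id('OSV-123'))` serialises with the default lowerCamelCase field names, while `sources.vulnerability_to_dict` in this same diff uses `preserving_proto_field_name=True`, so the regenerated expectation files will not look like the OSV JSON the worker actually writes (e.g. `last_affected` becomes `lastAffected`). Every test in this file repeats the same call, so add one helper and use it throughout: `def _gcs_dict(self, vuln_id: str) -> dict:` / `"""Fetch vuln_id from the mock bucket as an OSV-schema (snake_case) dict."""` / `return MessageToDict(osv.gcs.get_by_id(vuln_id), preserving_proto_field_name=True)`. The `AffectedCommits` assertions of `test_update` continue past the hunk.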
@@ -896,17 +306,7 @@ def test_update_limit(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-128', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_update_limit', diff.patch) - self.expect_dict_equal('update_limit', - osv.Bug.get_by_id('OSV-128')._to_dict()) + self.expect_dict_equal('update_limit', MessageToDict(osv.gcs.get_by_id('OSV-128'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -922,51 +322,6 @@ def test_update_limit(self): [codecs.encode(commit, 'hex') for commit in affected_commits.commits], ) - def test_update_add_fix(self): - """Test basic update adding a fix.""" - fix_result = osv.FixResult( - id='source:OSV-124.yaml', - repo_url='https://osv-test/repo/url', - commit='8d8242f545e9cec3e6d0d2e3f5bde8be1c659735', - ) - fix_result.put() - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': 'OSV-124.yaml', - 'original_sha256': _sha256('OSV-124.yaml'), - 'deleted': 'false', - } - task_runner._source_update(message) - - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-124', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_update_add_fix', diff.patch) - self.expect_dict_equal('update_add_fix', - osv.Bug.get_by_id('OSV-124')._to_dict()) - - affected_commits = list(osv.AffectedCommits.query()) - self.assertEqual(1, len(affected_commits)) - affected_commits = affected_commits[0] - - self.assertCountEqual( - [ - b'4c155795426727ea05575bd5904321def23c03f4', - b'b1c95a196f22d06fcf80df8c6691cd113d8fefff', - b'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd', - b'febfac1940086bc1f6d3dc33fda0a1d1ba336209', - b'ff8cc32ba60ad9cbb3b23f0a82aad96ebe9ff76b', - ], - [codecs.encode(commit, 'hex') for commit in affected_commits.commits], - ) def test_update_no_introduced(self): """Test update vulnerability with no introduced commit.""" 
@@ -982,17 +337,7 @@ def test_update_no_introduced(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-127', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_dict_equal('update_no_introduced', - osv.Bug.get_by_id('OSV-127')._to_dict()) - self.expect_equal('diff_update_no_introduced', diff.patch) + self.expect_dict_equal('update_no_introduced', MessageToDict(osv.gcs.get_by_id('OSV-127'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -1038,52 +383,35 @@ def test_update_new(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-126', commit.message) - - self.expect_dict_equal('update_new', - osv.Bug.get_by_id('OSV-126')._to_dict()) + self.expect_dict_equal('update_new', MessageToDict(osv.gcs.get_by_id('OSV-126'))) def test_update_delete(self): """Test deletion.""" task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, None) - self.mock_repo.delete_file('OSV-123.yaml') - self.mock_repo.commit('User', 'user@email') - message = mock.Mock() message.attributes = { 'source': 'source', 'path': 'OSV-123.yaml', 'original_sha256': _sha256('OSV-123.yaml'), - 'deleted': 'true', + 'deleted': 'false', } task_runner._source_update(message) - bug = osv.Bug.get_by_id('OSV-123') - self.assertEqual(osv.BugStatus.INVALID, bug.status) + self.mock_repo.delete_file('OSV-123.yaml') + self.mock_repo.commit('User', 'user@email') - def test_update_no_changes(self): - """Test basic update (with no changes).""" - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) message = mock.Mock() message.attributes = { 'source': 'source', - 'path': 'OSV-125.yaml', - 'original_sha256': _sha256('OSV-125.yaml'), - 'deleted': 'false', + 'path': 'OSV-123.yaml', + 'original_sha256': _sha256('OSV-123.yaml'), + 'deleted': 'true', } task_runner._source_update(message) - - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('user@email', commit.author.email) - self.assertEqual('User', commit.author.name) + vuln = osv.Vulnerability.get_by_id('OSV-123') + self.assertTrue(vuln.is_withdrawn) + vuln_pb = osv.gcs.get_by_id('OSV-123') + self.assertTrue(vuln_pb.HasField('withdrawn')) def test_update_conflict(self): """Test basic update with 
a conflict.""" 
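Review bot: The rewritten `test_update_delete` only checks the two withdrawn flags; the security-relevant effect of a withdrawal — that the record stops being served — is what `put_entities` implements (deleting the `ListedVulnerability` key and the `AffectedVersions` rows when `is_withdrawn`) together with `osv.update_affected_commits(vuln_id, [], False)`, and none of that is asserted. After the second `_source_update`, add `self.assertIsNone(ndb.Key(osv.ListedVulnerability, 'OSV-123').get())`, `self.assertEqual([], osv.AffectedVersions.query(osv.AffectedVersions.vuln_id == 'OSV-123').fetch())` and `self.assertEqual([], list(osv.AffectedCommits.query()))` (assuming `ListedVulnerability` is exported from `osv` like `Vulnerability`), so a regression that leaves a withdrawn vuln matchable is caught. A one-line comment on the first `_source_update` call saying it seeds the record that the delete then withdraws would make the two-step shape obvious.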
@@ -1106,65 +434,6 @@ def test_update_conflict(self): ], ) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - # Latest commit is still the user commit. - self.assertEqual('user@email', commit.author.email) - self.assertEqual('User', commit.author.name) - - def test_update_conflict_while_pushing(self): - """Test basic update with a conflict while pushing.""" - original_push_source_changes = osv.push_source_changes - - def mock_push_source_changes(*args, **kwargs): - self.mock_repo.add_file('OSV-123.yaml', 'changed') - self.mock_repo.commit('Another user', 'user@email') - - original_push_source_changes(*args, **kwargs) - - patcher = mock.patch('osv.push_source_changes') - self.addCleanup(patcher.stop) - patcher.start().side_effect = mock_push_source_changes - - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': 'OSV-123.yaml', - 'original_sha256': _sha256('OSV-123.yaml'), - 'deleted': 'false', - } - - with self.assertLogs(level='WARNING') as logs: - task_runner._source_update(message) - - self.assertEqual(len(logs.output), 4) - self.assertEqual( - logs.output[0], - 'ERROR:absl:Code extraction failed for OSV-123 (Unsupported ecosystem: Go). Skipping affected[0]', - ) - self.assertEqual( - logs.output[1], - 'WARNING:root:Failed to push: cannot push because a reference that you are trying to update on the remote contains commits that are not present locally.', - ) - self.assertRegex( - logs.output[2], - r'WARNING:root:Upstream hash for .*/OSV-123.yaml changed \(expected=.* vs current=.*\)', - ) - self.assertEqual( - logs.output[3], - 'WARNING:root:Discarding changes for OSV-123 due to conflicts.', - ) - - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - # Latest commit is still the user commit. 
- self.assertEqual('user@email', commit.author.email) - self.assertEqual('Another user', commit.author.name) - def test_update_pypi(self): """Test a PyPI entry.""" self.source_repo.ignore_git = False @@ -1189,17 +458,7 @@ def test_update_pypi(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update PYSEC-123', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_equal('diff_pypi', diff.patch) - - self.expect_dict_equal('update_pypi', - ndb.Key(osv.Bug, 'PYSEC-123').get()._to_dict()) + self.expect_dict_equal('update_pypi', MessageToDict(osv.gcs.get_by_id('PYSEC-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -1239,16 +498,7 @@ def test_normalize_pypi(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_normalized_pypi', diff.patch) - - self.expect_dict_equal( - 'normalized_pypi', - ndb.Key(osv.Bug, 'PYSEC-456').get()._to_dict(), - ) + self.expect_dict_equal('normalized_pypi', MessageToDict(osv.gcs.get_by_id('PYSEC-456'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
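Review bot: With the `diff_normalized_pypi` git-diff check gone, the only evidence that `test_normalize_pypi` still normalises the package name is buried in the `normalized_pypi` expectation file, which is easy to regenerate blindly when the fixture drifts. Pin the behaviour the test is named for explicitly, e.g. `vuln = osv.gcs.get_by_id('PYSEC-456')` followed by `self.assertEqual(<expected normalised name>, vuln.affected[0].package.name)`; I cannot see PYSEC-456.yaml from here, so fill in the expected name from the fixture. The `AffectedCommits` checks continue past the hunk.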
@@ -1289,19 +539,7 @@ def test_update_last_affected(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update PYSEC-124', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_equal('diff_last_affected', diff.patch) - - self.expect_dict_equal( - 'update_last_affected', - ndb.Key(osv.Bug, 'PYSEC-124').get()._to_dict(), - ) + self.expect_dict_equal('update_last_affected', MessageToDict(osv.gcs.get_by_id('PYSEC-124'))) def test_update_maven(self): """Test updating maven.""" 
@@ -1328,34 +566,22 @@ def test_update_maven(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update GHSA-838r-hvwh-24h8', commit.message) - diff = repo.diff(commit.parents[0], commit) - self.expect_equal('diff_maven', diff.patch) - - self.expect_dict_equal( - 'update_maven', - ndb.Key(osv.Bug, 'GHSA-838r-hvwh-24h8').get()._to_dict(), - ) + self.expect_dict_equal('update_maven', + MessageToDict(osv.gcs.get_by_id('GHSA-838r-hvwh-24h8'))) self.mock_publish.assert_not_called() def test_update_linux(self): """Test a Linux entry.""" - self.skipTest("Prefix not supported by schema") self.source_repo.ignore_git = False self.source_repo.versions_from_repo = False self.source_repo.detect_cherrypicks = False - self.source_repo.db_prefix.append('LINUX-') + self.source_repo.db_prefix.append('GSD-') self.source_repo.put() self.mock_repo.add_file( - 'LINUX-123.yaml', - self._load_test_data(os.path.join(TEST_DATA_DIR, 'LINUX-123.yaml')), + 'GSD-123.yaml', + self._load_test_data(os.path.join(TEST_DATA_DIR, 'GSD-123.yaml')), ) self.mock_repo.commit('User', 'user@email') task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, @@ -1363,16 +589,13 @@ def test_update_linux(self): message = mock.Mock() message.attributes = { 'source': 'source', - 'path': 'LINUX-123.yaml', - 'original_sha256': _sha256('LINUX-123.yaml'), + 'path': 'GSD-123.yaml', + 'original_sha256': _sha256('GSD-123.yaml'), 'deleted': 'false', } task_runner._source_update(message) - self.expect_dict_equal( - 'update_linux', - ndb.Key(osv.Bug, 'LINUX-123').get()._to_dict(), - ) + self.expect_dict_equal('update_linux', MessageToDict(osv.gcs.get_by_id('GSD-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
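Review bot: The test now loads `GSD-123.yaml` under a `GSD-` prefix but keeps the name `test_update_linux`, the docstring `"""Test a Linux entry."""` and the `update_linux` expectation name, so the next reader will look for a Linux fixture that no longer exists. Rename it to `test_update_gsd` with docstring `"""Test an entry under a non-OSV db_prefix (GSD-)."""` and expectation `update_gsd`, or add a one-line comment explaining why the GSD fixture now stands in for the old LINUX one. The method body spans this hunk and the following one.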
@@ -1407,8 +630,7 @@ def test_update_bucket(self): } task_runner._source_update(message) - self.expect_dict_equal('update_bucket_0', - osv.Bug.get_by_id('GO-2021-0085')._to_dict()) + self.expect_dict_equal('update_bucket_0', MessageToDict(osv.gcs.get_by_id('GO-2021-0085'))) def test_update_debian(self): """Test updating debian.""" @@ -1434,20 +656,7 @@ def test_update_debian(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update DSA-3029-1', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_debian', diff.patch) - - self.expect_dict_equal( - 'update_debian', - ndb.Key(osv.Bug, 'DSA-3029-1').get()._to_dict(), - ) + self.expect_dict_equal('update_debian', MessageToDict(osv.gcs.get_by_id('DSA-3029-1'))) self.mock_publish.assert_not_called() @@ -1476,22 +685,7 @@ def test_update_alpine(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update CVE-2022-27449', commit.message) - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_alpine', diff.patch) - - self.expect_dict_equal( - 'update_alpine', - ndb.Key(osv.Bug, 'CVE-2022-27449').get()._to_dict(), - ) - - self.mock_publish.assert_not_called() + self.expect_dict_equal('update_alpine', MessageToDict(osv.gcs.get_by_id('CVE-2022-27449'))) def test_update_android(self): """Test updating Android through bucket entries.""" 
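Review bot: `self.mock_publish.assert_not_called()` was dropped from `test_update_alpine`, while the identical check in `test_update_maven` and `test_update_debian` is kept in this same diff, so the Alpine path loses its guard that a plain update emits no pub/sub message and no reason for the asymmetry is visible in the hunk. If the Alpine flow now legitimately publishes, assert what it publishes instead (`self.mock_publish.assert_called_once()` plus the expected topic and attributes); otherwise restore the line.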
@@ -1514,8 +708,7 @@ def test_update_android(self): } task_runner._source_update(message) - self.expect_dict_equal('update_bucket_2', - osv.Bug.get_by_id('ASB-A-153358911')._to_dict()) + self.expect_dict_equal('update_bucket_2', MessageToDict(osv.gcs.get_by_id('ASB-A-153358911'))) def test_update_bad_ecosystem_new(self): """Test adding from an unsupported ecosystem.""" @@ -1538,8 +731,7 @@ def test_update_bad_ecosystem_new(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - bug = osv.Bug.get_by_id('OSV-129') - self.assertEqual(osv.BugStatus.INVALID, bug.status) + self.expect_dict_equal('update_bad_ecosystem_new', MessageToDict(osv.gcs.get_by_id('OSV-129'))) def test_update_partly_bad_ecosystem_new(self): """Test adding vuln with both supported and unsupported ecosystem.""" @@ -1562,17 +754,7 @@ def test_update_partly_bad_ecosystem_new(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - - self.assertEqual('infra@osv.dev', commit.author.email) - self.assertEqual('OSV', commit.author.name) - self.assertEqual('Update OSV-130', commit.message) - - self.expect_dict_equal( - 'update_partly_bad_ecosystem_new', - osv.Bug.get_by_id('OSV-130')._to_dict(), - ) + self.expect_dict_equal('update_partly_bad_ecosystem_new', MessageToDict(osv.gcs.get_by_id('OSV-130'))) def test_update_partly_bad_ecosystem_delete(self): """Test removal of only supported ecosystem in vulnerability with 
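Review bot: Replacing `self.assertEqual(osv.BugStatus.INVALID, bug.status)` with a dict comparison changes what `test_update_bad_ecosystem_new` guarantees: before, it pinned that an unsupported-ecosystem record was marked invalid (not served); now it only pins the bytes written to GCS, and nothing checks whether OSV-129 is excluded from matching. If the intended behaviour is still that such records are not searchable, add `self.assertEqual([], osv.AffectedVersions.query(osv.AffectedVersions.vuln_id == 'OSV-129').fetch())` (and the same for OSV-131 in `test_update_partly_bad_ecosystem_delete` further down); if they are now served, the docstring should say so. Either way, a comment stating the expected serving status makes the expectation file meaningful rather than a snapshot.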
@@ -1590,9 +772,8 @@ def test_update_partly_bad_ecosystem_delete(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - - bug = osv.Bug.get_by_id('OSV-131') - self.assertEqual(osv.BugStatus.INVALID, bug.status) + + self.expect_dict_equal('update_partly_bad_ecosystem_delete', MessageToDict(osv.gcs.get_by_id('OSV-131'))) def test_update_bucket_cve(self): """Test a bucket entry that is a converted CVE and doesn't have an ecosystem.""" @@ -1616,9 +797,7 @@ def test_update_bucket_cve(self): } task_runner._source_update(message) - processed_result = osv.Bug.get_by_id('CVE-2016-15011') - - self.expect_dict_equal('update_bucket_cve', processed_result._to_dict()) + self.expect_dict_equal('update_bucket_cve', MessageToDict(osv.gcs.get_by_id('CVE-2016-15011'))) def test_last_affected_git(self): """Basic last_affected GIT enumeration.""" @@ -1647,16 +826,7 @@ def test_last_affected_git(self): } task_runner._source_update(message) - repo = pygit2.Repository(self.remote_source_repo_path) - commit = repo.head.peel() - diff = repo.diff(commit.parents[0], commit) - - self.expect_equal('diff_last_affected_git', diff.patch) - - self.expect_dict_equal( - 'last_affected_git', - ndb.Key(osv.Bug, 'OSV-TEST-last-affected-01').get()._to_dict(), - ) + self.expect_dict_equal('last_affected_git', MessageToDict(osv.gcs.get_by_id('OSV-TEST-last-affected-01'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -1671,51 +841,6 @@ def test_last_affected_git(self): [codecs.encode(commit, 'hex') for commit in affected_commits.commits], ) - def test_invalid_prefix(self): - """Test attempting to create a bug with a invalid db_prefix.""" - with self.assertRaises(ValueError): - # Default db_prefix is `OSV-` - osv.Bug( - db_id='BLAH-131', - project=['blah.com/package'], - ecosystem=['ecosystem'], - source_id='source:OSV-131.yaml', - import_last_modified=datetime.datetime( - 2021, 1, 1, 0, 0, tzinfo=datetime.UTC), - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - ).put() - - def test_dont_index_too_many_git_versions(self): - """Test that we don't index too many versions from Git.""" - self.source_repo.ignore_git = False - self.source_repo.versions_from_repo = True - self.source_repo.detect_cherrypicks = True - self.source_repo.put() - - # Use any valid OSV input test file here. - self.mock_repo.add_file( - 'OSV-TEST-last-affected-01.yaml', - self._load_test_data( - os.path.join(TEST_DATA_DIR, 'OSV-TEST-last-affected-01.yaml')), - ) - self.mock_repo.commit('User', 'user@email') - task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, - None) - message = mock.Mock() - message.attributes = { - 'source': 'source', - 'path': 'OSV-TEST-last-affected-01.yaml', - 'original_sha256': _sha256('OSV-TEST-last-affected-01.yaml'), - 'deleted': 'false', - } - task_runner._source_update(message) - - bug = ndb.Key(osv.Bug, 'OSV-TEST-last-affected-01').get() - - # Manually append versions over the expected version limit. - bug.affected_packages[0].versions = ['%05d' % i for i in range(5001)] - bug.put() - self.expect_dict_equal('dont_index_too_many_git_versions', bug._to_dict()) def test_update_clears_stale_import_finding(self): """A subsequent successful update removes the now stale import finding.""" 
@@ -1765,13 +890,15 @@ def test_ubuntu_severity(self): } task_runner._source_update(message) - bug = ndb.Key(osv.Bug, 'UBUNTU-CVE-2025-38094').get() - self.expect_dict_equal('ubuntu_severity_type', bug._to_dict()) + self.expect_dict_equal('ubuntu_severity_type', MessageToDict(osv.gcs.get_by_id('UBUNTU-CVE-2025-38094'))) def setUpModule(): """Set up the test module.""" print("Starting Datastore Emulator for the test suite...") + # Silence logs coming from Vanir + absl_logger = logging.getLogger('absl') + absl_logger.setLevel(logging.CRITICAL) global ds_emulator, ndb_client # Start the emulator BEFORE creating the ndb client ds_emulator = unittest.enterModuleContext(tests.datastore_emulator()) diff --git a/osv/models.py b/osv/models.py index 73f99a69442..cb829eee9ff 100644 --- a/osv/models.py +++ b/osv/models.py @@ -81,7 +81,7 @@ def _check_valid_event_type(prop, value): raise ValueError('Invalid event type: ' + value) -def utcnow(): +def utcnow() -> datetime.datetime: """For mocking.""" return datetime.datetime.now(datetime.UTC) @@ -960,7 +960,6 @@ class Vulnerability(ndb.Model): # When this record was truly last modified (including e.g. aliases/upstream). modified: datetime.datetime = ndb.DateTimeProperty(tzinfo=datetime.UTC) # Whether this record has been withdrawn - # TODO(michaelkedar): I don't think this is necessary is_withdrawn: bool = ndb.BooleanProperty() # Raw fields from the original source. @@ -1140,8 +1139,6 @@ def populate_entities_from_bug(entity: Bug): include_source=True, include_alias=True, include_upstream=True) def transaction(): - to_put = [] - to_delete = [] vuln = Vulnerability.get_by_id(entity.db_id) if vuln is None: vuln = Vulnerability(id=entity.db_id) 
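Review bot: `absl_logger.setLevel(logging.CRITICAL)` in `setUpModule` mutes absl for the whole process and is never restored, so it also hides genuine `ERROR:absl:` output (the kind the deleted conflict test asserted on) and leaks into any other test module run in the same process. Capture the old level and register a cleanup next to `enterModuleContext`: `old_level = absl_logger.level`, `absl_logger.setLevel(logging.CRITICAL)`, `unittest.addModuleCleanup(absl_logger.setLevel, old_level)`. Consider `logging.ERROR` rather than `CRITICAL` so real errors still surface in failing runs; the `# Silence logs coming from Vanir` comment should then say which logger noise it targets.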
@@ -1153,23 +1150,7 @@ def transaction(): vuln.alias_raw = entity.aliases vuln.related_raw = entity.related vuln.upstream_raw = entity.upstream_raw - to_put.append(vuln) - - old_affected = AffectedVersions.query( - AffectedVersions.vuln_id == entity.db_id).fetch() - if vuln.is_withdrawn: - # We do not want the vuln to be searchable if it's been withdrawn. - to_delete.append(ndb.Key(ListedVulnerability, vuln_pb.id)) - to_delete.extend(av.key for av in old_affected) - else: - to_put.append(ListedVulnerability.from_vulnerability(vuln_pb)) - new_affected = affected_from_bug(entity) - added, removed = diff_affected_versions(old_affected, new_affected) - to_put.extend(added) - to_delete.extend(r.key for r in removed) - - ndb.put_multi(to_put) - ndb.delete_multi(to_delete) + put_entities(vuln, vuln_pb) ndb.transaction(transaction) try: @@ -1180,6 +1161,23 @@ def transaction(): data = vuln_pb.SerializeToString(deterministic=True) pubsub.publish_failure(data, type='gcs_retry') +def put_entities(ds_vuln: Vulnerability, vuln_pb: vulnerability_pb2.Vulnerability): + to_put = [ds_vuln] + to_delete = [] + old_affected = AffectedVersions.query( + AffectedVersions.vuln_id == vuln_pb.id).fetch() + if ds_vuln.is_withdrawn: + to_delete.append(ndb.Key(ListedVulnerability, vuln_pb.id)) + to_delete.extend(av.key for av in old_affected) + else: + to_put.append(ListedVulnerability.from_vulnerability(vuln_pb)) + new_affected = affected_from_proto(vuln_pb) + added, removed = diff_affected_versions(old_affected, new_affected) + to_put.extend(added) + to_delete.extend(r.key for r in removed) + + ndb.put_multi(to_put) + ndb.delete_multi(to_delete) def _get_coarse_min_max(events: list[AffectedEvent], e_helper: ecosystems.OrderedEcosystem, 
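Review bot: `put_entities` is a new public function with no docstring, and its correctness rests on a precondition the signature does not convey: it reads `AffectedVersions` for `vuln_pb.id` and then puts/deletes based on that read, so it must run inside an `ndb.transaction` (as `populate_entities_from_bug` here and `_handle_deleted` in worker.py do) or two concurrent updates can leave stale or duplicated rows; the test helper `_put_vuln` already calls it bare. Add `"""Write ds_vuln plus its derived search entities (ListedVulnerability, AffectedVersions). Must be called inside an ndb transaction. Withdrawal is driven by ds_vuln.is_withdrawn, so callers must keep it in sync with vuln_pb.withdrawn."""`. The function is also separated from its neighbours by a single blank line where the file uses two.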
@@ -1203,14 +1201,14 @@ def _get_coarse_min_max(events: list[AffectedEvent], # Coarse versioning not yet implemented for this ecosystem. pass except ValueError: - logging.warning('Invalid version in %s', db_id) + logging.warning('Invalid version in %s %s', db_id, events) coarse_min = MIN_COARSE_VERSION coarse_max = MAX_COARSE_VERSION return coarse_min, coarse_max -def _affected_versions_from_package(affected: AffectedPackage, +def _affected_versions_from_affected_proto(affected: vulnerability_pb2.Affected, db_id: str) -> list[AffectedVersions]: """Compute AffectedVersions for a single affected package.""" affected_versions = [] @@ -1232,16 +1230,25 @@ def _affected_versions_from_package(affected: AffectedPackage, repo_url = '' pkg_has_affected = False for r in affected.ranges: - if r.type == 'GIT': + if r.type == vulnerability_pb2.Range.Type.GIT: if not repo_url: - repo_url = r.repo_url + repo_url = r.repo continue - if r.type not in ('SEMVER', 'ECOSYSTEM'): - logging.warning('Unknown range type "%s" in %s', r.type, db_id) + if r.type not in (vulnerability_pb2.Range.Type.SEMVER, vulnerability_pb2.Range.Type.ECOSYSTEM): + logging.warning('Unknown range type "%d" in %s', r.type, db_id) continue - events = r.events - if not events: + if not r.events: continue + events = [] + for e in r.events: + if e.introduced: + events.append(AffectedEvent(type='introduced', value=e.introduced)) + elif e.fixed: + events.append(AffectedEvent(type='fixed', value=e.fixed)) + elif e.limit: + events.append(AffectedEvent(type='limit', value=e.limit)) + elif e.last_affected: + events.append(AffectedEvent(type='last_affected', value=e.last_affected)) pkg_has_affected = True coarse_min = MIN_COARSE_VERSION coarse_max = MAX_COARSE_VERSION @@ -1285,7 +1292,7 @@ def _affected_versions_from_package(affected: AffectedPackage, vuln_id=db_id, ecosystem=e, name=pkg_name, - versions=affected.versions, + versions=list(affected.versions), coarse_min=coarse_min, coarse_max=coarse_max, )) 
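Review bot: `versions=list(affected.versions)` copies every version from the proto into `AffectedVersions` with no visible bound, and this same diff deletes `test_dont_index_too_many_git_versions`, which guarded a cap on indexed versions (it pushed 5001 entries over the limit); if that cap was enforced only on the old `Bug` entity, a source record with a huge `versions` list can now yield an oversized Datastore entity, the failure mode the deleted Red Hat test also covered. Either truncate here with a logged warning, e.g. `versions=list(affected.versions)[:MAX_INDEXED_VERSIONS]` behind a module constant, or add a comment pointing to where the limit is now applied. The new event-conversion loop also silently drops an event with none of `introduced`/`fixed`/`limit`/`last_affected` set; a `# skip malformed events` comment (or a warning with `db_id`) would make that deliberate rather than accidental.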
@@ -1313,18 +1320,18 @@ def _affected_versions_from_package(affected: AffectedPackage, vuln_id=db_id, ecosystem='GIT', name=normalize_repo_package(repo_url), - versions=affected.versions, + versions=list(affected.versions), )) return affected_versions -def affected_from_bug(entity: Bug) -> list[AffectedVersions]: - """Compute the AffectedVersions from a Bug entity.""" +def affected_from_proto(vuln_pb: vulnerability_pb2.Vulnerability) -> list[AffectedVersions]: + """Compute the AffectedVersions from a Vulnerability proto.""" affected_versions = [] - for affected in entity.affected_packages: + for affected in vuln_pb.affected: affected_versions.extend( - _affected_versions_from_package(affected, entity.db_id)) + _affected_versions_from_affected_proto(affected, vuln_pb.id)) # Deduplicate and sort the affected_versions unique_affected_dict = {av.sort_key(): av for av in affected_versions} @@ -1333,7 +1340,6 @@ def affected_from_bug(entity: Bug) -> list[AffectedVersions]: return affected_versions - def diff_affected_versions( old: list[AffectedVersions], new: list[AffectedVersions] ) -> tuple[list[AffectedVersions], list[AffectedVersions]]: diff --git a/osv/sources.py b/osv/sources.py index f6fe6e98156..91d63e2d0a5 100644 --- a/osv/sources.py +++ b/osv/sources.py @@ -90,7 +90,7 @@ def remove_implicit_resolver(cls, tag_to_remove): NoDatesSafeLoader.remove_implicit_resolver('tag:yaml.org,2002:timestamp') -def _parse_vulnerability_dict(path): +def _parse_vulnerability_dict(path: str) -> dict: """Parse a vulnerability file into a dict.""" with open(path) as f: ext = os.path.splitext(path)[1] @@ -106,7 +106,7 @@ def _parse_vulnerability_dict(path): @cache.cached(shared_cache) -def load_schema(): +def load_schema() -> dict: path = os.path.join( os.path.dirname(os.path.abspath(__file__)), 'osv-schema', 'validation', 'schema.json') 
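Review bot: The new `-> dict` annotation on `_parse_vulnerability_dict` is wrong for multi-record files: `parse_vulnerabilities` feeds its result straight into `_parse_vulnerabilities`, which is annotated `data: dict | list[dict]` and branches on `isinstance(data, list)`, so the parsed file can legitimately be a list. Change it to `-> dict | list[dict]` and the docstring to `"""Parse a vulnerability file into a dict, or a list of dicts for multi-record files."""` so a type checker does not flag the list branch as unreachable.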
@@ -115,13 +115,13 @@ def load_schema(): return json.loads(text) -def parse_vulnerability(path, key_path=None, strict=False): +def parse_vulnerability(path: str, key_path=None, strict=False) -> vulnerability_pb2.Vulnerability: """Parse vulnerability YAML/JSON.""" data = _parse_vulnerability_dict(path) return parse_vulnerability_from_dict(data, key_path, strict) -def _parse_vulnerabilities(data, key_path, strict=False): +def _parse_vulnerabilities(data: dict | list[dict], key_path, strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse multiple vulnerabilities.""" if isinstance(data, list): return [parse_vulnerability_from_dict(v, key_path, strict) for v in data] @@ -129,16 +129,16 @@ def _parse_vulnerabilities(data, key_path, strict=False): return [parse_vulnerability_from_dict(data, key_path, strict)] -def parse_vulnerabilities(path, key_path=None, strict=False): +def parse_vulnerabilities(path: str, key_path=None, strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse vulnerabilities (potentially multiple in a list).""" return _parse_vulnerabilities( _parse_vulnerability_dict(path), key_path, strict) -def parse_vulnerabilities_from_data(data_text, - extension, +def parse_vulnerabilities_from_data(data_text: str | bytes, + extension: str, key_path=None, - strict=False): + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse vulnerabilities from data.""" if extension in YAML_EXTENSIONS: data = yaml.load(data_text, Loader=NoDatesSafeLoader) @@ -150,7 +150,7 @@ def parse_vulnerabilities_from_data(data_text, return _parse_vulnerabilities(data, key_path, strict) -def _get_nested_vulnerability(data, key_path=None): +def _get_nested_vulnerability(data: dict, key_path=None) -> dict: """Get nested vulnerability.""" if key_path: try: 
@@ -162,7 +162,7 @@ def _get_nested_vulnerability(data, key_path=None): return data -def parse_vulnerability_from_dict(data, key_path=None, strict=False): +def parse_vulnerability_from_dict(data: dict, key_path=None, strict=False) -> vulnerability_pb2.Vulnerability: """Parse vulnerability from dict.""" data = _get_nested_vulnerability(data, key_path) try: @@ -195,7 +195,7 @@ class YamlDumper(yaml.SafeDumper): YamlDumper.add_representer(str, _yaml_str_representer) -def vulnerability_to_dict(vulnerability): +def vulnerability_to_dict(vulnerability: vulnerability_pb2.Vulnerability) -> dict: """Convert Vulnerability to a dict.""" result = json_format.MessageToDict( vulnerability, preserving_proto_field_name=True) @@ -215,7 +215,7 @@ def vulnerability_to_dict(vulnerability): return result -def _write_vulnerability_dict(data, output_path, +def _write_vulnerability_dict(data: dict, output_path: str, modified_date_timestamp: float): """Write a vulnerability dict to disk.""" with open(output_path, 'w') as f: @@ -231,7 +231,7 @@ def _write_vulnerability_dict(data, output_path, def write_vulnerability(vulnerability: vulnerability_pb2.Vulnerability, - output_path, + output_path: str, key_path=None): """Update a vulnerability file on disk.""" if os.path.exists(output_path): From a84c6a845f37b47589ed7b92fc64f835bdac498e Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Thu, 22 Jan 2026 14:54:53 +1100 Subject: [PATCH 2/6] lint bigly --- gcp/workers/worker/worker.py | 85 ++++++++++++++++------------ gcp/workers/worker/worker_test.py | 94 +++++++++++++++++++------------ osv/models.py | 23 ++++++-- osv/sources.py | 31 +++++++--- 4 files changed, 145 insertions(+), 88 deletions(-) diff --git a/gcp/workers/worker/worker.py b/gcp/workers/worker/worker.py index 4819b96135a..281c892806e 100644 --- a/gcp/workers/worker/worker.py +++ b/gcp/workers/worker/worker.py 
@@ -269,7 +269,9 @@ def fix_invalid_ghsa(vulnerability): return True -def maybe_normalize_package_names(vulnerability: vulnerability_pb2.Vulnerability) -> vulnerability_pb2.Vulnerability: +def maybe_normalize_package_names( + vulnerability: vulnerability_pb2.Vulnerability +) -> vulnerability_pb2.Vulnerability: """Normalize package names as necessary.""" for affected in vulnerability.affected: if not affected.package.ecosystem: @@ -338,7 +340,7 @@ def _source_update(self, message): if not os.path.exists(vuln_path): logging.info('%s was deleted.', vuln_path) if deleted: - self._handle_deleted(source_repo, path) + self._handle_deleted(path) return @@ -356,7 +358,7 @@ def _source_update(self, message): current_sha256 = osv.sha256(vuln_path) elif source_repo.type == osv.SourceRepositoryType.BUCKET: if deleted: - self._handle_deleted(source_repo, path) + self._handle_deleted(path) return storage_client = storage.Client() bucket = storage_client.bucket(source_repo.bucket) @@ -379,7 +381,7 @@ def _source_update(self, message): repo = None elif source_repo.type == osv.SourceRepositoryType.REST_ENDPOINT: if deleted: - self._handle_deleted(source_repo, path) + self._handle_deleted(path) return vulnerabilities = [] request = requests.get(source_repo.link + path, timeout=_TIMEOUT_SECONDS) @@ -418,11 +420,11 @@ def _source_update(self, message): for vulnerability in vulnerabilities: self._do_update(source_repo, repo, vulnerability, path, original_sha256) - def _handle_deleted(self, source_repo, vuln_path): - """Handle existing vulns that have been subsequently deleted at their source. + def _handle_deleted(self, vuln_path: str): + """Handle existing vulns that have been subsequently deleted at their + source. Args: - source_repo: Source repository. vuln_path: Path to vulnerability. This marks the Vulnerability as withdrawn. 
@@ -431,6 +433,7 @@ def _handle_deleted(self, source_repo, vuln_path): vuln_and_gen = osv.gcs.get_by_id_with_generation(vuln_id) gcs_gen = None proto_vuln = None + def xact(): nonlocal gcs_gen nonlocal proto_vuln @@ -453,18 +456,19 @@ def xact(): proto_vuln = vulnerability_pb2.Vulnerability(id=vuln_id) else: proto_vuln, gcs_gen = vuln_and_gen - + if not proto_vuln.HasField('withdrawn'): # in case this was already withdrawn for some reason proto_vuln.withdrawn.FromDatetime(datetime.datetime.now(datetime.UTC)) if (not proto_vuln.HasField('modified') or - proto_vuln.withdrawn.ToDatetime(datetime.UTC) > proto_vuln.modified.ToDatetime(datetime.UTC)): + proto_vuln.withdrawn.ToDatetime( + datetime.UTC) > proto_vuln.modified.ToDatetime(datetime.UTC)): proto_vuln.modified.CopyFrom(proto_vuln.withdrawn) ds_vuln.is_withdrawn = True ds_vuln.modified = proto_vuln.modified.ToDatetime(datetime.UTC) osv.models.put_entities(ds_vuln, proto_vuln) osv.update_affected_commits(vuln_id, [], False) - + try: ndb.transaction(xact) except (google.api_core.exceptions.Cancelled, ndb.exceptions.Error) as e: @@ -476,12 +480,12 @@ def xact(): return try: osv.gcs.upload_vulnerability(proto_vuln, gcs_gen) - except Exception as e: - # Writing to bucket failed for some reason. Send a pub/sub message to retry. + except Exception: + # Writing to bucket failed for some reason. + # Send a pub/sub message to retry. logging.error('Writing to bucket failed for %s', vuln_id) data = proto_vuln.SerializeToString(deterministic=True) - pubsub.publish_failure(data, type='gcs_retry') - + osv.pubsub.publish_failure(data, type='gcs_retry') def _push_new_ranges_and_versions(self, source_repo, repo, vulnerability, output_path, original_sha256): 
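Review bot: Dropping `as e` in `except Exception:` around `osv.gcs.upload_vulnerability` discards the only record of why the bucket write failed, since the following `logging.error` logs just `vuln_id`; changing it to `logging.exception('Writing to bucket failed for %s', vuln_id)` keeps the traceback and still satisfies the unused-variable lint the commit is chasing. The same change appears in the `_do_update` hunk at `@@ -710,11 +722,12` later in this file. Both enclosing methods continue outside their hunks.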
@@ -497,7 +501,10 @@ def _push_new_ranges_and_versions(self, source_repo, repo, vulnerability, output_path: original_sha256, }) - def _analyze_vulnerability(self, source_repo: osv.SourceRepository, repo: pygit2.Repository | None, vulnerability: vulnerability_pb2.Vulnerability, path: str, + def _analyze_vulnerability(self, source_repo: osv.SourceRepository, + repo: pygit2.Repository | None, + vulnerability: vulnerability_pb2.Vulnerability, + path: str, original_sha256: str) -> osv.AnalyzeResult: """Analyze vulnerability and push new changes.""" result = osv.analyze( @@ -526,7 +533,9 @@ def _analyze_vulnerability(self, source_repo: osv.SourceRepository, repo: pygit2 vulnerability.id) raise UpdateConflictError - def _generate_vanir_signatures(self, vulnerability: vulnerability_pb2.Vulnerability) -> vulnerability_pb2.Vulnerability: + def _generate_vanir_signatures( + self, vulnerability: vulnerability_pb2.Vulnerability + ) -> vulnerability_pb2.Vulnerability: """Generates Vanir signatures for a vulnerability.""" if not any(r.type == vulnerability_pb2.Range.GIT for affected in vulnerability.affected @@ -563,12 +572,10 @@ def _generate_vanir_signatures(self, vulnerability: vulnerability_pb2.Vulnerabil vulnerability.id) return vulnerability - def _do_update(self, - source_repo: osv.SourceRepository, + def _do_update(self, source_repo: osv.SourceRepository, repo: pygit2.Repository | None, vulnerability: vulnerability_pb2.Vulnerability, - relative_path: str, - original_sha256: str): + relative_path: str, original_sha256: str): """Process updates on a vulnerability.""" _state.bug_id = vulnerability.id logging.info('Processing update for vulnerability %s', vulnerability.id) @@ -593,6 +600,7 @@ def _do_update(self, vuln_and_gen = osv.gcs.get_by_id_with_generation(vulnerability.id) gcs_gen = None + def xact(): # Fetch the current state from Datastore. nonlocal gcs_gen 
@@ -602,14 +610,16 @@ def xact(): # Compute the related fields here first. # TODO(michaelkedar): Make a related computation in relations cron related_raw = vulnerability.related - q = osv.Vulnerability.query(osv.Vulnerability.related_raw == vulnerability.id) + q = osv.Vulnerability.query( + osv.Vulnerability.related_raw == vulnerability.id) related = set(vulnerability.related).union(set(r.id for r in q)) vulnerability.related[:] = sorted(related) old_published = None # Update the schema version - # TODO(michaelkedar): osv.SCHEMA_VERSION is not kept up to date with the submodule + # TODO(michaelkedar): osv.SCHEMA_VERSION is not kept up to date with + # the osv-schema submodule vulnerability.schema_version = osv.SCHEMA_VERSION # Add PURLs and source if they are missing. source_link = None @@ -636,7 +646,8 @@ def xact(): # Create a 'pure' vulnerability object from the existing vuln for # comparison, excluding external data that would cause false positives. if vuln_and_gen is None: - logging.warning('Vulnerability %s found in Datastore but not in GCS.', vulnerability.id) + logging.warning('Vulnerability %s found in Datastore but not in GCS.', + vulnerability.id) # We need to write the vuln in this case has_changed = True else: 
@@ -669,26 +680,27 @@ def xact(): if has_changed: ds_vuln.modified = osv.utcnow() else: - # If no meaningful change, ensure last_modified reflects the source file's - # modified date, as only metadata might have changed. + # If no meaningful change, ensure last_modified reflects the source + # file's modified date, as only metadata might have changed. ds_vuln.modified = orig_modified_date # Overwrite aliases / upstream from computation - alias_group = osv.AliasGroup.query(osv.AliasGroup.bug_ids == vulnerability.id).get() + alias_group = osv.AliasGroup.query( + osv.AliasGroup.bug_ids == vulnerability.id).get() if alias_group: aliases = sorted(set(alias_group.bug_ids) - {vulnerability.id}) vulnerability.aliases[:] = aliases - if alias_group.last_modified > ds_vuln.modified: - ds_vuln.modified = alias_group.last_modified - upstream_group = osv.UpstreamGroup.query(osv.UpstreamGroup.db_id == vulnerability.id).get() + ds_vuln.modified = max(alias_group.last_modified, ds_vuln.modified) + upstream_group = osv.UpstreamGroup.query( + osv.UpstreamGroup.db_id == vulnerability.id).get() if upstream_group: vulnerability.upstream[:] = sorted(upstream_group.upstream_ids) - if upstream_group.last_modified > ds_vuln.modified: - ds_vuln.modified = upstream_group.last_modified + ds_vuln.modified = max(upstream_group.last_modified, ds_vuln.modified) # Make sure modified date is >= withdrawn date - if ds_vuln.is_withdrawn and vulnerability.withdrawn.ToDatetime(datetime.UTC) > ds_vuln.modified: + if ds_vuln.is_withdrawn and vulnerability.withdrawn.ToDatetime( + datetime.UTC) > ds_vuln.modified: ds_vuln.modified = vulnerability.withdrawn.ToDatetime(datetime.UTC) - + vulnerability.modified.FromDatetime(ds_vuln.modified) # Make sure vuln has a published date 
@@ -710,11 +722,12 @@ def xact(): raise try: osv.gcs.upload_vulnerability(vulnerability, gcs_gen) - except Exception as e: - # Writing to bucket failed for some reason. Send a pub/sub message to retry. + except Exception: + # Writing to bucket failed for some reason. + # Send a pub/sub message to retry. logging.error('Writing to bucket failed for %s', vulnerability.id) data = vulnerability.SerializeToString(deterministic=True) - pubsub.publish_failure(data, type='gcs_retry') + osv.pubsub.publish_failure(data, type='gcs_retry') self._notify_ecosystem_bridge(vulnerability) self._maybe_remove_import_findings(vulnerability.id) diff --git a/gcp/workers/worker/worker_test.py b/gcp/workers/worker/worker_test.py index 5298f3df2d1..aca44b6791a 100644 --- a/gcp/workers/worker/worker_test.py +++ b/gcp/workers/worker/worker_test.py @@ -20,7 +20,6 @@ import http.server import logging import os -import shutil import tempfile import threading import warnings @@ -34,7 +33,6 @@ import osv from osv import tests from osv import vulnerability_pb2 -import oss_fuzz import worker TEST_BUCKET = 'test-osv-source-bucket' @@ -98,7 +96,6 @@ def setUp(self): def tearDown(self): self.httpd.shutdown() - # self.tmp_dir.cleanup() def test_update(self): """Test updating rest.""" @@ -123,7 +120,8 @@ def test_git_ranges(self): task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, None) vuln_pb = vulnerability_pb2.Vulnerability(id='CURL-CVE-2022-32221') - vuln_pb.modified.FromDatetime(datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln_pb.modified.FromDatetime( + datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC)) vuln_ds = osv.Vulnerability( id='CURL-CVE-2022-32221', modified=datetime.datetime(2020, 1, 1, 0, 0, tzinfo=datetime.UTC), 
@@ -141,7 +139,9 @@ def test_git_ranges(self): } task_runner._source_update(message) - self.expect_dict_equal('update_no_introduced', MessageToDict(osv.gcs.get_by_id('CURL-CVE-2022-32221'))) + self.expect_dict_equal( + 'update_no_introduced', + MessageToDict(osv.gcs.get_by_id('CURL-CVE-2022-32221'))) class UpdateTest(unittest.TestCase, tests.ExpectationTest(TEST_DATA_DIR)): @@ -159,6 +159,7 @@ def _load_test_data(self, name): return f.read() def _put_vuln(self, vuln: vulnerability_pb2.Vulnerability, source_id: str): + """Put vulnerability into Datastore and GCS (emulators).""" ds_vuln = osv.Vulnerability( id=vuln.id, source_id=source_id, 
@@ -225,23 +226,28 @@ def setUp(self): self.source_repo.put() vuln = vulnerability_pb2.Vulnerability(id='OSV-123') - vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) vuln.published.CopyFrom(vuln.modified) self._put_vuln(vuln, 'source:OSV-123.yaml') vuln = vulnerability_pb2.Vulnerability(id='OSV-124') - vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) vuln.published.CopyFrom(vuln.modified) self._put_vuln(vuln, 'source:OSV-124.yaml') vuln = vulnerability_pb2.Vulnerability(id='OSV-125') - vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) vuln.published.CopyFrom(vuln.modified) self._put_vuln(vuln, 'source:OSV-125.yaml') vuln = vulnerability_pb2.Vulnerability(id='OSV-127') - vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) vuln.published.CopyFrom(vuln.modified) self._put_vuln(vuln, 'source:OSV-127.yaml') vuln = vulnerability_pb2.Vulnerability(id='OSV-131') - vuln.modified.FromDatetime(datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) + vuln.modified.FromDatetime( + datetime.datetime(2021, 1, 1, 0, 0, tzinfo=datetime.UTC)) vuln.published.CopyFrom(vuln.modified) self._put_vuln(vuln, 'source:OSV-131.yaml') @@ -257,10 +263,6 @@ def setUp(self): 'ecosystem': None, }) - def tearDown(self): - # self.tmp_dir.cleanup() - pass - def test_update(self): """Test basic update.""" task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, 
@@ -274,7 +276,8 @@ def test_update(self): } task_runner._source_update(message) - self.expect_dict_equal('update', MessageToDict(osv.gcs.get_by_id('OSV-123'))) + self.expect_dict_equal('update', + MessageToDict(osv.gcs.get_by_id('OSV-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -306,7 +309,8 @@ def test_update_limit(self): } task_runner._source_update(message) - self.expect_dict_equal('update_limit', MessageToDict(osv.gcs.get_by_id('OSV-128'))) + self.expect_dict_equal('update_limit', + MessageToDict(osv.gcs.get_by_id('OSV-128'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -322,7 +326,6 @@ def test_update_limit(self): [codecs.encode(commit, 'hex') for commit in affected_commits.commits], ) - def test_update_no_introduced(self): """Test update vulnerability with no introduced commit.""" task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None, @@ -337,7 +340,8 @@ def test_update_no_introduced(self): } task_runner._source_update(message) - self.expect_dict_equal('update_no_introduced', MessageToDict(osv.gcs.get_by_id('OSV-127'))) + self.expect_dict_equal('update_no_introduced', + MessageToDict(osv.gcs.get_by_id('OSV-127'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -383,7 +387,8 @@ def test_update_new(self): } task_runner._source_update(message) - self.expect_dict_equal('update_new', MessageToDict(osv.gcs.get_by_id('OSV-126'))) + self.expect_dict_equal('update_new', + MessageToDict(osv.gcs.get_by_id('OSV-126'))) def test_update_delete(self): """Test deletion.""" 
@@ -458,7 +463,8 @@ def test_update_pypi(self): } task_runner._source_update(message) - self.expect_dict_equal('update_pypi', MessageToDict(osv.gcs.get_by_id('PYSEC-123'))) + self.expect_dict_equal('update_pypi', + MessageToDict(osv.gcs.get_by_id('PYSEC-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -498,7 +504,8 @@ def test_normalize_pypi(self): } task_runner._source_update(message) - self.expect_dict_equal('normalized_pypi', MessageToDict(osv.gcs.get_by_id('PYSEC-456'))) + self.expect_dict_equal('normalized_pypi', + MessageToDict(osv.gcs.get_by_id('PYSEC-456'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -539,7 +546,8 @@ def test_update_last_affected(self): } task_runner._source_update(message) - self.expect_dict_equal('update_last_affected', MessageToDict(osv.gcs.get_by_id('PYSEC-124'))) + self.expect_dict_equal('update_last_affected', + MessageToDict(osv.gcs.get_by_id('PYSEC-124'))) def test_update_maven(self): """Test updating maven.""" @@ -566,8 +574,8 @@ def test_update_maven(self): } task_runner._source_update(message) - self.expect_dict_equal('update_maven', - MessageToDict(osv.gcs.get_by_id('GHSA-838r-hvwh-24h8'))) + self.expect_dict_equal( + 'update_maven', MessageToDict(osv.gcs.get_by_id('GHSA-838r-hvwh-24h8'))) self.mock_publish.assert_not_called() @@ -595,7 +603,8 @@ def test_update_linux(self): } task_runner._source_update(message) - self.expect_dict_equal('update_linux', MessageToDict(osv.gcs.get_by_id('GSD-123'))) + self.expect_dict_equal('update_linux', + MessageToDict(osv.gcs.get_by_id('GSD-123'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) 
@@ -630,7 +639,8 @@ def test_update_bucket(self): } task_runner._source_update(message) - self.expect_dict_equal('update_bucket_0', MessageToDict(osv.gcs.get_by_id('GO-2021-0085'))) + self.expect_dict_equal('update_bucket_0', + MessageToDict(osv.gcs.get_by_id('GO-2021-0085'))) def test_update_debian(self): """Test updating debian.""" @@ -656,7 +666,8 @@ def test_update_debian(self): } task_runner._source_update(message) - self.expect_dict_equal('update_debian', MessageToDict(osv.gcs.get_by_id('DSA-3029-1'))) + self.expect_dict_equal('update_debian', + MessageToDict(osv.gcs.get_by_id('DSA-3029-1'))) self.mock_publish.assert_not_called() @@ -685,7 +696,8 @@ def test_update_alpine(self): } task_runner._source_update(message) - self.expect_dict_equal('update_alpine', MessageToDict(osv.gcs.get_by_id('CVE-2022-27449'))) + self.expect_dict_equal('update_alpine', + MessageToDict(osv.gcs.get_by_id('CVE-2022-27449'))) def test_update_android(self): """Test updating Android through bucket entries.""" @@ -708,7 +720,8 @@ def test_update_android(self): } task_runner._source_update(message) - self.expect_dict_equal('update_bucket_2', MessageToDict(osv.gcs.get_by_id('ASB-A-153358911'))) + self.expect_dict_equal('update_bucket_2', + MessageToDict(osv.gcs.get_by_id('ASB-A-153358911'))) def test_update_bad_ecosystem_new(self): """Test adding from an unsupported ecosystem.""" @@ -731,7 +744,8 @@ def test_update_bad_ecosystem_new(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - self.expect_dict_equal('update_bad_ecosystem_new', MessageToDict(osv.gcs.get_by_id('OSV-129'))) + self.expect_dict_equal('update_bad_ecosystem_new', + MessageToDict(osv.gcs.get_by_id('OSV-129'))) def test_update_partly_bad_ecosystem_new(self): """Test adding vuln with both supported and unsupported ecosystem.""" 
@@ -754,7 +768,8 @@ def test_update_partly_bad_ecosystem_new(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - self.expect_dict_equal('update_partly_bad_ecosystem_new', MessageToDict(osv.gcs.get_by_id('OSV-130'))) + self.expect_dict_equal('update_partly_bad_ecosystem_new', + MessageToDict(osv.gcs.get_by_id('OSV-130'))) def test_update_partly_bad_ecosystem_delete(self): """Test removal of only supported ecosystem in vulnerability with @@ -772,8 +787,9 @@ def test_update_partly_bad_ecosystem_delete(self): with self.assertLogs(level='WARNING'): task_runner._source_update(message) - - self.expect_dict_equal('update_partly_bad_ecosystem_delete', MessageToDict(osv.gcs.get_by_id('OSV-131'))) + + self.expect_dict_equal('update_partly_bad_ecosystem_delete', + MessageToDict(osv.gcs.get_by_id('OSV-131'))) def test_update_bucket_cve(self): """Test a bucket entry that is a converted CVE and doesn't have an ecosystem.""" @@ -797,7 +813,8 @@ def test_update_bucket_cve(self): } task_runner._source_update(message) - self.expect_dict_equal('update_bucket_cve', MessageToDict(osv.gcs.get_by_id('CVE-2016-15011'))) + self.expect_dict_equal('update_bucket_cve', + MessageToDict(osv.gcs.get_by_id('CVE-2016-15011'))) def test_last_affected_git(self): """Basic last_affected GIT enumeration.""" @@ -826,7 +843,9 @@ def test_last_affected_git(self): } task_runner._source_update(message) - self.expect_dict_equal('last_affected_git', MessageToDict(osv.gcs.get_by_id('OSV-TEST-last-affected-01'))) + self.expect_dict_equal( + 'last_affected_git', + MessageToDict(osv.gcs.get_by_id('OSV-TEST-last-affected-01'))) affected_commits = list(osv.AffectedCommits.query()) self.assertEqual(1, len(affected_commits)) @@ -841,7 +860,6 @@ def test_last_affected_git(self): [codecs.encode(commit, 'hex') for commit in affected_commits.commits], ) - def test_update_clears_stale_import_finding(self): """A subsequent successful update removes the now stale import finding.""" 
@@ -890,7 +908,9 @@ def test_ubuntu_severity(self): } task_runner._source_update(message) - self.expect_dict_equal('ubuntu_severity_type', MessageToDict(osv.gcs.get_by_id('UBUNTU-CVE-2025-38094'))) + self.expect_dict_equal( + 'ubuntu_severity_type', + MessageToDict(osv.gcs.get_by_id('UBUNTU-CVE-2025-38094'))) def setUpModule(): diff --git a/osv/models.py b/osv/models.py index cb829eee9ff..0473bc13fa3 100644 --- a/osv/models.py +++ b/osv/models.py @@ -1161,7 +1161,13 @@ def transaction(): data = vuln_pb.SerializeToString(deterministic=True) pubsub.publish_failure(data, type='gcs_retry') -def put_entities(ds_vuln: Vulnerability, vuln_pb: vulnerability_pb2.Vulnerability): + +def put_entities(ds_vuln: Vulnerability, + vuln_pb: vulnerability_pb2.Vulnerability): + """Puts entities (Vulnerability, ListedVulnerability, AffectedVersions) from + a given Vulnerability entity and proto into Datastore. + + Does not write to GCS.""" to_put = [ds_vuln] to_delete = [] old_affected = AffectedVersions.query( @@ -1179,6 +1185,7 @@ def put_entities(ds_vuln: Vulnerability, vuln_pb: vulnerability_pb2.Vulnerabilit ndb.put_multi(to_put) ndb.delete_multi(to_delete) + def _get_coarse_min_max(events: list[AffectedEvent], e_helper: ecosystems.OrderedEcosystem, db_id: str) -> tuple[str, str]: @@ -1208,8 +1215,8 @@ def _get_coarse_min_max(events: list[AffectedEvent], return coarse_min, coarse_max -def _affected_versions_from_affected_proto(affected: vulnerability_pb2.Affected, - db_id: str) -> list[AffectedVersions]: +def _affected_versions_from_affected_proto( + affected: vulnerability_pb2.Affected, db_id: str) -> list[AffectedVersions]: """Compute AffectedVersions for a single affected package.""" affected_versions = [] pkg_ecosystem = affected.package.ecosystem 
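Review bot: The new `put_entities` docstring runs its summary over two lines and puts the closing quotes on the last text line (`Does not write to GCS."""`), unlike the other docstrings in these hunks (`"""Compute AffectedVersions for a single affected package."""`), which keep a one-line summary; PEP 257 style would be a one-line summary, a blank line, the detail, and `"""` on its own line. It also states that `ListedVulnerability` entities are written, which the visible body (`to_put = [ds_vuln]`, the `AffectedVersions` query) does not show; confirm against the rest of the function, which continues past this hunk.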
@@ -1234,7 +1241,8 @@ def _affected_versions_from_affected_proto(affected: vulnerability_pb2.Affected, if not repo_url: repo_url = r.repo continue - if r.type not in (vulnerability_pb2.Range.Type.SEMVER, vulnerability_pb2.Range.Type.ECOSYSTEM): + if r.type not in (vulnerability_pb2.Range.Type.SEMVER, + vulnerability_pb2.Range.Type.ECOSYSTEM): logging.warning('Unknown range type "%d" in %s', r.type, db_id) continue if not r.events: @@ -1248,7 +1256,8 @@ def _affected_versions_from_affected_proto(affected: vulnerability_pb2.Affected, elif e.limit: events.append(AffectedEvent(type='limit', value=e.limit)) elif e.last_affected: - events.append(AffectedEvent(type='last_affected', value=e.last_affected)) + events.append( + AffectedEvent(type='last_affected', value=e.last_affected)) pkg_has_affected = True coarse_min = MIN_COARSE_VERSION coarse_max = MAX_COARSE_VERSION @@ -1326,7 +1335,8 @@ def _affected_versions_from_affected_proto(affected: vulnerability_pb2.Affected, return affected_versions -def affected_from_proto(vuln_pb: vulnerability_pb2.Vulnerability) -> list[AffectedVersions]: +def affected_from_proto( + vuln_pb: vulnerability_pb2.Vulnerability) -> list[AffectedVersions]: """Compute the AffectedVersions from a Vulnerability proto.""" affected_versions = [] for affected in vuln_pb.affected: @@ -1340,6 +1350,7 @@ def affected_from_proto(vuln_pb: vulnerability_pb2.Vulnerability) -> list[Affect return affected_versions + def diff_affected_versions( old: list[AffectedVersions], new: list[AffectedVersions] ) -> tuple[list[AffectedVersions], list[AffectedVersions]]: diff --git a/osv/sources.py b/osv/sources.py index 91d63e2d0a5..8dde830fac1 100644 --- a/osv/sources.py +++ b/osv/sources.py 
@@ -115,13 +115,18 @@ def load_schema() -> dict: return json.loads(text) -def parse_vulnerability(path: str, key_path=None, strict=False) -> vulnerability_pb2.Vulnerability: +def parse_vulnerability(path: str, + key_path=None, + strict=False) -> vulnerability_pb2.Vulnerability: """Parse vulnerability YAML/JSON.""" data = _parse_vulnerability_dict(path) return parse_vulnerability_from_dict(data, key_path, strict) -def _parse_vulnerabilities(data: dict | list[dict], key_path, strict=False) -> list[vulnerability_pb2.Vulnerability]: +def _parse_vulnerabilities( + data: dict | list[dict], + key_path, + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse multiple vulnerabilities.""" if isinstance(data, list): return [parse_vulnerability_from_dict(v, key_path, strict) for v in data] @@ -129,16 +134,20 @@ def _parse_vulnerabilities(data: dict | list[dict], key_path, strict=False) -> l return [parse_vulnerability_from_dict(data, key_path, strict)] -def parse_vulnerabilities(path: str, key_path=None, strict=False) -> list[vulnerability_pb2.Vulnerability]: +def parse_vulnerabilities( + path: str, + key_path=None, + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse vulnerabilities (potentially multiple in a list).""" return _parse_vulnerabilities( _parse_vulnerability_dict(path), key_path, strict) -def parse_vulnerabilities_from_data(data_text: str | bytes, - extension: str, - key_path=None, - strict=False) -> list[vulnerability_pb2.Vulnerability]: +def parse_vulnerabilities_from_data( + data_text: str | bytes, + extension: str, + key_path=None, + strict=False) -> list[vulnerability_pb2.Vulnerability]: """Parse vulnerabilities from data.""" if extension in YAML_EXTENSIONS: data = yaml.load(data_text, Loader=NoDatesSafeLoader) 
@@ -162,7 +171,10 @@ def _get_nested_vulnerability(data: dict, key_path=None) -> dict: return data -def parse_vulnerability_from_dict(data: dict, key_path=None, strict=False) -> vulnerability_pb2.Vulnerability: +def parse_vulnerability_from_dict(data: dict, + key_path=None, + strict=False + ) -> vulnerability_pb2.Vulnerability: """Parse vulnerability from dict.""" data = _get_nested_vulnerability(data, key_path) try: @@ -195,7 +207,8 @@ class YamlDumper(yaml.SafeDumper): YamlDumper.add_representer(str, _yaml_str_representer) -def vulnerability_to_dict(vulnerability: vulnerability_pb2.Vulnerability) -> dict: +def vulnerability_to_dict( + vulnerability: vulnerability_pb2.Vulnerability) -> dict: """Convert Vulnerability to a dict.""" result = json_format.MessageToDict( vulnerability, preserving_proto_field_name=True) From 472f2422c76b56cb158d8b611bc4004eea3e0320 Mon Sep 17 00:00:00 2001 From: Michael Kedar Date: Fri, 23 Jan 2026 11:34:18 +1100 Subject: [PATCH 3/6] more bug removal --- gcp/workers/importer/importer.py | 228 ++++-------------- gcp/workers/importer/importer_test.py | 39 --- tools/datafix/list_ids_for_source.py | 24 +- tools/datafix/old/README.md | 5 + tools/datafix/{ => old}/delete_bugs.py | 0 tools/datafix/{ => old}/delete_invalid.py | 0 tools/datafix/{ => old}/reput_all.py | 0 tools/datafix/{ => old}/reput_bugs.py | 0 tools/datafix/{ => old}/reput_helper.py | 0 tools/datafix/{ => old}/withdraw_invalid.py | 0 tools/datafix/reimport_gcs_record.py | 60 +++-- tools/datafix/request_worker_update_record.py | 38 +-- 12 files changed, 117 insertions(+), 277 deletions(-) create mode 100644 tools/datafix/old/README.md rename tools/datafix/{ => old}/delete_bugs.py (100%) rename tools/datafix/{ => old}/delete_invalid.py (100%) rename tools/datafix/{ => old}/reput_all.py (100%) rename tools/datafix/{ => old}/reput_bugs.py (100%) rename tools/datafix/{ => old}/reput_helper.py (100%) rename tools/datafix/{ => old}/withdraw_invalid.py (100%) 
diff --git a/gcp/workers/importer/importer.py b/gcp/workers/importer/importer.py index d7a57d1a1d8..afaf6e927b8 100755 --- a/gcp/workers/importer/importer.py +++ b/gcp/workers/importer/importer.py @@ -176,22 +176,6 @@ def _git_callbacks(self, source_repo): self._ssh_key_public_path, self._ssh_key_private_path) - def _request_analysis(self, bug, source_repo, repo): - """Request analysis.""" - if bug.source_of_truth == osv.SourceOfTruth.SOURCE_REPO: - path = osv.source_path(source_repo, bug) - file_path = os.path.join(osv.repo_path(repo), path) - if not os.path.exists(file_path): - logging.info( - 'Skipping analysis for %s as the source file no longer exists.', - path) - return - - original_sha256 = osv.sha256(file_path) - self._request_analysis_external(source_repo, original_sha256, path) - else: - self._request_internal_analysis(bug) - def _request_analysis_external(self, source_repo, original_sha256, @@ -229,7 +213,7 @@ def _request_internal_analysis(self, bug): req_timestamp=str(int(time.time()))) def _infer_id_from_invalid_data(self, name: str, content: bytes) -> str: - """Best effort infer the bug ID for data that failed to parse. + """Best effort infer the vulnerability ID for data that failed to parse. First try and extract something that looks like an "id" field, and failing that, try to infer from the filename. 
@@ -315,84 +299,6 @@ def checkout(self, source_repo): git_callbacks=self._git_callbacks(source_repo), branch=source_repo.repo_branch) - def import_new_oss_fuzz_entries(self, repo, oss_fuzz_source): - """Import new entries.""" - exported = [] - for bug in osv.Bug.query( - osv.Bug.source_of_truth == osv.SourceOfTruth.INTERNAL): - if bug.status != osv.BugStatus.PROCESSED: - continue - - if not bug.public: - continue - - # We don't index this as INTERNAL generally implies OSS-Fuzz anyway (at - # time of writing). - source_name, _ = osv.parse_source_id(bug.source_id) - if source_name != oss_fuzz_source.name: - continue - - vulnerability_path = os.path.join( - osv.repo_path(repo), osv.source_path(oss_fuzz_source, bug)) - os.makedirs(os.path.dirname(vulnerability_path), exist_ok=True) - if os.path.exists(vulnerability_path): - continue - - logging.info('Writing %s', bug.key.id()) - osv.write_vulnerability(bug.to_vulnerability(), vulnerability_path) - # The source of truth is now this yaml file. - bug.source_of_truth = osv.SourceOfTruth.SOURCE_REPO - exported.append(bug) - - # Commit Vulnerability changes back to the oss-fuzz source repository. 
- repo.index.add_all() - diff = repo.index.diff_to_tree(repo.head.peel().tree) - if not diff: - logging.info('No new entries, skipping committing.') - return - - logging.info('Committing and pushing new entries') - if osv.push_source_changes(repo, 'Import from OSS-Fuzz', - self._git_callbacks(oss_fuzz_source)): - ndb.put_multi(exported) - - def schedule_regular_updates(self, repo, source_repo: osv.SourceRepository): - """Schedule regular updates.""" - aest_time_now = aestnow() - - if (source_repo.last_update_date and - # OSV devs are mostly located in australia, - # so only schedule update near midnight sydney time - source_repo.last_update_date.date() >= aest_time_now.date()): - return - - for bug in osv.Bug.query( - osv.Bug.status == osv.BugStatus.PROCESSED, - osv.Bug.is_fixed == False, # pylint: disable=singleton-comparison - osv.Bug.source == source_repo.name): - self._request_analysis(bug, source_repo, repo) - - # yapf: disable - # Perform a re-analysis on existing oss-fuzz bugs for a period of time, - # more vulnerable releases might be made even though fixes have - # already been merged into master/main - cutoff_time = aest_time_now - datetime.timedelta(days=_BUG_REDO_DAYS) - query = osv.Bug.query(osv.Bug.status == osv.BugStatus.PROCESSED, - osv.Bug.source == source_repo.name, - osv.Bug.timestamp >= cutoff_time) - # yapf: enable - - for bug in query: - logging.info('Re-requesting impact for %s.', bug.key.id()) - if not bug.is_fixed: - # Previous query already requested impact tasks for unfixed bugs. - continue - - self._request_analysis(bug, source_repo, repo) - - source_repo.last_update_date = aest_time_now - source_repo.put() - def _vuln_ids_from_gcs_blob(self, client: storage.Client, source_repo: osv.SourceRepository, blob: storage.Blob) -> Optional[Tuple[str]]: 
@@ -524,10 +430,10 @@ def _convert_blob_to_vuln( # This is the typical execution path (when reimporting not triggered) with ndb_ctx: for vuln in vulns: - bug = osv.Bug.get_by_id(vuln.id) - # The bug already exists and has been modified since last import - if (bug is None or - bug.import_last_modified != vuln.modified.ToDatetime(datetime.UTC)): + v = osv.Vulnerability.get_by_id(vuln.id) + # The vuln already exists and has been modified since last import + if (v is None or + v.modified_raw != vuln.modified.ToDatetime(datetime.UTC)): return blob_hash, blob.name, blob.updated, vulns return None @@ -633,9 +539,9 @@ def _process_updates_git(self, source_repo: osv.SourceRepository): logging.error('Failed to parse %s: %s', changed_entry, str(e)) with open(path, "rb") as f: content = f.read() - bug_id = self._infer_id_from_invalid_data( + vuln_id = self._infer_id_from_invalid_data( os.path.basename(path), content) - self._record_quality_finding(source_repo.name, bug_id) + self._record_quality_finding(source_repo.name, vuln_id) # Don't include error stack trace as that might leak sensitive info import_failure_logs.append('Failed to parse vulnerability "' + path + '"') @@ -728,9 +634,9 @@ def _process_updates_bucket(self, source_repo: osv.SourceRepository): logging.error('Failed to parse vulnerability %s: %s', blob.name, e) # TODO(apollock): log finding here # This feels gross to redownload it again. - bug_id = self._infer_id_from_invalid_data(blob.name, - blob.download_as_bytes()) - self._record_quality_finding(source_repo.name, bug_id) + vuln_id = self._infer_id_from_invalid_data(blob.name, + blob.download_as_bytes()) + self._record_quality_finding(source_repo.name, vuln_id) import_failure_logs.append( 'Failed to parse vulnerability (when considering for import) "' + blob.name + '"') 
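Review bot: The new change check compares `v.modified_raw` with an aware datetime (`vuln.modified.ToDatetime(datetime.UTC)`); if `Vulnerability.modified_raw` is an ndb DateTimeProperty declared without `tzinfo`, it yields naive values, and naive `!=` aware is always True, so every blob would look modified and the skip would never trigger. The replaced code made the same comparison against `import_last_modified`, so presumably the property is aware, but the field changed in this commit and `modified_raw`'s declaration is not visible here. The comment still reads as "already exists and has been modified" while the condition also fires when `v is None`; `# New vuln, or modified since the last import` would match the code. The enclosing function starts outside this hunk.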
@@ -763,10 +669,10 @@ def _process_deletions_bucket(self, threshold: float = 10.0): """Process deletions from a GCS bucket source. - This validates the continued existence of every Bug in Datastore (for the - given source) against every bug currently in that source's GCS bucket, - calculating the delta. The bugs determined to have been - deleted from GCS are then flagged for treatment by the worker. + This validates the continued existence of every Vulnerability in Datastore + (for the given source) against every vulnerability currently in that + source's GCS bucket, calculating the delta. The vulnerabilities determined + to have been deleted from GCS are then flagged for treatment by the worker. If the delta is too large, something undesirable has been assumed to have happened and further processing is aborted. 
@@ -778,22 +684,24 @@ def _process_deletions_bucket(self, logging.info('Begin processing bucket for deletions: %s', source_repo.name) - # Get all the existing non-withdrawn Bug IDs for + # Get all the existing non-withdrawn Vulnerability IDs for # source_repo.name in Datastore - query = osv.Bug.query() - query = query.filter(osv.Bug.source == source_repo.name) + query = osv.Vulnerability.query() + # everything with source_id starting with 'name:' + query = query.filter(osv.Vulnerability.source_id > source_repo.name + ':', + osv.Vulnerability.source_id < source_repo.name + ';') result = list(query.fetch(keys_only=False)) - result.sort(key=lambda r: r.id()) + result.sort(key=lambda r: r.key.id()) VulnAndSource = namedtuple('VulnAndSource', ['id', 'path']) logging.info('Retrieved %s results from query', len(result)) vuln_ids_for_source = [ - VulnAndSource(id=r.id(), path=r.source_id.partition(':')[2]) + VulnAndSource(id=r.key.id(), path=r.source_id.partition(':')[2]) for r in result - if not r.withdrawn + if not r.is_withdrawn ] logging.info( - 'Counted %d Bugs for %s in Datastore', + 'Counted %d Vulnerabilities for %s in Datastore', len(vuln_ids_for_source), source_repo.name, extra={ @@ -854,11 +762,13 @@ def _process_deletions_bucket(self, v for v in vuln_ids_for_source if v.id not in vuln_ids_in_gcs ] - logging.info('%d Bugs in Datastore considered deleted from GCS for %s', - len(vulns_to_delete), source_repo.name) + logging.info( + '%d Vulnerabilities in Datastore considered deleted from GCS for %s', + len(vulns_to_delete), source_repo.name) if len(vulns_to_delete) == 0: - logging.info('No bugs to delete from GCS for %s', source_repo.name) + logging.info('No vulnerabilities to delete from GCS for %s', + source_repo.name) replace_importer_log(storage_client, source_repo.name, self._public_log_bucket, import_failure_logs) return 
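Review bot: The prefix range `source_id > source_repo.name + ':'` / `source_id < source_repo.name + ';'` in the `@@ -778` hunk is hand-rolled here and repeated verbatim in `_process_deletions_rest` (the `@@ -1036` hunk) and again in `tools/datafix/list_ids_for_source.py` and `tools/datafix/request_worker_update_record.py`; the `;` bound only works because it is the code point after `:`, and that reasoning is written down in none of the four copies. A single helper on the model side, for example `osv.Vulnerability.query(*source_id_prefix_filters(source_repo.name))` (constructed name), would keep the trick in one place and let all callers share it. Short of that, the comment `# everything with source_id starting with 'name:'` could say why the upper bound is what it is: `# ';' is the code point after ':', so this bounds the 'name:' prefix`. `_process_deletions_bucket` starts and ends outside these hunks.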
@@ -985,10 +895,10 @@ def _process_updates_rest(self, source_repo: osv.SourceRepository): except Exception as e: logging.error('Failed to parse %s: %s', str(single_vuln.content), str(e)) - bug_id = self._infer_id_from_invalid_data( + vuln_id = self._infer_id_from_invalid_data( source_repo.link + vuln.id + source_repo.extension, single_vuln.content) - self._record_quality_finding(source_repo.name, bug_id) + self._record_quality_finding(source_repo.name, vuln_id) continue ts = None if ignore_last_import else vuln_modified @@ -1025,10 +935,11 @@ def _process_deletions_rest(self, threshold: float = 10.0): """Process deletions from a REST bucket source. - This validates the continued existence of every Bug in Datastore (for the - given source) against every bug currently in that source's REST API, - calculating the delta. The bugs determined to have been - deleted from the REST API are then flagged for treatment by the worker. + This validates the continued existence of every Vulnerability in Datastore + (for the given source) against every vulnerability currently in that + source's REST API, calculating the delta. The vulnerabilities determined + to have been deleted from the REST API are then flagged for treatment by + the worker. If the number of deletions exceeds the safety threshold (default 10%), the operation is aborted unless ignore_deletion_threshold is set on the 
@@ -1036,22 +947,24 @@ def _process_deletions_rest(self, """ logging.info('Begin processing REST for deletions: %s', source_repo.name) - # Get all the existing non-withdrawn Bug IDs for + # Get all the existing non-withdrawn Vulnerability IDs for # source_repo.name in Datastore - query = osv.Bug.query() - query = query.filter(osv.Bug.source == source_repo.name) + query = osv.Vulnerability.query() + # everything with source_id starting with 'name:' + query = query.filter(osv.Vulnerability.source_id > source_repo.name + ':', + osv.Vulnerability.source_id < source_repo.name + ';') result = list(query.fetch(keys_only=False)) - result.sort(key=lambda r: r.id()) + result.sort(key=lambda r: r.key.id()) VulnAndSource = namedtuple('VulnAndSource', ['id', 'path']) logging.info('Retrieved %s results from query', len(result)) vuln_ids_for_source = [ - VulnAndSource(id=r.id(), path=r.source_id.partition(':')[2]) + VulnAndSource(id=r.key.id(), path=r.source_id.partition(':')[2]) for r in result - if not r.withdrawn + if not r.is_withdrawn ] logging.info( - 'Counted %d Bugs for %s in Datastore', + 'Counted %d Vulnerabilities for %s in Datastore', len(vuln_ids_for_source), source_repo.name, extra={ @@ -1097,11 +1010,13 @@ def _process_deletions_rest(self, v for v in vuln_ids_for_source if v.id not in vuln_ids_in_rest ] - logging.info('%d Bugs in Datastore considered deleted from REST for %s', - len(vulns_to_delete), source_repo.name) + logging.info( + '%d Vulnerabilities in Datastore considered deleted from REST for %s', + len(vulns_to_delete), source_repo.name) if len(vulns_to_delete) == 0: - logging.info('No bugs to delete from REST for %s', source_repo.name) + logging.info('No vulnerabilities to delete from REST for %s', + source_repo.name) return # sanity check: deleting a lot/all of the records for source in Datastore is 
@@ -1168,50 +1083,6 @@ def process_deletions(self, source_repo: osv.SourceRepository): logging.error('Invalid repo type: %s - %d', source_repo.name, source_repo.type) - def process_oss_fuzz(self, oss_fuzz_source): - """Process OSS-Fuzz source data.""" - # Export OSS-Fuzz Vulnerability data into source repository. - # OSS-Fuzz data is first imported via a special Pub/Sub pipeline into OSV. - # This data needs to be dumped into a publicly accessible/editable place for - # manual/human editing if required. - # - # This then becomes the source of truth where any edits are imported back - # into OSV. - repo = self.checkout(oss_fuzz_source) - self.schedule_regular_updates(repo, oss_fuzz_source) - self.import_new_oss_fuzz_entries(repo, oss_fuzz_source) - self.export_oss_fuzz_to_bucket() - - def export_oss_fuzz_to_bucket(self): - """Export OSS-Fuzz vulns to bucket.""" - storage_client = storage.Client() - bucket = storage_client.get_bucket(self._oss_fuzz_export_bucket) - - def export_oss_fuzz(vulnerability, testcase_id, issue_id): - """Export a single vulnerability.""" - try: - blob = bucket.blob(f'testcase/{testcase_id}.json') - data = json.dumps(osv.vulnerability_to_dict(vulnerability)) - blob.upload_from_string(data, retry=retry.DEFAULT_RETRY) - - if not issue_id: - return - - blob = bucket.blob(f'issue/{issue_id}.json') - blob.upload_from_string(data, retry=retry.DEFAULT_RETRY) - except Exception as e: - logging.error('Failed to export: %s', e) - - with concurrent.futures.ThreadPoolExecutor( - max_workers=_EXPORT_WORKERS) as executor: - for bug in osv.Bug.query(osv.Bug.ecosystem == 'OSS-Fuzz'): - if not bug.public: - continue - - _, source_id = osv.parse_source_id(bug.source_id) - executor.submit(export_oss_fuzz, bug.to_vulnerability(), source_id, - bug.issue_id) - def preprocess_vuln(vuln: vulnerability_pb2.Vulnerability): """Do preprocessing steps on vulnerability that the worker does.""" 
@@ -1360,6 +1231,7 @@ def put_if_newer_batch( """ # TODO(michaelkedar): Putting so many records is causing slowdowns on the # importer, need to reconsider the approach. + # TODO(michaelkedar): This code is still using old Bug entities. return # pylint: disable=unreachable if not vulns_and_paths: diff --git a/gcp/workers/importer/importer_test.py b/gcp/workers/importer/importer_test.py index fc2197d8c55..ca50cee6c76 100644 --- a/gcp/workers/importer/importer_test.py +++ b/gcp/workers/importer/importer_test.py 
@@ -119,45 +119,6 @@ def test_nop(self, mock_publish: mock.MagicMock): mock_publish.assert_not_called() - @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') - def test_scheduled_updates_already_done(self, mock_publish): # pylint: disable=unused-argument - """Scheduled updates already done.""" - # TODO(michaelkedar): This test doesn't check anything - self.skipTest("Not Implemented") - source_repo = osv.SourceRepository.get_by_id('oss-fuzz') - source_repo.last_update_date = importer.utcnow() - source_repo.put() - - self.mock_repo.add_file('proj/OSV-2021-1337.yaml', _MIN_VALID_VULNERABILITY) - self.mock_repo.commit('OSV', 'infra@osv.dev') - osv.Bug( - db_id='OSV-2021-1337', - project=['proj'], - fixed='', - status=1, - source_id='oss-fuzz:123', - source_of_truth=osv.SourceOfTruth.SOURCE_REPO, - timestamp=datetime.datetime( - 2020, 1, 1, 0, 0, 0, 0, tzinfo=datetime.UTC)).put() - - imp = importer.Importer('fake_public_key', 'fake_private_key', self.tmp_dir, - importer.DEFAULT_PUBLIC_LOGGING_BUCKET, 'bucket', - True, False) - imp.run() - - @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') - def test_no_updates(self, mock_publish): # pylint: disable=unused-argument - """Test no update marker.""" - # TODO(michaelkedar): This test doesn't check anything - self.skipTest("Not Implemented") - self.mock_repo.add_file('2021-111.yaml', _MIN_VALID_VULNERABILITY) - self.mock_repo.commit('User', 'user@email', 'message. OSV-NO-UPDATE') - - imp = importer.Importer('fake_public_key', 'fake_private_key', self.tmp_dir, - importer.DEFAULT_PUBLIC_LOGGING_BUCKET, 'bucket', - True, False) - imp.run() - @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish') def test_ignore(self, mock_publish): # pylint: disable=unused-argument """Test ignoring.""" diff --git a/tools/datafix/list_ids_for_source.py b/tools/datafix/list_ids_for_source.py index 009640b943e..eeb321b8403 100755 --- a/tools/datafix/list_ids_for_source.py +++ b/tools/datafix/list_ids_for_source.py 
@@ -45,25 +45,27 @@ def main() -> None: ds_client = datastore.Client(project=args.project) - query = ds_client.query(kind="Bug") - query.add_filter(filter=PropertyFilter("source", "=", args.source_id)) - query.add_filter(filter=PropertyFilter("status", "=", 1)) + query = ds_client.query(kind="Vulnerability") + query.add_filter( + filter=PropertyFilter("source_id", ">", args.source_id + ':')) + query.add_filter( + filter=PropertyFilter("source_id", "<", args.source_id + ';')) print(f"Running query {query.filters} " f"on {query.kind} (in {query.project})...") result = list(query.fetch()) - print(f"Retrieved {len(result)} bugs") + print(f"Retrieved {len(result)} vulnerabilities") - bugs = [] + vulnerabilities = [] # Chunk the results to modify in acceptibly sized batches for the API. for batch in range(0, len(result), MAX_BATCH_SIZE): - for bug in result[batch:batch + MAX_BATCH_SIZE]: - print(f"{bug['db_id']}") - bugs.append(bug['db_id']) + for vuln in result[batch:batch + MAX_BATCH_SIZE]: + print(f"{vuln.key.name}") + vulnerabilities.append(vuln.key.name) if args.txt: - with open('bug_ids.txt', 'w') as f: - for bug in bugs: - f.write(f'{bug}\n') + with open('vuln_ids.txt', 'w') as f: + for vuln in vulnerabilities: + f.write(f'{vuln}\n') if __name__ == "__main__": diff --git a/tools/datafix/old/README.md b/tools/datafix/old/README.md new file mode 100644 index 00000000000..2939ad91fc6 --- /dev/null +++ b/tools/datafix/old/README.md @@ -0,0 +1,5 @@ +The scripts in this folder all operate on the old Bug data model. + +OSV.dev has moved away from using Bugs as the source of truth for vulnerabilities, so these scripts are no longer useful, or will need to be rewritten. + +They are retained for historical/documentational purposes. diff --git a/tools/datafix/delete_bugs.py b/tools/datafix/old/delete_bugs.py similarity index 100% rename from tools/datafix/delete_bugs.py rename to tools/datafix/old/delete_bugs.py 
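Review bot: The new `Vulnerability` query in this hunk has no replacement for the dropped `status == 1` filter, so the listing now includes withdrawn records, whereas the importer's deletion paths exclude them with `if not r.is_withdrawn`; if this script is meant to mirror that set, a `PropertyFilter("is_withdrawn", "=", False)` filter (or a client-side check on `vuln.get('is_withdrawn')`) is needed — presumably the field exists on the Datastore entity, but confirm. The `for batch in range(0, len(result), MAX_BATCH_SIZE)` loop only prints and appends, so the "acceptibly sized batches for the API" comment no longer describes any API call and could go with the loop. `main` starts outside the hunk.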
diff --git a/tools/datafix/delete_invalid.py b/tools/datafix/old/delete_invalid.py similarity index 100% rename from tools/datafix/delete_invalid.py rename to tools/datafix/old/delete_invalid.py diff --git a/tools/datafix/reput_all.py b/tools/datafix/old/reput_all.py similarity index 100% rename from tools/datafix/reput_all.py rename to tools/datafix/old/reput_all.py diff --git a/tools/datafix/reput_bugs.py b/tools/datafix/old/reput_bugs.py similarity index 100% rename from tools/datafix/reput_bugs.py rename to tools/datafix/old/reput_bugs.py diff --git a/tools/datafix/reput_helper.py b/tools/datafix/old/reput_helper.py similarity index 100% rename from tools/datafix/reput_helper.py rename to tools/datafix/old/reput_helper.py diff --git a/tools/datafix/withdraw_invalid.py b/tools/datafix/old/withdraw_invalid.py similarity index 100% rename from tools/datafix/withdraw_invalid.py rename to tools/datafix/old/withdraw_invalid.py diff --git a/tools/datafix/reimport_gcs_record.py b/tools/datafix/reimport_gcs_record.py index 41270fc23d7..a53e5abdbd0 100755 --- a/tools/datafix/reimport_gcs_record.py +++ b/tools/datafix/reimport_gcs_record.py @@ -6,9 +6,9 @@ * the creation time of the GCS object is newer than the last_update_date for the data source in SourceRepository in Cloud Datastore * either of: - * the vulnerability does not exist in Bug in Cloud Datastore at all, or - * the Modified field of the record differs from the existing Bug's - import_last_modified in Cloud Datastore. + * the vulnerability does not exist in Vulnerability in Datastore at all, or + * the Modified field of the record differs from the existing Vulnerability's + modified_raw in Cloud Datastore. This defaults to running in dry-run mode against the staging instance. It supports an arbitrary number of vulnerability IDs on the command line. @@ -21,6 +21,7 @@ from google.cloud.datastore.query import PropertyFilter import argparse +from datetime import datetime, timezone import os import functools 
@@ -31,13 +32,13 @@ class UnexpectedSituation(Exception): pass -def objname_for_bug(client: datastore.Client, bug: datastore.entity.Entity, - forced_bucket_name: str) -> dict: - """Returns the GCS object details for a given Bug. +def objname_for_vuln(client: datastore.Client, vuln: datastore.entity.Entity, + forced_bucket_name: str) -> dict: + """Returns the GCS object details for a given Vulnerability. Args: client: an initialized Cloud Datastore client. - bug: a Bug Cloud Datastore entity. + vuln: a Vulnerability Cloud Datastore entity. forced_bucket_name: bucket name (with optional colon-separated path) to forcibly use. @@ -45,7 +46,7 @@ def objname_for_bug(client: datastore.Client, bug: datastore.entity.Entity, A dict with keys for the GCS uri, the bucket name and path within the bucket. """ - source_object_path = bug["source_id"].split(":")[1] + source, _, source_object_path = vuln["source_id"].partition(":") if forced_bucket_name: (bucket, _, bucketpath) = forced_bucket_name.partition(":") @@ -61,7 +62,7 @@ def objname_for_bug(client: datastore.Client, bug: datastore.entity.Entity, os.path.join(bucketpath, os.path.basename(source_object_path)) } - bucket = bucket_for_source(client, bug["source"]) + bucket = bucket_for_source(client, source) return { "uri": "gs://" + os.path.join(bucket, source_object_path), "bucket": bucket, @@ -133,10 +134,10 @@ def main() -> None: parser = argparse.ArgumentParser( description="Trigger the reimport of individual GCS-sourced records") parser.add_argument( - "bugs", + "vulns", action="append", nargs="+", - help=f"The bug IDs to operate on ({MAX_QUERY_SIZE} at most)") + help=f"The vuln IDs to operate on ({MAX_QUERY_SIZE} at most)") parser.add_argument( "--dry-run", action=argparse.BooleanOptionalAction, 
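Review bot: `source, _, source_object_path = vuln["source_id"].partition(":")` in the `@@ -45` hunk no longer fails on a `source_id` without a `:`: the removed `split(":")[1]` raised `IndexError`, while `partition` yields the whole string as `source` and an empty path, so the function goes on to look up a bucket for a name that is really the unsplit id and builds a URI ending at the bucket root. Keeping the separator and raising the module's own exception makes the failure explicit: `source, sep, source_object_path = vuln["source_id"].partition(":")` followed by `if not sep: raise UnexpectedSituation(f"malformed source_id {vuln['source_id']!r}")`. `objname_for_vuln` continues outside the hunk.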
@@ -170,46 +171,43 @@ def main() -> None: "for the object in GCS (e.g. `cve-osv-conversion:osv-output`)")) args = parser.parse_args() - if len(args.bugs[0]) > MAX_QUERY_SIZE: - parser.error(f"Only {MAX_QUERY_SIZE} bugs can be supplied. " + if len(args.vulns[0]) > MAX_QUERY_SIZE: + parser.error(f"Only {MAX_QUERY_SIZE} vulns can be supplied. " f"Try running with xargs -n {MAX_QUERY_SIZE}") ds_client = datastore.Client(project=args.project) url_base = url_for_project(args.project) - query = ds_client.query(kind="Bug") - query.add_filter(filter=PropertyFilter("db_id", "IN", args.bugs[0])) - print(f"Running query {query.filters[0]} " - f"on {query.kind} (in {query.project})...") - result = list(query.fetch()) - print(f"Retrieved {len(result)} bugs to validate for operating on") - result_to_fix = [r for r in result if r['source_of_truth'] == 2] - print(f"There are {len(result_to_fix)} bugs to operate on...") + print("Running fetch") + result = ds_client.get_multi( + [ds_client.key('Vulnerability', vuln_id) for vuln_id in args.vulns[0]]) + print(f"Retrieved {len(result)} vulns to operate on...") try: with ds_client.transaction() as xact: - for bug in result_to_fix: + for vuln in result: try: - bug_in_gcs = objname_for_bug( - ds_client, bug, forced_bucket_name=args.bucket) + vuln_in_gcs = objname_for_vuln( + ds_client, vuln, forced_bucket_name=args.bucket) except UnexpectedSituation as e: if args.verbose: - print(f"Skipping {bug['db_id']}, got {e}\n") + print(f"Skipping {vuln.key.name}, got {e}\n") continue if args.verbose: - print(f"Resetting modification time for {bug_in_gcs['uri']}") + print(f"Resetting modification time for {vuln_in_gcs['uri']}") if not args.dryrun: try: - reset_object_modification(bug_in_gcs["bucket"], bug_in_gcs["path"]) + reset_object_modification(vuln_in_gcs["bucket"], + vuln_in_gcs["path"]) except NotFound as e: if args.verbose: print(f"Skipping, got {e}\n") continue - bug["import_last_modified"] = None + vuln["modified_raw"] = 
datetime.fromtimestamp(0, timezone.utc) if args.verbose: - print(f"Resetting import_last_modified for {bug['db_id']}") - print(f"Review at {url_base}{bug['db_id']} when reimport completes.") - xact.put(bug) + print(f"Resetting modified_raw for {vuln.key.name}") + print(f"Review at {url_base}{vuln.key.name} when reimport completes.") + xact.put(vuln) if args.dryrun: raise Exception("Dry run mode. Preventing transaction from commiting") # pylint: disable=broad-exception-raised except Exception as e: diff --git a/tools/datafix/request_worker_update_record.py b/tools/datafix/request_worker_update_record.py index 967847d00e8..b469331b4c1 100755 --- a/tools/datafix/request_worker_update_record.py +++ b/tools/datafix/request_worker_update_record.py @@ -79,7 +79,7 @@ def request_url_update(record_url, project_id, source, path, timeout, if not allow_delete or e.response.status_code != 404: print(e) return - print(f'Bug was deleted: {record_url}') + print(f'Vulnerability was deleted: {record_url}') deleted = True publish_update_message(project_id, PUBSUB_TOPIC_ID, source, path, @@ -101,12 +101,12 @@ def main(): "--allow-delete", action="store_true", default=False, - help="Delete bugs if not found in source (GIT only)") + help="Delete vulns if not found in source (GIT only)") parser.add_argument( - "bugs", + "vulns", action="append", nargs="*", - help="The bug IDs to operate on. If not specified, all bugs from the " + help="The vuln IDs to operate on. If not specified, all vulns from the " "source will be processed.") args = parser.parse_args() 
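Review bot: `ds_client.get_multi(...)` in the `@@ -170` hunk silently drops any key that does not exist, and the only feedback is the `Retrieved {len(result)} vulns` count, so once several IDs are passed a mistyped one is indistinguishable from a found one. Reporting the difference is two lines after the fetch: `missing = set(args.vulns[0]) - {v.key.name for v in result}` and `if missing: print(f"Not found in Datastore: {sorted(missing)}")`. The removed `source_of_truth == 2` filter has no counterpart, so every fetched record is now reset regardless of where it is sourced from — presumably intended under the new model, but worth a sentence in the module docstring. `main` starts outside the hunk.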
@@ -118,32 +118,34 @@ def main(): if not source_repo: raise ValueError(f"Source repository '{args.source}' not found.") - bugs_to_process = [] - if args.bugs and args.bugs[0]: - bugs_to_process = args.bugs[0] + vulns_to_process = [] + if args.vulns and args.vulns[0]: + vulns_to_process = args.vulns[0] else: - print( - f'No bug IDs provided. Querying all bugs for source {args.source}...') - query = osv.Bug.query(osv.Bug.source == args.source) - bugs_to_process = [b.id() for b in query.iter(keys_only=True)] - print(f'Found {len(bugs_to_process)} bugs to update.') + print('No vuln IDs provided. ' + 'Querying all vulns for source {args.source}...') + query = osv.Vulnerability.query( + osv.Vulnerability.source_id > args.source + ':', + osv.Vulnerability.source_id < (args.source + ';')) + vulns_to_process = [b.id() for b in query.iter(keys_only=True)] + print(f'Found {len(vulns_to_process)} bugs to update.') confirm = input('Are you sure you want to proceed? (y/N) ') if confirm.lower() not in ('y', 'yes'): print('Aborting.') return if source_repo.type == osv.SourceRepositoryType.REST_ENDPOINT: - for bug in bugs_to_process: - record_url = f'{source_repo.link}{bug}{source_repo.extension}' - path = f'{bug}{source_repo.extension}' + for vuln in vulns_to_process: + record_url = f'{source_repo.link}{vuln}{source_repo.extension}' + path = f'{vuln}{source_repo.extension}' request_url_update(record_url, args.project_id, args.source, path, args.timeout, False) if source_repo.type == osv.SourceRepositoryType.GIT: - for bug in bugs_to_process: - entity = osv.Bug.get_by_id(bug) + for vuln in vulns_to_process: + entity = osv.Vulnerability.get_by_id(vuln) if not entity: - print(f'Warning: {bug} does not exist in Datastore, skipping.') + print(f'Warning: {vuln} does not exist in Datastore, skipping.') continue path = entity.source_id.split(':')[1] From eee01323b59243411a0ee348a091c7f59a7f3d33 Mon Sep 17 00:00:00 2001 
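Review bot: `print('No vuln IDs provided. ' 'Querying all vulns for source {args.source}...')` in this hunk lost the `f` prefix the removed line had, so it prints the literal text `{args.source}`; the second fragment needs to be `f'Querying all vulns for source {args.source}...'`. The next line, `print(f'Found {len(vulns_to_process)} bugs to update.')`, still says `bugs` while everything around it was renamed. The `source_id > args.source + ':'` / `< (args.source + ';')` bounds repeat the prefix-range trick the importer's deletion paths use; a shared helper would stop the `;` sentinel from being re-derived per script. `main` starts and ends outside the hunk.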
From: Michael Kedar Date: Fri, 23 Jan 2026 14:20:39 +1100 Subject: [PATCH 4/6] nice recovery --- gcp/workers/recoverer/recoverer.py | 46 +++++++++++++++++++------ gcp/workers/recoverer/recoverer_test.py | 26 ++++++++------ gcp/workers/worker/worker.py | 9 +++-- gcp/workers/worker/worker_test.py | 35 +++++++++++++++++++ 4 files changed, 93 insertions(+), 23 deletions(-) diff --git a/gcp/workers/recoverer/recoverer.py b/gcp/workers/recoverer/recoverer.py index 36bba14454c..3ceee794f5d 100644 --- a/gcp/workers/recoverer/recoverer.py +++ b/gcp/workers/recoverer/recoverer.py @@ -19,14 +19,18 @@ import logging import os import sys +import time from google.cloud import ndb from google.cloud import pubsub_v1 import osv +import osv.models +import osv.sources from osv.logs import setup_gcp_logging _FAILED_TASKS_SUBSCRIPTION = 'recovery' +_TASKS_TOPIC = 'tasks' _ndb_client = None @@ -54,6 +58,7 @@ def handle_gcs_retry(message: pubsub_v1.types.PubsubMessage) -> bool: } }) return True + logging.info('gcs_retry: vulnerability: %s', vuln.id) modified = vuln.modified.ToDatetime(datetime.UTC) bucket = osv.gcs.get_osv_bucket() path = os.path.join(osv.gcs.VULN_PB_PATH, vuln.id + '.pb') 
@@ -80,24 +85,42 @@ def handle_gcs_retry(message: pubsub_v1.types.PubsubMessage) -> bool:
 def handle_gcs_missing(message: pubsub_v1.types.PubsubMessage) -> bool:
 """Handle a failed GCS read."""
 vuln_id = message.attributes.get('id')
+ logging.info('gcs_missing: vulnerability: %s', vuln_id)
 if not vuln_id:
 logging.error('gcs_missing: message missing id attribute: %s', message)
 return True
- # Re-put the Bug to regenerate the GCS & Datastore entities
+
 with ndb_client().context():
- bug = osv.Bug.get_by_id(vuln_id)
- if not bug:
- logging.error('gcs_missing: Bug entity not found for %s', vuln_id)
- # TODO(michaelkedar): What can we do in this case?
+ vuln = osv.Vulnerability.get_by_id(vuln_id)
+ if not vuln:
+ logging.error('gcs_missing: Vulnerability entity not found for %s',
+ vuln_id)
 return True
+
 try:
- bug.put()
+ source, path = osv.sources.parse_source_id(vuln.source_id)
+ except ValueError:
+ logging.error('gcs_missing: invalid source_id for %s: %s', vuln_id,
+ vuln.source_id)
 return True
- except Exception:
- logging.exception('gcs_missing: failed to put Bug entity for %s', vuln_id)
- return False
- # TODO(michaelkedar): We will want to stop using the Bug entity eventually.
- # This will need to trigger a reimport of the record from the datasource.
+
+ logging.info('gcs_missing: triggering re-import for %s (%s)', vuln_id,
+ vuln.source_id)
+ publisher = pubsub_v1.PublisherClient()
+ project = os.environ['GOOGLE_CLOUD_PROJECT']
+ topic_path = publisher.topic_path(project, _TASKS_TOPIC)
+ publisher.publish(
+ topic_path,
+ data=b'',
+ type='update',
+ source=source,
+ path=path,
+ original_sha256='',
+ deleted='false',
+ skip_hash_check='true',
+ req_timestamp=str(int(time.time())))
+
+ return True
 
 
 def handle_gcs_gen_mismatch(message: pubsub_v1.types.PubsubMessage) -> bool:
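Review bot: `publisher.publish(...)` at the end of the `@@ -80` hunk returns a future that is never resolved, so a publish that fails (missing topic, denied permission, client error) is logged nowhere and the function still returns True, which acks the recovery message; the record then stays missing in GCS with nothing left to retry it. Waiting on the future and returning False on failure keeps the message for redelivery, which is what the `return False` this hunk removes used to do for the old put path. `os.environ['GOOGLE_CLOUD_PROJECT']` likewise raises `KeyError` out of the handler when unset — presumably always set in deployment, but an `.get` with an error log would fail the same way as the other early returns. Constructing a `PublisherClient` per message is also heavier than a module-level client; the test patches the class, so a lazily created module-level instance would still be mockable.
```python
    # … unchanged: publisher / project / topic_path …
    future = publisher.publish(
        topic_path,
        # … unchanged: message attributes …
        req_timestamp=str(int(time.time())))
    try:
      future.result()  # surface publish failures instead of acking silently
    except Exception:
      logging.exception('gcs_missing: failed to publish re-import for %s',
                        vuln_id)
      return False

    return True
```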
@@ -106,6 +129,7 @@ def handle_gcs_gen_mismatch(message: pubsub_v1.types.PubsubMessage) -> bool: """ vuln_id = message.attributes.get('id') field = message.attributes.get('field') + logging.info('gcs_gen_mismatch: vulnerability: %s, field: %s', vuln_id, field) if not vuln_id or not field: logging.error('gcs_gen_mismatch: message missing id or field attribute: %s', message) diff --git a/gcp/workers/recoverer/recoverer_test.py b/gcp/workers/recoverer/recoverer_test.py index c0c5d5cfa07..fb392bd0dd9 100644 --- a/gcp/workers/recoverer/recoverer_test.py +++ b/gcp/workers/recoverer/recoverer_test.py @@ -15,6 +15,7 @@ import datetime import os import unittest +import unittest.mock from google.cloud import ndb from google.cloud import pubsub_v1 @@ -53,6 +54,11 @@ def setUp(self): import_last_modified=datetime.datetime( 2025, 1, 1, tzinfo=datetime.UTC), ).put() + osv.Vulnerability( + id='TEST-123', + source_id='test:TEST-123.yaml', + modified=datetime.datetime(2025, 1, 1, tzinfo=datetime.UTC), + ).put() return super().setUp() def test_handle_gcs_retry(self): 
@@ -100,19 +106,19 @@ def test_handle_gcs_retry_invalid_data(self): self.assertEqual(1, len(cm.output)) self.assertIn('failed to decode protobuf', cm.output[0]) - def test_handle_gcs_missing(self): + @unittest.mock.patch('google.cloud.pubsub_v1.PublisherClient') + def test_handle_gcs_missing(self, mock_publisher): """Test standard handle_gcs_missing""" - # Going to pretend this is missing, we'll check the contents don't change. - original_result = osv.gcs.get_by_id_with_generation('TEST-123') - self.assertIsNotNone(original_result) - original_data, original_generation = original_result message = pubsub_v1.types.PubsubMessage(attributes={'id': 'TEST-123'}) self.assertTrue(recoverer.handle_gcs_missing(message)) - new_result = osv.gcs.get_by_id_with_generation('TEST-123') - self.assertIsNotNone(new_result) - new_data, new_generation = new_result - self.assertEqual(original_data, new_data) - self.assertNotEqual(original_generation, new_generation) + + # Check that the update message was published + mock_publisher.return_value.publish.assert_called_once() + call_args = mock_publisher.return_value.publish.call_args + self.assertEqual(call_args.kwargs['type'], 'update') + self.assertEqual(call_args.kwargs['source'], 'test') + self.assertEqual(call_args.kwargs['path'], 'TEST-123.yaml') + self.assertEqual(call_args.kwargs['skip_hash_check'], 'true') def test_handle_gcs_gen_mismatch_aliases(self): """Test handle_gcs_gen_mismatch for aliases.""" diff --git a/gcp/workers/worker/worker.py b/gcp/workers/worker/worker.py index 281c892806e..b29377bfc42 100644 --- a/gcp/workers/worker/worker.py +++ b/gcp/workers/worker/worker.py @@ -324,6 +324,7 @@ def _source_update(self, message): path = message.attributes['path'] original_sha256 = message.attributes['original_sha256'] deleted = message.attributes['deleted'] == 'true' + skip_hash_check = message.attributes.get('skip_hash_check') == 'true' source_repo = osv.get_source_repository(source) if source_repo is None: 
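Review bot: `skip_hash_check = message.attributes.get('skip_hash_check') == 'true'` in the `@@ -324` hunk names one behaviour but controls two: it disables the sha256 comparison in the `@@ -399` hunk, and in the `@@ -339`, `@@ -366` and `@@ -387` hunks it turns a record that cannot be fetched from the source into a withdrawal via `_handle_deleted`. For the REST path that means a single 404 from the upstream endpoint on a recoverer-triggered re-import withdraws the record, whereas a normal update with `deleted='false'` only logs and returns; if that is intended, the attribute deserves a comment where it is parsed, e.g. `# Set by the recoverer for re-imports: no sha256 is known, and a record absent at the source is treated as deleted.` Since the worker trusts the attribute from any message on the topic, stating that only the recoverer is expected to set it belongs in the same comment. `_source_update` starts and ends outside these hunks.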
@@ -339,7 +340,7 @@ def _source_update(self, message): vuln_path = os.path.join(osv.repo_path(repo), path) if not os.path.exists(vuln_path): logging.info('%s was deleted.', vuln_path) - if deleted: + if deleted or skip_hash_check: self._handle_deleted(path) return @@ -366,6 +367,8 @@ def _source_update(self, message): blob = bucket.blob(path).download_as_bytes(retry=retry.DEFAULT_RETRY) except google.cloud.exceptions.NotFound: logging.exception('Bucket path %s does not exist.', path) + if skip_hash_check: + self._handle_deleted(path) return current_sha256 = osv.sha256_bytes(blob) @@ -387,6 +390,8 @@ def _source_update(self, message): request = requests.get(source_repo.link + path, timeout=_TIMEOUT_SECONDS) if request.status_code != 200: logging.error('Failed to fetch REST API: %s', request.status_code) + if request.status_code == 404 and skip_hash_check: + self._handle_deleted(path) return vuln = request.json() try: @@ -399,7 +404,7 @@ def _source_update(self, message): else: raise RuntimeError('Unsupported SourceRepository type.') - if current_sha256 != original_sha256: + if not skip_hash_check and current_sha256 != original_sha256: logging.warning( 'sha256sum of %s no longer matches (expected=%s vs current=%s).', path, original_sha256, current_sha256) diff --git a/gcp/workers/worker/worker_test.py b/gcp/workers/worker/worker_test.py index aca44b6791a..15997c87142 100644 --- a/gcp/workers/worker/worker_test.py +++ b/gcp/workers/worker/worker_test.py 
@@ -912,6 +912,41 @@ def test_ubuntu_severity(self):
 'ubuntu_severity_type',
 MessageToDict(osv.gcs.get_by_id('UBUNTU-CVE-2025-38094')))
 
+ def test_update_skip_hash_check(self):
+ """Test update with skip_hash_check=true."""
+ task_runner = worker.TaskRunner(ndb_client, None, self.tmp_dir.name, None,
+ None)
+ # Case 1: File exists, hash mismatch but skipped
+ message = mock.Mock()
+ message.attributes = {
+ 'source': 'source',
+ 'path': 'OSV-123.yaml',
+ 'original_sha256': 'mismatch',
+ 'deleted': 'false',
+ 'skip_hash_check': 'true',
+ }
+
+ # Should not log warning about hash mismatch
+ with self.assertLogs(level='INFO'): # capture info to ensure no warning
+ task_runner._source_update(message)
+
+ # Verify it updated (we can check GCS or just that it didn't return early)
+ self.expect_dict_equal('update',
+ MessageToDict(osv.gcs.get_by_id('OSV-123')))
+
+ # Case 2: File missing, skip_hash_check=true -> should delete
+ self.mock_repo.delete_file('OSV-123.yaml')
+ self.mock_repo.commit('User', 'user@email')
+
+ message.attributes['original_sha256'] = '' # irrelevant
+
+ task_runner._source_update(message)
+
+ vuln = osv.Vulnerability.get_by_id('OSV-123')
+ self.assertTrue(vuln.is_withdrawn)
+ vuln_pb = osv.gcs.get_by_id('OSV-123')
+ self.assertTrue(vuln_pb.HasField('withdrawn'))
+
 def setUpModule():
 """Set up the test module."""
 
From 185bfe3c573eafde345dd533bdcad22f154c10d7 Mon Sep 17 00:00:00 2001
From: Michael Kedar
Date: Fri, 23 Jan 2026 15:16:03 +1100
Subject: [PATCH 5/6] Update gcp/workers/worker/worker.py
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 gcp/workers/worker/worker.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gcp/workers/worker/worker.py b/gcp/workers/worker/worker.py
index b29377bfc42..d6f94b15576 100644
--- a/gcp/workers/worker/worker.py
+++ b/gcp/workers/worker/worker.py
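Review bot: `with self.assertLogs(level='INFO'):` in case 1 of `test_update_skip_hash_check` only asserts that at least one record at INFO or above was emitted; it does not check that the hash-mismatch WARNING stayed silent, so the assertion described by `# Should not log warning about hash mismatch` is never made and the test would pass if the warning fired. Binding the context and checking the captured output closes the gap: `with self.assertLogs(level='INFO') as cm:` and, after the call, `self.assertFalse([line for line in cm.output if 'no longer matches' in line])`. The `# irrelevant` comment on `message.attributes['original_sha256'] = ''` is the only place case 2 says the sha256 is ignored by design; a sentence in the docstring naming the two cases would make the intent readable without the inline comments.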
@@ -456,7 +456,7 @@ def xact():
 logging.info('Marking %s as withdrawn.', vuln_id)
 
 if not vuln_and_gen:
- logging.error('Failed to find Vulnerability with ID %s', vuln_id)
+ logging.error('Failed to find Vulnerability with ID %s in GCS', vuln_id)
 # contruct an empty withdrawn vuln
 proto_vuln = vulnerability_pb2.Vulnerability(id=vuln_id)
 else:
From 689559d10a706a14ccc77614837bb01644fa8e22 Mon Sep 17 00:00:00 2001
From: Michael Kedar
Date: Tue, 27 Jan 2026 13:03:11 +1100
Subject: [PATCH 6/6] minor review
---
 gcp/workers/worker/worker.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gcp/workers/worker/worker.py b/gcp/workers/worker/worker.py
index d6f94b15576..a47cfdd09a8 100644
--- a/gcp/workers/worker/worker.py
+++ b/gcp/workers/worker/worker.py
@@ -472,7 +472,6 @@ def xact():
 ds_vuln.is_withdrawn = True
 ds_vuln.modified = proto_vuln.modified.ToDatetime(datetime.UTC)
 osv.models.put_entities(ds_vuln, proto_vuln)
- osv.update_affected_commits(vuln_id, [], False)
 
 try:
 ndb.transaction(xact)
@@ -527,6 +526,7 @@ def _analyze_vulnerability(self, source_repo: osv.SourceRepository,
 return result
 # NB: Only OSS-Fuzz is editable - all other sources are read-only.
 # This should not be reachable by this worker.
+ logging.error('Source %s flagged as editable', source_repo.name)
 output_path = os.path.join(osv.repo_path(repo), path)
 if self._push_new_ranges_and_versions(source_repo, repo, vulnerability,
 output_path, original_sha256):