Update OSV affected_version_range to prioritize explicit versions, then last_known_affected_version_range, and finally range-based versions

Signed-off-by: ziad hany <[email protected]>

Author: ziadhany

vulnerabilities/importers/osv_v2.py

@@ -147,17 +147,33 @@ def parse_advisory_data_v3(
             except Exception as e:
                 logger.error(f"Failed to build VersionRange for {advisory_id}: {e}")
 
+        explicit_affected_range = get_explicit_affected_range(
+            affected_pkg=affected_pkg,
+            raw_id=advisory_id,
+            supported_ecosystem=purl.type,
+        )
+
+        explicit_last_known = get_last_known_affected_range(
+            affected_pkg=affected_pkg,
+            raw_id=advisory_id,
+            supported_ecosystem=purl.type,
+        )
+
+        final_affected_range = (
+            explicit_affected_range or explicit_last_known or affected_version_range
+        )
+
         if (
             fixed_version_range
-            or affected_version_range
+            or final_affected_range
             or fixed_by_commit_patches
             or introduced_by_commit_patches
         ):
             try:
                 affected_packages.append(
                     AffectedPackageV2(
                         package=purl,
-                        affected_version_range=affected_version_range,
+                        affected_version_range=final_affected_range,
                         fixed_version_range=fixed_version_range,
                         fixed_by_commit_patches=fixed_by_commit_patches,
                         introduced_by_commit_patches=introduced_by_commit_patches,
@@ -166,32 +182,6 @@ def parse_advisory_data_v3(
             except Exception as e:
                 logger.error(f"Invalid AffectedPackageV2 {e} for {advisory_id}")
 
-        explicit_affected_range = get_explicit_affected_range(
-            affected_pkg=affected_pkg,
-            raw_id=advisory_id,
-            supported_ecosystem=purl.type,
-        )
-        if explicit_affected_range:
-            affected_packages.append(
-                AffectedPackageV2(
-                    package=purl,
-                    affected_version_range=explicit_affected_range,
-                )
-            )
-
-        explicit_last_known_affected_range = get_last_known_affected_range(
-            affected_pkg=affected_pkg,
-            raw_id=advisory_id,
-            supported_ecosystem=purl.type,
-        )
-        if explicit_last_known_affected_range:
-            affected_packages.append(
-                AffectedPackageV2(
-                    package=purl,
-                    affected_version_range=explicit_last_known_affected_range,
-                )
-            )
-
     database_specific = raw_data.get("database_specific") or {}
     cwe_ids = database_specific.get("cwe_ids") or []
     weaknesses = list(map(get_cwe_id, cwe_ids))

vulnerabilities/tests/test_data/osv_test/github/github-expected-1.json

@@ -3,7 +3,7 @@
   "aliases": [
     "CVE-2023-49921"
   ],
-  "summary": "Elasticsearch Insertion of Sensitive Information into Log File\nAn issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.",
+  "summary": "Elasticsearch Insertion of Sensitive Information into Log File\nAn issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input\u2019s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.",
   "affected_packages": [
     {
       "package": {

vulnerabilities/tests/test_data/osv_test/github/github-expected-2.json

@@ -5,20 +5,6 @@
   ],
   "summary": "OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter\n### Summary\nAn authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.\n\n### Details\nThe vulnerability is located in the `retrieve()` method within `src/API/Manager.php`.\n\nUser input from the `display` GET parameter is processed without proper validation. The code strips the surrounding brackets `[]`, splits the string by commas, and then passes each resulting element directly into the `selectRaw()` function of the query builder.\n\n```php\n// User input from 'display' is taken without sanitization.\n$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;\n\n// ...\n\n// The unsanitized input is passed directly to `selectRaw()`.\nforeach ($select as $s) {\n    $query->selectRaw($s);\n}\n```\n\nSince `selectRaw()` is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the `display` parameter.\n\n### PoC\n1.  Log in to an OpenSTAManager instance as any user.\n2.  Navigate to the user's profile page to obtain their personal API Token.\n3.  Use this API token to send a specially crafted GET request to the API endpoint.\n\n**Time-Based Blind Injection Test:**\n\nReplace `<your_host>`, `<your_token>`, and `<resource_name>` with your actual values. `anagrafiche` is a valid resource.\n\n```bash\ncurl \"http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]\"\n```\n\nThe server will delay its response by approximately 5 seconds, confirming the `SLEEP(5)` command was executed by the database.\n\n### Impact\nThis is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:\n\n*   **Exfiltrate all data** from the database (e.g., user credentials, customer information, invoices, internal data).\n*   **Modify or delete data**, compromising data integrity.\n*   Potentially achieve further system compromise, depending on the database user's privileges and system configuration.",
   "affected_packages": [
-    {
-      "package": {
-        "type": "composer",
-        "namespace": "devcode-it",
-        "name": "openstamanager",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:composer/<2.9.5",
-      "fixed_version_range": "vers:composer/2.9.5",
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
-    },
     {
       "package": {
         "type": "composer",
@@ -29,7 +15,7 @@
         "subpath": ""
       },
       "affected_version_range": "vers:composer/<=2.9.4",
-      "fixed_version_range": null,
+      "fixed_version_range": "vers:composer/2.9.5",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": []
     }

vulnerabilities/tests/test_data/osv_test/github/github-expected-3.json

@@ -3,20 +3,6 @@
   "aliases": [],
   "summary": "Memory exhaustion in http4s-async-http-client with large or malicious compressed responses\n### Impact\nA server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM.  It does not affect http4s servers, other client backends, or clients that speak only to trusted servers.  This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by [CVE-2020-11612](https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897).\n\n### Patches\nUpgrade to http4s-async-http-client >= 0.21.8.  All 1.0 milestones are also safe.\n\n### Workarounds\nAdd an explicit runtime dependency on async-http-client's netty dependencies that evicts them to an unaffected version:\n\n```scala\nlibraryDependencies ++= Seq(\n  \"io.netty\" %  \"netty-codec\"         % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-codec-socks\"   % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-handler-proxy\" % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-common\"        % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-transport\"     % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-handler\"       % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-resolver-dns\"  % \"4.1.53.Final\" % Runtime\n)\n```\n\n### References\n* https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897\n* https://github.com/http4s/http4s/issues/3681\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s](https://github.com/http4s/http4s/issues/new)\n* Contact a maintainer privately per [http4s' security policy](https://github.com/http4s/http4s/blob/master/SECURITY.md#reporting-a-vulnerability)",
   "affected_packages": [
-    {
-      "package": {
-        "type": "maven",
-        "namespace": "org.http4s",
-        "name": "http4s-async-http-client_2.13",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:maven/<0.21.8",
-      "fixed_version_range": "vers:maven/0.21.8",
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
-    },
     {
       "package": {
         "type": "maven",
@@ -27,20 +13,6 @@
         "subpath": ""
       },
       "affected_version_range": "vers:maven/<=0.21.7",
-      "fixed_version_range": null,
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
-    },
-    {
-      "package": {
-        "type": "maven",
-        "namespace": "org.http4s",
-        "name": "http4s-async-http-client_2.12",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:maven/<0.21.8",
       "fixed_version_range": "vers:maven/0.21.8",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": []
@@ -55,7 +27,7 @@
         "subpath": ""
       },
       "affected_version_range": "vers:maven/<=0.21.7",
-      "fixed_version_range": null,
+      "fixed_version_range": "vers:maven/0.21.8",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": []
     }

vulnerabilities/tests/test_data/osv_test/oss-fuzz/oss-fuzz-expected-3.json

@@ -12,7 +12,7 @@
         "qualifiers": "",
         "subpath": ""
       },
-      "affected_version_range": null,
+      "affected_version_range": "vers:generic/4.11.0|5.0.0-alpha",
       "fixed_version_range": null,
       "introduced_by_commit_patches": [
         {
@@ -36,20 +36,6 @@
           "patch_checksum": null
         }
       ]
-    },
-    {
-      "package": {
-        "type": "generic",
-        "namespace": "",
-        "name": "opencv",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:generic/4.11.0|5.0.0-alpha",
-      "fixed_version_range": null,
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
     }
   ],
   "references_v2": [

vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-2.json

@@ -14,7 +14,7 @@
         "qualifiers": "",
         "subpath": ""
       },
-      "affected_version_range": "vers:pypi/<2.3.0",
+      "affected_version_range": "vers:pypi/0.0.1|0.0.2|0.0.3|0.1.0|0.2.0|0.2.1|0.3.0|0.3.1|0.3.2|0.4.0|0.4.1|0.4.2|0.4.3|0.5.0|0.5.1|0.5.2|0.5.3|0.5.4|0.6.0|0.7.0|1.0.0|1.0.1|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.2.2|1.3.3|1.4.1|1.5.1|1.6.0|1.7.0|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.1.0|2.2.0a0|2.2.0|2.2.1|2.2.2|2.2.3",
       "fixed_version_range": "vers:pypi/2.3.0",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": [
@@ -25,20 +25,6 @@
           "patch_checksum": null
         }
       ]
-    },
-    {
-      "package": {
-        "type": "pypi",
-        "namespace": "",
-        "name": "djoser",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:pypi/0.0.1|0.0.2|0.0.3|0.1.0|0.2.0|0.2.1|0.3.0|0.3.1|0.3.2|0.4.0|0.4.1|0.4.2|0.4.3|0.5.0|0.5.1|0.5.2|0.5.3|0.5.4|0.6.0|0.7.0|1.0.0|1.0.1|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.2.2|1.3.3|1.4.1|1.5.1|1.6.0|1.7.0|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.1.0|2.2.0a0|2.2.0|2.2.1|2.2.2|2.2.3",
-      "fixed_version_range": null,
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
     }
   ],
   "references_v2": [

vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-3.json

@@ -15,7 +15,7 @@
         "qualifiers": "",
         "subpath": ""
       },
-      "affected_version_range": "vers:pypi/<3.9.2",
+      "affected_version_range": "vers:pypi/0.1|0.2|0.3|0.4|0.4.1|0.4.2|0.4.3|0.4.4|0.5.0|0.6.0|0.6.1|0.6.2|0.6.3|0.6.4|0.6.5|0.7.0|0.7.1|0.7.2|0.7.3|0.8.0|0.8.1|0.8.2|0.8.3|0.8.4|0.9.0|0.9.1|0.9.2|0.9.3|0.10.0|0.10.1|0.10.2|0.11.0|0.12.0|0.13.0|0.13.1|0.14.0|0.14.1|0.14.2|0.14.3|0.14.4|0.15.0|0.15.1|0.15.2|0.15.3|0.16.0|0.16.1|0.16.2|0.16.3|0.16.4|0.16.5|0.16.6|0.17.0|0.17.1|0.17.2|0.17.3|0.17.4|0.18.0|0.18.1|0.18.2|0.18.3|0.18.4|0.19.0|0.20.0|0.20.1|0.20.2|0.21.0|0.21.1|0.21.2|0.21.4|0.21.5|0.21.6|0.22.0a0|0.22.0b0|0.22.0b1|0.22.0b2|0.22.0b3|0.22.0b4|0.22.0b5|0.22.0b6|0.22.0|0.22.1|0.22.2|0.22.3|0.22.4|0.22.5|1.0.0|1.0.1|1.0.2|1.0.3|1.0.5|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.1.6|1.2.0|1.3.0|1.3.1|1.3.2|1.3.3|1.3.4|1.3.5|2.0.0rc1|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.0.6|2.0.7|2.1.0|2.2.0|2.2.1|2.2.2|2.2.3|2.2.4|2.2.5|2.3.0a1|2.3.0a2|2.3.0a3|2.3.0a4|2.3.0|2.3.1a1|2.3.1|2.3.2b2|2.3.2b3|2.3.2|2.3.3|2.3.4|2.3.5|2.3.6|2.3.7|2.3.8|2.3.9|2.3.10|3.0.0b0|3.0.0b1|3.0.0b2|3.0.0b3|3.0.0b4|3.0.0|3.0.1|3.0.2|3.0.3|3.0.4|3.0.5|3.0.6|3.0.7|3.0.8|3.0.9|3.1.0|3.1.1|3.1.2|3.1.3|3.2.0|3.2.1|3.3.0a0|3.3.0|3.3.1|3.3.2a0|3.3.2|3.4.0a0|3.4.0a3|3.4.0b1|3.4.0b2|3.4.0|3.4.1|3.4.2|3.4.3|3.4.4|3.5.0a1|3.5.0b1|3.5.0b2|3.5.0b3|3.5.0|3.5.1|3.5.2|3.5.3|3.5.4|3.6.0a0|3.6.0a1|3.6.0a2|3.6.0a3|3.6.0a4|3.6.0a5|3.6.0a6|3.6.0a7|3.6.0a8|3.6.0a9|3.6.0a11|3.6.0a12|3.6.0b0|3.6.0|3.6.1b3|3.6.1b4|3.6.1|3.6.2a0|3.6.2a1|3.6.2a2|3.6.2|3.6.3|3.7.0b0|3.7.0b1|3.7.0|3.7.1|3.7.2|3.7.3|3.7.4|3.7.4.post0|3.8.0a7|3.8.0b0|3.8.0|3.8.1|3.8.2|3.8.3|3.8.4|3.8.5|3.8.6|3.9.0b0|3.9.0b1|3.9.0rc0|3.9.0|3.9.1",
       "fixed_version_range": "vers:pypi/3.9.2",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": [
@@ -26,20 +26,6 @@
           "patch_checksum": null
         }
       ]
-    },
-    {
-      "package": {
-        "type": "pypi",
-        "namespace": "",
-        "name": "aiohttp",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:pypi/0.1|0.2|0.3|0.4|0.4.1|0.4.2|0.4.3|0.4.4|0.5.0|0.6.0|0.6.1|0.6.2|0.6.3|0.6.4|0.6.5|0.7.0|0.7.1|0.7.2|0.7.3|0.8.0|0.8.1|0.8.2|0.8.3|0.8.4|0.9.0|0.9.1|0.9.2|0.9.3|0.10.0|0.10.1|0.10.2|0.11.0|0.12.0|0.13.0|0.13.1|0.14.0|0.14.1|0.14.2|0.14.3|0.14.4|0.15.0|0.15.1|0.15.2|0.15.3|0.16.0|0.16.1|0.16.2|0.16.3|0.16.4|0.16.5|0.16.6|0.17.0|0.17.1|0.17.2|0.17.3|0.17.4|0.18.0|0.18.1|0.18.2|0.18.3|0.18.4|0.19.0|0.20.0|0.20.1|0.20.2|0.21.0|0.21.1|0.21.2|0.21.4|0.21.5|0.21.6|0.22.0a0|0.22.0b0|0.22.0b1|0.22.0b2|0.22.0b3|0.22.0b4|0.22.0b5|0.22.0b6|0.22.0|0.22.1|0.22.2|0.22.3|0.22.4|0.22.5|1.0.0|1.0.1|1.0.2|1.0.3|1.0.5|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.1.6|1.2.0|1.3.0|1.3.1|1.3.2|1.3.3|1.3.4|1.3.5|2.0.0rc1|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.0.6|2.0.7|2.1.0|2.2.0|2.2.1|2.2.2|2.2.3|2.2.4|2.2.5|2.3.0a1|2.3.0a2|2.3.0a3|2.3.0a4|2.3.0|2.3.1a1|2.3.1|2.3.2b2|2.3.2b3|2.3.2|2.3.3|2.3.4|2.3.5|2.3.6|2.3.7|2.3.8|2.3.9|2.3.10|3.0.0b0|3.0.0b1|3.0.0b2|3.0.0b3|3.0.0b4|3.0.0|3.0.1|3.0.2|3.0.3|3.0.4|3.0.5|3.0.6|3.0.7|3.0.8|3.0.9|3.1.0|3.1.1|3.1.2|3.1.3|3.2.0|3.2.1|3.3.0a0|3.3.0|3.3.1|3.3.2a0|3.3.2|3.4.0a0|3.4.0a3|3.4.0b1|3.4.0b2|3.4.0|3.4.1|3.4.2|3.4.3|3.4.4|3.5.0a1|3.5.0b1|3.5.0b2|3.5.0b3|3.5.0|3.5.1|3.5.2|3.5.3|3.5.4|3.6.0a0|3.6.0a1|3.6.0a2|3.6.0a3|3.6.0a4|3.6.0a5|3.6.0a6|3.6.0a7|3.6.0a8|3.6.0a9|3.6.0a11|3.6.0a12|3.6.0b0|3.6.0|3.6.1b3|3.6.1b4|3.6.1|3.6.2a0|3.6.2a1|3.6.2a2|3.6.2|3.6.3|3.7.0b0|3.7.0b1|3.7.0|3.7.1|3.7.2|3.7.3|3.7.4|3.7.4.post0|3.8.0a7|3.8.0b0|3.8.0|3.8.1|3.8.2|3.8.3|3.8.4|3.8.5|3.8.6|3.9.0b0|3.9.0b1|3.9.0rc0|3.9.0|3.9.1",
-      "fixed_version_range": null,
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
     }
   ],
   "references_v2": [

vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-4.json

@@ -6,20 +6,6 @@
   ],
   "summary": "A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality.",
   "affected_packages": [
-    {
-      "package": {
-        "type": "pypi",
-        "namespace": "",
-        "name": "ansible-runner",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:pypi/>=2.0.0|<2.1.0",
-      "fixed_version_range": "vers:pypi/2.1.0",
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
-    },
     {
       "package": {
         "type": "pypi",
@@ -30,7 +16,7 @@
         "subpath": ""
       },
       "affected_version_range": "vers:pypi/2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.1.0.0a1|2.1.0.0a2|2.1.0.0b1",
-      "fixed_version_range": null,
+      "fixed_version_range": "vers:pypi/2.1.0",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": []
     }

vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-5.json

@@ -15,7 +15,7 @@
         "qualifiers": "",
         "subpath": ""
       },
-      "affected_version_range": null,
+      "affected_version_range": "vers:pypi/1.9a2|1.9a5|1.9a6|2.0|2.0.1|2.1.0|2.2|2.3|2.4|2.4.1|2.5|2.6|2.6.1",
       "fixed_version_range": null,
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": [
@@ -26,20 +26,6 @@
           "patch_checksum": null
         }
       ]
-    },
-    {
-      "package": {
-        "type": "pypi",
-        "namespace": "",
-        "name": "pycrypto",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
-      },
-      "affected_version_range": "vers:pypi/1.9a2|1.9a5|1.9a6|2.0|2.0.1|2.1.0|2.2|2.3|2.4|2.4.1|2.5|2.6|2.6.1",
-      "fixed_version_range": null,
-      "introduced_by_commit_patches": [],
-      "fixed_by_commit_patches": []
     }
   ],
   "references_v2": [