Description
Describe the bug
The OSV certifier seems to fully rely on the output of the OSV API to determine if a component represented by a purl is affected by a vulnerability.
It does not use the affected array present in OSV API responses to check if the requested version is in the versions list.
To Reproduce
Steps to reproduce the behavior:
1. `guacone collect files --add-vuln-on-ingest busybox.bom.json`

   busybox.bom.json:

   ```json
   {
     "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
     "bomFormat": "CycloneDX",
     "specVersion": "1.6",
     "serialNumber": "urn:uuid:7795645e-a7c9-4628-afa4-7de03f656e7f",
     "components": [
       {
         "type": "library",
         "name": "busybox",
         "version": "x86_64#1.36.1-r19",
         "bom-ref": "pkg:apk/alpine/busybox@1.36.1-r19?arch=x86_64&distro=alpine-3.19",
         "hashes": [
           {
             "alg": "SHA-1",
             "content": "093ec2d587acd18569b1196e9f59a15c119e685b"
           }
         ],
         "purl": "pkg:apk/alpine/busybox@1.36.1-r19?arch=x86_64&distro=alpine-3.19"
       }
     ]
   }
   ```

2. `guacone query vuln uri urn:uuid:7795645e-a7c9-4628-afa4-7de03f656e7f`

3. See false positive CVEs:

   ```
   +-------------+-----------+----------------------------------+
   | NODE TYPE   | NODE ID # | ADDITIONAL INFORMATION           |
   +-------------+-----------+----------------------------------+
   | certifyVuln | 27        | vulnerability ID: cve-2023-42363 |
   | certifyVuln | 28        | vulnerability ID: cve-2023-42364 |
   | certifyVuln | 29        | vulnerability ID: cve-2023-42365 |
   | certifyVuln | 30        | vulnerability ID: cve-2023-42366 |
   +-------------+-----------+----------------------------------+
   ```
Those vulnerabilities are fixed in version 1.36.1-r19 in Alpine 3.19, see OSV
GUAC version
Using version v0.13.2, running via guac-demo-compose.yaml.
Ingested document(s)
See reproduction above.
Additional context
Related Issue in OSV: google/osv.dev#3126
(OSV does not respect the distro qualifier when querying with a purl. Fixing this in OSV should also fix this issue, but checking the affected versions in the certifier could still be a good idea.)
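The certifier-side check suggested in the last sentence, as an added example in Go (this is not GUAC's or OSV's code). It takes the purl from the report, maps its distro qualifier to an OSV ecosystem label, and drops an OSV record when the record's affected[].versions entry for that ecosystem and package does not name the queried version. The parseApkPurl helper, the "alpine-3.19" to "Alpine:v3.19" mapping and the EXAMPLE-* records are assumptions constructed for this example; they are not real CVE data. Records that carry no explicit versions list (OSV may express affected versions only through ranges) are kept, so the filter only removes false positives it can prove from the response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Subset of the OSV vulnerability schema used by the check below: only
// id, affected[].package.{ecosystem,name} and affected[].versions.
type osvPackage struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
}

type osvAffected struct {
	Package  osvPackage `json:"package"`
	Versions []string   `json:"versions"`
}

type osvVuln struct {
	ID       string        `json:"id"`
	Affected []osvAffected `json:"affected"`
}

// purlTarget is what an OSV record is compared against.
type purlTarget struct {
	Ecosystem string // OSV ecosystem label, e.g. "Alpine:v3.19"
	Name      string
	Version   string
}

// parseApkPurl extracts name, version and an OSV ecosystem label from an apk
// purl such as pkg:apk/alpine/busybox@1.36.1-r19?arch=x86_64&distro=alpine-3.19.
// The distro -> ecosystem mapping ("alpine-3.19" -> "Alpine:v3.19") is an
// assumption of this example; GUAC does not provide such a helper.
func parseApkPurl(purl string) (purlTarget, error) {
	var t purlTarget
	body, query, _ := strings.Cut(purl, "?")
	if !strings.HasPrefix(body, "pkg:apk/") {
		return t, fmt.Errorf("not an apk purl: %q", purl)
	}
	// remainder is "<namespace>/<name>@<version>"
	_, nameVer, ok := strings.Cut(strings.TrimPrefix(body, "pkg:apk/"), "/")
	if !ok {
		return t, fmt.Errorf("missing namespace in %q", purl)
	}
	t.Name, t.Version, ok = strings.Cut(nameVer, "@")
	if !ok || t.Version == "" {
		return t, fmt.Errorf("missing version in %q", purl)
	}
	q, err := url.ParseQuery(query)
	if err != nil {
		return t, err
	}
	distro := q.Get("distro")
	if !strings.HasPrefix(distro, "alpine-") {
		return t, fmt.Errorf("unsupported or missing distro qualifier %q", distro)
	}
	t.Ecosystem = "Alpine:v" + strings.TrimPrefix(distro, "alpine-")
	return t, nil
}

// matchesExplicitVersions reports whether the record lists t.Version as
// affected for t's ecosystem and package. decided is false when no affected[]
// entry matches the ecosystem/package or the matching entries carry no
// explicit "versions" list (ranges are not evaluated here), so the caller can
// fall back to trusting the API result.
func matchesExplicitVersions(v osvVuln, t purlTarget) (affected, decided bool) {
	for _, a := range v.Affected {
		if a.Package.Ecosystem != t.Ecosystem || a.Package.Name != t.Name || len(a.Versions) == 0 {
			continue
		}
		decided = true
		for _, ver := range a.Versions {
			if ver == t.Version {
				return true, true
			}
		}
	}
	return false, decided
}

// filterFalsePositives returns the IDs of records that either name the
// queried version explicitly or cannot be decided from affected[].versions.
func filterFalsePositives(records []osvVuln, purl string) ([]string, error) {
	t, err := parseApkPurl(purl)
	if err != nil {
		return nil, err
	}
	var keep []string
	for _, r := range records {
		if aff, decided := matchesExplicitVersions(r, t); !decided || aff {
			keep = append(keep, r.ID)
		}
	}
	return keep, nil
}

// sampleOSVResponse is a constructed stand-in for an OSV query result, not
// real CVE data: EXAMPLE-1 lists 1.36.1-r19 only for Alpine:v3.18 (the
// distro-qualifier mix-up from the report), EXAMPLE-2 lists it for v3.19,
// EXAMPLE-3 has only a ranges entry and so cannot be decided here.
const sampleOSVResponse = `[
  {"id":"EXAMPLE-1","affected":[
    {"package":{"ecosystem":"Alpine:v3.18","name":"busybox"},"versions":["1.36.1-r18","1.36.1-r19"]},
    {"package":{"ecosystem":"Alpine:v3.19","name":"busybox"},"versions":["1.36.1-r15","1.36.1-r18"]}]},
  {"id":"EXAMPLE-2","affected":[
    {"package":{"ecosystem":"Alpine:v3.19","name":"busybox"},"versions":["1.36.1-r19"]}]},
  {"id":"EXAMPLE-3","affected":[
    {"package":{"ecosystem":"Alpine:v3.19","name":"busybox"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]}]}
]`

// checkReportPurl runs the filter for the purl from the bug report.
func checkReportPurl() ([]string, error) {
	var records []osvVuln
	if err := json.Unmarshal([]byte(sampleOSVResponse), &records); err != nil {
		return nil, err
	}
	return filterFalsePositives(records, "pkg:apk/alpine/busybox@1.36.1-r19?arch=x86_64&distro=alpine-3.19")
}

func main() {
	ids, err := checkReportPurl()
	if err != nil {
		panic(err)
	}
	fmt.Println(ids) // [EXAMPLE-2 EXAMPLE-3]
}
```

Only exact string matches against the versions list are used; no Alpine version ordering is attempted, which is why undecidable records are passed through rather than silently dropped.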
