AppThreat / vulnerability-db

Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.0, purl, and vers.
MIT License

[v6] Test OSV data to vers conversion #105

Closed prabhu closed 6 months ago

prabhu commented 6 months ago

Once the CVE schema branch is merged, we need to test the vers conversion logic against the OSV data to reduce any precision loss in transformation.

https://github.com/AppThreat/vulnerability-db/tree/feature/store5

Test scenarios

cerrussell commented 6 months ago

Queries to test each condition:

  1. SELECT COUNT(*) FROM main.cve_data WHERE type == 'maven' and namespace IS NULL
  2. SELECT COUNT(*) FROM main.cve_data WHERE (type == 'nuget' OR type == 'golang') and namespace IS NOT NULL
  3. No test is needed as NULL is allowed as a value...?
  4. SELECT COUNT(*) FROM main.cve_data WHERE name LIKE 'github.com%' AND type != 'go'
  5. SELECT COUNT(*) FROM main.cve_data WHERE namespace LIKE 'github.com%' AND type != 'swift' AND type != 'generic'
  6. SELECT COUNT(*) FROM main.cve_data WHERE type GLOB '*[A-Z]*' OR namespace GLOB '*[A-Z]*' OR name GLOB '*[A-Z]*' OR source_data GLOB '*[A-Z]*'

In order to pass the test, we would want zero records to be returned for all of these. Unfortunately, that was not the case for any of them.
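The six conditions above, run as an offline self-check. This is an added example, not code from the vulnerability-db project or from this thread: it assumes only that `cve_data` has the four columns the queries reference (`type`, `namespace`, `name`, `source_data`), builds an in-memory SQLite table from constructed rows (not real vulnerability records), and reports the offending-row count per scenario. Two deliberate departures from the queries as posted: check 4 compares against `'golang'` rather than `'go'`, and check 6 uses `GLOB` instead of `LIKE`, because SQLite's `LIKE` has no `[A-Z]` character class (the pattern `'%[A-Z]%'` only matches the literal text `[A-Z]`) and is case-insensitive for ASCII anyway. `source_data` is left out of check 6 since the raw JSON legitimately carries mixed case; a separate function shows how many rows it would flag.

```python
import sqlite3

# Rows that satisfy every check (constructed sample data, not real vulnerability-db records).
OK_ROWS = [
    ("maven", "org.apache.logging.log4j", "log4j-core", '{"ecosystem": "Maven"}'),
    ("golang", None, "github.com/gin-gonic/gin", '{"ecosystem": "Go"}'),  # host stays in name
    ("nuget", None, "newtonsoft.json", '{"ecosystem": "NuGet"}'),
    ("swift", "github.com/apple", "swift-nio", '{"ecosystem": "SwiftURL"}'),  # swift may carry a github.com namespace
]

# Rows that each violate at least one check (constructed).
BAD_ROWS = [
    ("maven", None, "log4j-core", '{"ecosystem": "Maven"}'),           # check 1: maven with no namespace
    ("golang", "github.com/gin-gonic", "gin", '{"ecosystem": "Go"}'),  # checks 2 and 5: golang split into a namespace
    ("npm", None, "github.com/foo/bar", '{"ecosystem": "npm"}'),       # check 4: github.com name on a non-golang type
    ("generic", "github.com/ImageMagick", "imagemagick", "{}"),        # check 6: uppercase in namespace
    ("pypi", None, "Django", '{"ecosystem": "PyPI"}'),                 # check 6: uppercase in name
]

# Conditions keyed by scenario number (scenario 3 has no query: NULL is allowed there).
# Check 4 uses 'golang', the purl type actually stored, not 'go'.
# Check 6 uses GLOB because SQLite's LIKE has no [A-Z] class and ignores ASCII case.
# source_data is excluded from check 6: the raw JSON legitimately contains mixed case.
CHECKS = {
    1: "SELECT COUNT(*) FROM cve_data WHERE type = 'maven' AND namespace IS NULL",
    2: "SELECT COUNT(*) FROM cve_data WHERE type IN ('nuget', 'golang') AND namespace IS NOT NULL",
    4: "SELECT COUNT(*) FROM cve_data WHERE name LIKE 'github.com%' AND type != 'golang'",
    5: "SELECT COUNT(*) FROM cve_data WHERE namespace LIKE 'github.com%' AND type NOT IN ('swift', 'generic')",
    6: "SELECT COUNT(*) FROM cve_data WHERE type GLOB '*[A-Z]*' OR namespace GLOB '*[A-Z]*' OR name GLOB '*[A-Z]*'",
}


def build_db(rows):
    """Create an in-memory cve_data table with the four columns the queries reference."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cve_data (type TEXT, namespace TEXT, name TEXT, source_data TEXT)")
    conn.executemany("INSERT INTO cve_data VALUES (?, ?, ?, ?)", rows)
    return conn


def run_checks(conn):
    """Return {scenario_number: offending_row_count}; every value is 0 on a clean build."""
    return {num: conn.execute(sql).fetchone()[0] for num, sql in CHECKS.items()}


def failing_checks(conn):
    """Scenario numbers whose offending-row count is non-zero."""
    return sorted(num for num, count in run_checks(conn).items() if count)


def like_vs_glob(conn):
    """(LIKE hits, GLOB hits) on name: LIKE '%[A-Z]%' finds nothing, GLOB finds the uppercase rows."""
    like_hits = conn.execute("SELECT COUNT(*) FROM cve_data WHERE name LIKE '%[A-Z]%'").fetchone()[0]
    glob_hits = conn.execute("SELECT COUNT(*) FROM cve_data WHERE name GLOB '*[A-Z]*'").fetchone()[0]
    return like_hits, glob_hits


def uppercase_in_source_data(conn):
    """Rows check 6 would flag if source_data were included: most of them, hence the exclusion."""
    return conn.execute("SELECT COUNT(*) FROM cve_data WHERE source_data GLOB '*[A-Z]*'").fetchone()[0]


if __name__ == "__main__":
    conn = build_db(OK_ROWS + BAD_ROWS)
    for num, count in run_checks(conn).items():
        print(f"check {num}: {count} offending row(s)")
    print("failing checks:", failing_checks(conn))
    print("LIKE vs GLOB hits on name:", like_vs_glob(conn))
    print("rows with uppercase in source_data:", uppercase_in_source_data(conn))
```

To run the same checks against a real build, point `sqlite3.connect()` at the database file and drop the `build_db` step; the `CHECKS` dictionary and `failing_checks()` work unchanged on any table with those four columns.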

prabhu commented 6 months ago

@cerrussell are you building the database with --cache --only-osv?

cerrussell commented 6 months ago

@prabhu I built with --cache. If I do --cache-os, it takes an hour to build.

prabhu commented 6 months ago

This is good. Will take a look at the issues tomorrow and get them to pass at least for osv.

cerrussell commented 6 months ago

@prabhu I will try osv only...

prabhu commented 6 months ago

> @prabhu I will try osv only...

Please use the latest master

prabhu commented 6 months ago

@cerrussell 4 is fine since it has a typo. Must be != 'golang'

prabhu commented 6 months ago

6 is also fine since the source_data json has some camel cases and upper cases which cannot be changed.