CloudSecurityAlliance / gsd-tools

Global Security Database Tools
https://gsd.id
Apache License 2.0

Fix GSD Bot creating multiple affected packages instead of using multiple ranges #180

Closed joshbuker closed 1 year ago

joshbuker commented 1 year ago

I just realized the code I wrote duplicates the package, when it could just append the SEMVER as a second range...

See: https://github.com/cloudsecurityalliance/gsd-database/blob/2dc70098c7265705d44622c81fab8fdf3eb57933/2023/1002xxx/GSD-2023-1002423.json

"affected": [
  {
    "package": {
      "name": "Kernel",
      "ecosystem": "Linux"
    },
    "ranges": [
      {
        "type": "GIT",
        "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
        "events": [
          {
            "introduced": "0"
          },
          {
            "limit": "ebc5e61b60e67cbc14cc54159d567456f7ec5fd8"
          }
        ]
      }
    ]
  },
  {
    "package": {
      "name": "Kernel",
      "ecosystem": "Linux"
    },
    "ranges": [
      {
        "type": "SEMVER",
        "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
        "events": [
          {
            "introduced": "0"
          },
          {
            "fixed": "6.2.5"
          }
        ]
      }
    ]
  }
]

Should be:

"affected": [
  {
    "package": {
      "name": "Kernel",
      "ecosystem": "Linux"
    },
    "ranges": [
      {
        "type": "GIT",
        "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
        "events": [
          {
            "introduced": "0"
          },
          {
            "limit": "ebc5e61b60e67cbc14cc54159d567456f7ec5fd8"
          }
        ]
      },
      {
        "type": "SEMVER",
        "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
        "events": [
          {
            "introduced": "0"
          },
          {
            "fixed": "6.2.5"
          }
        ]
      }
    ]
  }
]

Offending code: https://github.com/cloudsecurityalliance/gsd-tools/blob/main/gsd-bot/GSD/GSDRepo.py#L269

Should probably look more like:

# Append SEMVER to ranges
c["affected"][0]["ranges"].append({
    "type": "SEMVER",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/",
    "events": [{"introduced": issue_data["introduced_version"]}, {"fixed": issue_data["fixed_version"]}]
})

Except either check to make sure we're not duplicating, or use [1] = instead of .append() assuming python allows that.
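As an added illustration of the fix proposed above (example code, not gsd-bot's own), the helpers below attach a SEMVER range to the existing package entry instead of creating a second `affected` entry, skip exact-duplicate ranges, and collapse records that already carry the duplicated shape. The repo URL constant, the `KERNEL` package dict and the `DUPLICATED` input are constructed from the record quoted in the issue; the function names are assumptions.

```python
import json

# Assumed constant: the kernel repo URL used by both ranges in the issue.
KERNEL_REPO = "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/"


def semver_range(introduced, fixed, repo=KERNEL_REPO):
    """Build an OSV-style SEMVER range like the one the bot appends."""
    return {"type": "SEMVER", "repo": repo,
            "events": [{"introduced": introduced}, {"fixed": fixed}]}


def add_range(affected, package, new_range):
    """Attach new_range to the existing entry for `package`; create the entry
    only when no entry for that package exists, and skip exact duplicates."""
    for entry in affected:
        if entry["package"] == package:
            if new_range not in entry["ranges"]:
                entry["ranges"].append(new_range)
            return affected
    affected.append({"package": dict(package), "ranges": [new_range]})
    return affected


def merge_duplicate_packages(affected):
    """Collapse entries sharing a package into one entry holding all ranges."""
    merged = []
    for entry in affected:
        for rng in entry["ranges"]:
            add_range(merged, entry["package"], rng)
    return merged


# Constructed input reproducing the duplicated shape quoted in the issue.
KERNEL = {"name": "Kernel", "ecosystem": "Linux"}
DUPLICATED = [
    {"package": dict(KERNEL), "ranges": [{
        "type": "GIT", "repo": KERNEL_REPO,
        "events": [{"introduced": "0"},
                   {"limit": "ebc5e61b60e67cbc14cc54159d567456f7ec5fd8"}]}]},
    {"package": dict(KERNEL), "ranges": [semver_range("0", "6.2.5")]},
]

if __name__ == "__main__":
    fixed = merge_duplicate_packages(DUPLICATED)
    print(json.dumps({"affected": fixed}, indent=2))
```

Running the file prints a single `Kernel` entry whose `ranges` list holds the GIT range followed by the SEMVER range, matching the "Should be" form above.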