bitnami / vulndb

The Bitnami Vulnerability Database
Apache License 2.0

OSV Schema violation for BIT-prestashop-2023-39527 #475

Closed andrewpollock closed 2 months ago

andrewpollock commented 2 months ago

Title

BIT-prestashop-2023-39527

What steps will reproduce the bug?

$ git clone https://github.com/ossf/osv-schema
$ git clone https://github.com/bitnami/vulndb.git
$ go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest

$ ~/go/bin/jv osv-schema/validation/schema.json vulndb/data/prestashop/BIT-prestashop-2023-39527.json
schema /usr/local/google/home/apollock/gosst/osv/osv-schema/validation/schema.json: ok

instance vulndb/data/prestashop/BIT-prestashop-2023-39527.json: failed
jsonschema validation failed with 'file:///usr/local/google/home/apollock/gosst/osv/osv-schema/validation/schema.json#'
- at '/affected/0/ranges/0': allOf failed
  - at '/affected/0/ranges/0': not failed

What is the expected behavior?

The record passes schema validation

What do you see instead?

The record does not pass schema validation

Additional information

I believe that instead of:

      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.5"
            },
            {
              "introduced": "8.1.0"
            },
            {
              "last_affected": "8.1.0"
            }
          ]
        }
      ]

it should be:

      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.5"
            }
          ]
        },
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "8.1.0"
            },
            {
              "last_affected": "8.1.0"
            }
          ]
        }
      ]

That is, there should be two distinct range objects in the ranges array so that the events array has only one introduced and fixed or last_affected object per events array.
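The rule that jv is enforcing at /affected/0/ranges/0, as an added example that is not part of this issue, of osv-schema, or of the bitnami/vulndb tooling: a small Python check that flags any range whose events mix fixed and last_affected, reports the path in the same form jv prints, and splits such a flattened range into one range per introduced event. SAMPLE_RECORD wraps the ranges array quoted above in a minimal record and is constructed for this example; the function names are assumptions of the example.

```python
"""Added example (not bitnami/vulndb or osv-schema code): enforce the OSV
range rule that tripped jv above and repair records that break it."""
import json
from typing import Dict, List

EVENT_KEYS = {"introduced", "fixed", "last_affected", "limit"}
MIX_PROBLEM = "range mixes 'fixed' and 'last_affected' events"

# Constructed sample record: the flattened ranges array quoted in the issue,
# wrapped in just enough of an OSV record to give the problem a path.
SAMPLE_RECORD = {
    "id": "BIT-prestashop-2023-39527",
    "affected": [
        {
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {"introduced": "8.0.0"},
                        {"fixed": "8.0.5"},
                        {"introduced": "8.1.0"},
                        {"last_affected": "8.1.0"},
                    ],
                }
            ]
        }
    ],
}


def event_kinds(rng: dict) -> List[str]:
    """Return the event key of each event in a range, in order.
    Raises ValueError for an event that is not exactly one known key."""
    kinds = []
    for i, ev in enumerate(rng.get("events", [])):
        keys = set(ev)
        if len(keys) != 1 or not keys <= EVENT_KEYS:
            raise ValueError(f"event {i} must have exactly one of {sorted(EVENT_KEYS)}")
        kinds.append(next(iter(keys)))
    return kinds


def range_problems(rng: dict) -> List[str]:
    """Problems with one range object, mirroring the schema's allOf/not rule."""
    try:
        kinds = event_kinds(rng)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "introduced" not in kinds:
        problems.append("range has no 'introduced' event")
    if "fixed" in kinds and "last_affected" in kinds:
        problems.append(MIX_PROBLEM)
    return problems


def check_record(record: dict) -> Dict[str, List[str]]:
    """Map JSON-pointer-style paths (as jv prints them) to the problems found."""
    found = {}
    for a, affected in enumerate(record.get("affected", [])):
        for r, rng in enumerate(affected.get("ranges", [])):
            problems = range_problems(rng)
            if problems:
                found[f"/affected/{a}/ranges/{r}"] = problems
    return found


def split_range(rng: dict) -> List[dict]:
    """Split one range into one range per 'introduced' event, carrying the
    other range fields (type, repo, ...) onto every piece."""
    pieces = []
    for ev in rng.get("events", []):
        if "introduced" in ev:
            piece = {k: v for k, v in rng.items() if k != "events"}
            piece["events"] = [ev]
            pieces.append(piece)
        elif not pieces:
            raise ValueError("event precedes the first 'introduced' event")
        else:
            pieces[-1]["events"].append(ev)
    return pieces


def repair_record(record: dict) -> dict:
    """Return a copy in which only the ranges that mix fixed/last_affected are
    split. OSV permits several introduced/fixed pairs in one range, so a range
    that does not mix the two event kinds is left as it is."""
    fixed = json.loads(json.dumps(record))  # deep copy; the input is not modified
    for affected in fixed.get("affected", []):
        new_ranges = []
        for rng in affected.get("ranges", []):
            if MIX_PROBLEM in range_problems(rng):
                new_ranges.extend(split_range(rng))
            else:
                new_ranges.append(rng)
        affected["ranges"] = new_ranges
    return fixed


if __name__ == "__main__":
    print(check_record(SAMPLE_RECORD))
    repaired = repair_record(SAMPLE_RECORD)
    print(json.dumps(repaired["affected"][0]["ranges"], indent=2))
    print(check_record(repaired))
```

This covers only the rule that fired in the jv output above; a full check of a record against the schema should still go through jv (or another JSON Schema validator) as in the reproduction steps. The repair step is deliberately narrow: it splits a range only when fixed and last_affected share it, because a range holding several introduced/fixed pairs is valid OSV and must not be rewritten.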

gongomgra commented 2 months ago

Hi @andrewpollock,

Thanks for pointing this out. We flattened the events array due to issue/180. Can you confirm those changes are no longer needed? I have checked locally that the validation is not working on our side either, but we are failing to detect the error for some reason. I will work on this.

gongomgra commented 2 months ago

@andrewpollock sorry, I have checked the schema and I have understood what the issue is with the CVEs above: we were mixing fixed and last_affected values in the same range, right?

gongomgra commented 2 months ago

We have updated the Prestashop records in our database to solve this issue. Please check pr/484 for further details.

gongomgra commented 2 months ago

@andrewpollock sorry, I closed both tickets by mistake. Can you confirm the validation success on your end now for the updated files?

andrewpollock commented 2 months ago

I can confirm this now passes validation:

$ ~/go/bin/jv osv-schema/validation/schema.json vulndb/data/prestashop/BIT-prestashop-2023-39527.json
schema osv-schema/validation/schema.json: ok

instance vulndb/data/prestashop/BIT-prestashop-2023-39527.json: ok