search

google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.54k stars 188 forks source link

Impact analysis - Multiple ranges not handled for GIT range #1938

Open RomainLefeuvre opened 9 months ago

RomainLefeuvre commented 9 months ago

Describe the bug Multiple ranges on the same branch are not handled for GIT type.

I created a toy example based on the "multiple range example" : https://ossf.github.io/osv-schema/#multiple-range-example. In order to avoid recreating a toy repository we will reuse the one that we created for the previous issue : https://github.com/RomainLefeuvre/osv_issue_minimal_example with the following git history : image

And this range of events :

"events": [
              {
                "introduced": "d241812d2722d573a7b096d44d139946d8dcb484"  [X]
              },         
              {
                "fixed": "ec5e313170f68d3fc575d107a8b92d43ae140249"        [B]
              },
              {
                "introduced": "868d891cffe96cd67b2abac82c62ade7219af9b5"   [C]
              },         
              {
                "fixed": "80f15009d903ac95ffc5a5a07a3a213e4980bb62"      [Y]
              }
            ]
          }

https://github.com/google/osv.dev/commit/b22dc07d42b3117269aa6126238ffba086a2c255

To Reproduce Steps to reproduce the behaviour:

  1. clone https://github.com/RomainLefeuvre/osv.dev
  2. setup your python virtualenv as described in the osv documentation
  3. from the root level of the repo, execute python -m osv.analyze_tool --detect_cherrypicks true --format json "./osv/osv_bug/vuln_2.json"

Result

❯ python -m  osv.analyze_tool --format json --detect_cherrypicks true "./osv/osv_bug/vuln_2.json"
AnalyzeResult(has_changes=False, commits={'d241812d2722d573a7b096d44d139946d8dcb484', 'e54222cfdedd86a37dc37d999ebc63dccf3fc9da'})

The following commits are detected

Expected behaviour C and D should also be reported as vulnerable

another-rex commented 9 months ago

Thanks for the clear bug report!

github-actions[bot] commented 3 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.