google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Impact analysis - Multiple ranges not handled for GIT range #1938

Open RomainLefeuvre opened 7 months ago

RomainLefeuvre commented 7 months ago

Describe the bug

Multiple ranges on the same branch are not handled for GIT type.

I created a toy example based on the "multiple range example": https://ossf.github.io/osv-schema/#multiple-range-example. In order to avoid recreating a toy repository we will reuse the one that we created for the previous issue: https://github.com/RomainLefeuvre/osv_issue_minimal_example with the following git history: [image]

And this range of events :

    "events": [
      {
        "introduced": "d241812d2722d573a7b096d44d139946d8dcb484"   [X]
      },
      {
        "fixed": "ec5e313170f68d3fc575d107a8b92d43ae140249"        [B]
      },
      {
        "introduced": "868d891cffe96cd67b2abac82c62ade7219af9b5"   [C]
      },
      {
        "fixed": "80f15009d903ac95ffc5a5a07a3a213e4980bb62"        [Y]
      }
    ]

https://github.com/google/osv.dev/commit/b22dc07d42b3117269aa6126238ffba086a2c255

To Reproduce

Steps to reproduce the behaviour:

  1. clone https://github.com/RomainLefeuvre/osv.dev
  2. setup your python virtualenv as described in the osv documentation
  3. from the root level of the repo, execute python -m osv.analyze_tool --detect_cherrypicks true --format json "./osv/osv_bug/vuln_2.json"

Result

❯ python -m  osv.analyze_tool --format json --detect_cherrypicks true "./osv/osv_bug/vuln_2.json"
AnalyzeResult(has_changes=False, commits={'d241812d2722d573a7b096d44d139946d8dcb484', 'e54222cfdedd86a37dc37d999ebc63dccf3fc9da'})

The following commits are detected

Expected behaviour

C and D should also be reported as vulnerable.
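The expected evaluation of a GIT range with two introduced/fixed pairs, as an added example that is not part of the report or of osv.dev's own code. It assumes a constructed linear history X, A, B, C, D, Y, Z standing in for the hashes above (a real evaluator would walk the commit graph), and applies the OSV rule that a commit is affected when it lies after an "introduced" event and before the matching "fixed" event.

```python
# Constructed linear history; the letters stand in for the commit hashes in the
# report (X and Y are the outer introduced/fixed pair, B and C the inner ones).
HISTORY = ["X", "A", "B", "C", "D", "Y", "Z"]

# The report's event list, rewritten with the same labels.
EVENTS = [
    {"introduced": "X"},
    {"fixed": "B"},
    {"introduced": "C"},
    {"fixed": "Y"},
]


def affected_commits(history, events):
    """Return the commits marked vulnerable by a GIT range on a linear history.

    Each 'introduced' opens a vulnerable window and the next 'fixed' closes it,
    so the affected set is the union of every [introduced, fixed) interval, not
    just the first one. 'fixed' is checked before 'introduced' so a commit that
    both fixes one window and opens the next is still counted as affected.
    """
    introduced = {e["introduced"] for e in events if "introduced" in e}
    fixed = {e["fixed"] for e in events if "fixed" in e}
    affected = []
    vulnerable = False
    for commit in history:
        if commit in fixed:
            vulnerable = False
        if commit in introduced:
            vulnerable = True
        if vulnerable:
            affected.append(commit)
    return affected


def is_affected(history, events, commit):
    """Convenience check for a single commit against the same range."""
    return commit in affected_commits(history, events)


if __name__ == "__main__":
    # X and A fall in the first window, C and D in the second; B, Y, Z are clean.
    print(affected_commits(HISTORY, EVENTS))
```

Only X and A would come back if the second introduced/fixed pair were ignored, which is the shape of the result shown in the report.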

another-rex commented 7 months ago

Thanks for the clear bug report!

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks