google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

Commit analysis crashes on orphaned commits #2646

Open andrewpollock opened 6 days ago

andrewpollock commented 6 days ago

https://github.com/google/osv.dev/blob/v2024.09.18/osv/impact.py

Traceback (most recent call last):
  File "/usr/local/bin/worker.py", line 578, in _do_process_task
    self._source_update(message)
  File "/usr/local/bin/worker.py", line 410, in _source_update
    self._do_update(source_repo, repo, vulnerability, path, original_sha256)
  File "/usr/local/bin/worker.py", line 498, in _do_update
    result = self._analyze_vulnerability(source_repo, repo, vulnerability,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/bin/worker.py", line 463, in _analyze_vulnerability
    result = osv.analyze(
             ^^^^^^^^^^^^
  File "/env/osv/impact.py", line 672, in analyze
    _analyze_git_ranges(repo_analyzer, checkout_path, affected_range,
  File "/env/osv/impact.py", line 584, in _analyze_git_ranges
    result = repo_analyzer.get_affected(package_repo, all_introduced,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/env/osv/impact.py", line 134, in get_affected
    affected_commits, affected_ranges, tags = self._get_affected_range(
                                              ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/env/osv/impact.py", line 228, in _get_affected_range
    equivalent_last_affected_commit = self._get_equivalent_commit(
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/env/osv/impact.py", line 286, in _get_equivalent_commit
    target_patch_id = repo.diff(target.parents[0], target).patchid
                                ~~~~~~~~~~~~~~^^^
IndexError: list index out of range

Example:

https://cve-osv-conversion.storage.googleapis.com/osv-output/CVE-2023-43879.json:

{
  "id": "CVE-2023-43879",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
    }
  ],
  "details": "Rite CMS 3.0 has a Cross-Site scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload into the Global Content Blocks in the Administration Menu.",
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/handylulu/ritecms",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "08b728627d6d6c78a6b0061aa80d0bdca374933f"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/sromanhu/RiteCMS-Stored-XSS---GlobalContent/tree/main"
    }
  ],
  "modified": "2024-09-23T19:35:12Z",
  "published": "2023-09-28T15:15:12Z"
}

Note the lack of any parent commit here:

$ git cat-file -p 08b728627d6d6c78a6b0061aa80d0bdca374933f
tree a401d0d54ba50b31c88ae8def799a16b3ec00433
author Lucas Zhuang <lucas@ritecms.com> 1615006291 -0500
committer Lucas Zhuang <lucas@ritecms.com> 1615006291 -0500

RiteCMS 3.0.0