ossf / malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Apache License 2.0

Ranges on MAL-2023-8697 not updated to reflect GHSA #458

Closed oliverchang closed 4 months ago

oliverchang commented 4 months ago

https://github.com/ossf/malicious-packages/blob/cb2451689cd5b89457d1e135c8bfe538d8252dc0/osv/malicious/npm/%40ledgerhq/connect-kit/MAL-2023-8697.json#L9 doesn't seem to have updated to reflect the new ranges on https://github.com/advisories/GHSA-g9hp-hq3h-h6hx, which now constrains the range to >= 1.1.5, <= 1.1.7.

It seems like either (or both):

calebbrown commented 4 months ago

The second case is definitely true. convert_ghsa.py in ossf/osv-schema doesn't support last_affected.

From tools/ghsa/convert_ghsa.py:

            if ghsa_range.upper:
                if ghsa_range.upper.operator == '<=':
                    if first_patched:
                        current_events.append({'fixed': first_patched})

                    # OSV ranges only allow < and not <=. If there is no patch, then all
                    # versions from beginning of time are affected.

I will create a PR on that repo with a fix.
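An added example of the conversion this thread is about (it is not code from ossf/osv-schema or from ossf/malicious-packages). GHSA writes an inclusive upper bound as `<= 1.1.7`; OSV ranges are lists of events with no `<=` operator, so an inclusive bound has to become a `last_affected` event, while an exclusive bound (`< X`) becomes `fixed`. The block contrasts that with the behaviour of the quoted snippet, which emits a `fixed` event only when GHSA also supplies a first patched version and otherwise drops the bound, leaving the range open-ended. Assumptions made here: the input is the range string as GitHub renders it (`>= 1.1.5, <= 1.1.7`), versions are plain dotted integers with no pre-release tags, the lower-bound handling of the old converter (not in the quoted lines) is the same as the fixed one, and all function names are invented for this example.

```python
"""Added example, not project code: GHSA version range -> OSV range events.

Assumptions: GitHub-rendered range strings (">= 1.1.5, <= 1.1.7"), plain
dotted-integer versions, and invented function names.
"""
from __future__ import annotations

import re

# One range component: operator followed by a version. ">=" and "<=" are
# listed before ">" and "<" so the two-character operators win.
_COMPONENT = re.compile(r"\s*(>=|<=|<|>)\s*([0-9][0-9A-Za-z.+-]*)\s*")


def parse_ghsa_range(text: str) -> list[tuple[str, str]]:
    """'>= 1.1.5, <= 1.1.7' -> [('>=', '1.1.5'), ('<=', '1.1.7')]."""
    parts = []
    for piece in text.split(","):
        m = _COMPONENT.fullmatch(piece)
        if not m:
            raise ValueError(f"unrecognised range component: {piece!r}")
        parts.append((m.group(1), m.group(2)))
    return parts


def ghsa_range_to_osv_events(text: str) -> list[dict[str, str]]:
    """Fixed behaviour: an inclusive upper bound becomes 'last_affected'."""
    introduced = "0"  # OSV convention: affected from the first version unless told otherwise
    upper: dict[str, str] | None = None
    for op, version in parse_ghsa_range(text):
        if op == ">=":
            introduced = version
        elif op == "<":
            upper = {"fixed": version}
        elif op == "<=":
            upper = {"last_affected": version}
        else:  # a strict '>' lower bound has no lossless OSV event; refuse rather than guess
            raise ValueError(f"cannot express {op} {version} as OSV events")
    events = [{"introduced": introduced}]
    if upper is not None:
        events.append(upper)
    return events


def snippet_style_osv_events(text: str, first_patched: str | None) -> list[dict[str, str]]:
    """Behaviour of the quoted convert_ghsa.py logic before the fix.

    A '<=' bound is emitted as 'fixed' only when GHSA also gives a first
    patched version; otherwise the bound is silently dropped and the range
    stays open-ended. Lower-bound handling is assumed (not in the quoted lines).
    """
    introduced = "0"
    upper: dict[str, str] | None = None
    for op, version in parse_ghsa_range(text):
        if op == ">=":
            introduced = version
        elif op == "<=" and first_patched:
            upper = {"fixed": first_patched}
    events = [{"introduced": introduced}]
    if upper is not None:
        events.append(upper)
    return events


def _vkey(version: str) -> tuple[int, ...]:
    """Comparison key for plain dotted-integer versions (assumption: no tags)."""
    return tuple(int(p) for p in version.split("."))


def is_affected(version: str, events: list[dict[str, str]]) -> bool:
    """Evaluate OSV events, given in ascending order, for one version.

    'introduced' switches the affected state on at that version, 'fixed'
    switches it off from that version, 'last_affected' switches it off for
    every later version.
    """
    v = _vkey(version)
    affected = False
    for ev in events:
        if "introduced" in ev and _vkey(ev["introduced"]) <= v:
            affected = True
        if "fixed" in ev and _vkey(ev["fixed"]) <= v:
            affected = False
        if "last_affected" in ev and _vkey(ev["last_affected"]) < v:
            affected = False
    return affected


if __name__ == "__main__":
    ghsa = ">= 1.1.5, <= 1.1.7"  # the range quoted from GHSA-g9hp-hq3h-h6hx in the issue
    good = ghsa_range_to_osv_events(ghsa)
    bad = snippet_style_osv_events(ghsa, first_patched=None)
    print("fixed converter:", good)
    print("old converter:  ", bad)
    for ver in ("1.1.4", "1.1.5", "1.1.7", "1.1.8"):
        print(ver, "affected? fixed:", is_affected(ver, good), "old:", is_affected(ver, bad))
```

The OSV schema forbids mixing `fixed` and `last_affected` in one range, which is why the converter keeps a single upper event per range; with the old logic and no first patched version, 1.1.8 and everything after it evaluate as affected, which is the over-broad range this issue reports.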

calebbrown commented 4 months ago

See https://github.com/ossf/osv-schema/pull/239