Is your feature request related to a problem? Please describe.
There is an opportunity to infer the `introduced` and `fixed` versions from a CVE's reference when it contains a URL like https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0
Describe the solution you'd like
Today, osv.dev/vulnfeeds/cves/versions.go (lines 808 to 814 in 068dfb2):

```go
func ExtractVersionInfo(cve CVE, validVersions []string) (v VersionInfo, notes []string) {
	for _, reference := range cve.References {
		// (Potentially faulty) Assumption: All viable Git commit reference links are fix commits.
		if commit, err := extractGitCommit(reference.Url, Fixed); err == nil {
			v.AffectedCommits = append(v.AffectedCommits, commit)
		}
	}
```

prefers to use any commit references as a `fixed` commit over extracting versions and then attempting to map those to a commit.
Potentially before osv.dev/vulnfeeds/cves/versions.go (lines 902 to 909 in 068dfb2):

```go
	if !gotVersions {
		var extractNotes []string
		v.AffectedVersions, extractNotes = extractVersionsFromDescription(validVersions, EnglishDescription(cve))
		notes = append(notes, extractNotes...)
		if len(v.AffectedVersions) > 0 {
			log.Printf("[%s] Extracted versions from description = %+v", cve.ID, v.AffectedVersions)
		}
	}
```

this could look for references like https://github.com/kovidgoyal/kitty/compare/v0.26.1...v0.26.2 and use this as an `introduced`..`fixed` version range.
Describe alternatives you've considered
I considered `last_affected` over `fixed`, but given we already make the other assumption about commit references being `fixed`, I figured we might as well double down on it here 😃
Additional context
This would help the likes of CVE-2024-21534 convert in an un-analyzed state.
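One way to implement the compare-URL inference proposed above, as an added Go example that is not code from osv.dev's vulnfeeds: `ParseCompareURL` and `RangeFromCompareURL` are hypothetical names, the version list is a constructed sample, and the result is mapped onto the same `validVersions` slice the existing `ExtractVersionInfo` already receives, returning a note instead of a range when the reference is not a compare link or one of its ends is not a known version.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParseCompareURL extracts base and head from https://github.com/<owner>/<repo>/compare/<base>...<head>;
// anything else returns ok=false so the caller can fall back to its existing heuristics.
func ParseCompareURL(raw string) (base, head string, ok bool) {
	u, err := url.Parse(raw)
	if err != nil || !strings.EqualFold(u.Hostname(), "github.com") {
		return "", "", false
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) != 4 || parts[2] != "compare" {
		return "", "", false
	}
	// The three-dot separator is what GitHub puts between base and head in compare links.
	base, head, ok = strings.Cut(parts[3], "...")
	if !ok || base == "" || head == "" || base == head {
		return "", "", false
	}
	return base, head, true
}

// RangeFromCompareURL turns a compare URL into an introduced..fixed pair drawn from
// validVersions (the known-version list the existing code already takes), accepting tags
// with or without a leading "v". A non-empty note means the reference was not usable.
func RangeFromCompareURL(raw string, validVersions []string) (introduced, fixed, note string) {
	base, head, ok := ParseCompareURL(raw)
	if !ok {
		return "", "", "not a GitHub compare URL: " + raw
	}
	known := make(map[string]string, 2*len(validVersions))
	for _, v := range validVersions {
		known[v], known["v"+v] = v, v // index both the bare version and its tag form
	}
	introduced, fixed = known[base], known[head]
	if introduced == "" || fixed == "" {
		return "", "", fmt.Sprintf("compare range %s...%s has an end not in known versions", base, head)
	}
	return introduced, fixed, ""
}

func main() {
	// Constructed sample version list, not real registry data.
	fmt.Println(RangeFromCompareURL("https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0", []string{"9.0.0", "10.0.0", "10.1.0"}))
}
```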