Fix OSV to handle affected_packages correctly & add support to collect commits #2080
Open: ziadhany wants to merge 10 commits into aboutcode-org:main from ziadhany:osv-migration
Commits (10):
- 550912a Fix OSV to handle affected_packages correctly (ziadhany)
- 16f5710 Add more tests. (ziadhany)
- e6299bc Fix the test for osv pipelines (ziadhany)
- 665d6df Fix the test for osv pipelines (ziadhany)
- e747fc8 Update OSV migration file (ziadhany)
- 7116d55 Update OSV to simplify the affected/fixed package constraints (ziadhany)
- b6bf165 Avoid mixing explicit affected packages with last known affected rang… (ziadhany)
- d5ca5d2 Update OSV to catch error constraints correctly (ziadhany)
- 5190bef Add a test to ensure invalid versions are skipped (ziadhany)
- fa1dfa2 Add a test to ensure that OSS-Fuzz uses the explicit versions correctly (ziadhany)
vulnerabilities/migrations/0107_alter_advisoryseverity_scoring_elements.py (22 changes: 22 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Generated by Django 4.2.25 on 2025-12-24 07:04 | ||
|
|
||
| from django.db import migrations, models | ||
|
|
||
|
|
||
| class Migration(migrations.Migration): | ||
|
|
||
| dependencies = [ | ||
| ("vulnerabilities", "0106_alter_advisoryreference_url_and_more"), | ||
| ] | ||
|
|
||
| operations = [ | ||
| migrations.AlterField( | ||
| model_name="advisoryseverity", | ||
| name="scoring_elements", | ||
| field=models.CharField( | ||
| help_text="Supporting scoring elements used to compute the score values. For example a CVSS vector string as used to compute a CVSS score.", | ||
| max_length=200, | ||
| null=True, | ||
| ), | ||
| ), | ||
| ] |
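Review bot: this AlterField on `advisoryseverity.scoring_elements` does not show the previous `max_length`, so the hunk alone cannot tell a reviewer whether the column is being widened or narrowed; state the old value and the reason for the change in the PR description, because narrowing a CharField on PostgreSQL fails when existing rows exceed the new limit. Since `null=True` is kept and the fixtures in this PR carry both a CVSS v3.1 and a CVSS v4.0 vector, a test that stores the longest vector string from the test data and reads it back would document that 200 is sufficient, instead of leaving that to an inline question in review.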
vulnerabilities/tests/test_data/osv_test/github/github-1.json (84 changes: 84 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-2hjr-vmf3-xwvp", | ||
| "modified": "2024-07-26T14:18:08Z", | ||
| "published": "2024-07-26T06:30:47Z", | ||
| "aliases": [ | ||
| "CVE-2023-49921" | ||
| ], | ||
| "summary": "Elasticsearch Insertion of Sensitive Information into Log File", | ||
| "details": "An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.elasticsearch:elasticsearch" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "7.17.16" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.elasticsearch:elasticsearch" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "8.0.0" | ||
| }, | ||
| { | ||
| "fixed": "8.11.2" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49921" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/elastic/elasticsearch" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-532" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-07-26T14:18:08Z", | ||
| "nvd_published_at": "2024-07-26T05:15:10Z" | ||
| } | ||
| } |
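Review bot: this fixture has two `affected` entries for the same Maven package `org.elasticsearch:elasticsearch` with disjoint ECOSYSTEM ranges (`introduced: "0"` / `fixed: "7.17.16"` and `introduced: "8.0.0"` / `fixed: "8.11.2"`); the accompanying test should assert that both ranges survive into a single affected-package record for that package, that both fixed versions are collected, and that the `"0"` introduced sentinel is treated as "every earlier version" rather than stored as a literal version `0`. Neither entry carries `database_specific.last_known_affected_version_range`, so this is the clean counterpart to the github-2 fixture and the two should be asserted on separately.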
vulnerabilities/tests/test_data/osv_test/github/github-2.json (64 changes: 64 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-2jm2-2p35-rp3j", | ||
| "modified": "2025-11-19T21:55:33Z", | ||
| "published": "2025-11-19T21:00:37Z", | ||
| "aliases": [ | ||
| "CVE-2025-65103" | ||
| ], | ||
| "summary": "OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter", | ||
| "details": "### Summary\nAn authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.\n\n### Details\nThe vulnerability is located in the `retrieve()` method within `src/API/Manager.php`.\n\nUser input from the `display` GET parameter is processed without proper validation. The code strips the surrounding brackets `[]`, splits the string by commas, and then passes each resulting element directly into the `selectRaw()` function of the query builder.\n\n```php\n// User input from 'display' is taken without sanitization.\n$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;\n\n// ...\n\n// The unsanitized input is passed directly to `selectRaw()`.\nforeach ($select as $s) {\n $query->selectRaw($s);\n}\n```\n\nSince `selectRaw()` is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the `display` parameter.\n\n### PoC\n1. Log in to an OpenSTAManager instance as any user.\n2. Navigate to the user's profile page to obtain their personal API Token.\n3. Use this API token to send a specially crafted GET request to the API endpoint.\n\n**Time-Based Blind Injection Test:**\n\nReplace `<your_host>`, `<your_token>`, and `<resource_name>` with your actual values. `anagrafiche` is a valid resource.\n\n```bash\ncurl \"http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]\"\n```\n\nThe server will delay its response by approximately 5 seconds, confirming the `SLEEP(5)` command was executed by the database.\n\n### Impact\nThis is a critical SQL Injection vulnerability. 
Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:\n\n* **Exfiltrate all data** from the database (e.g., user credentials, customer information, invoices, internal data).\n* **Modify or delete data**, compromising data integrity.\n* Potentially achieve further system compromise, depending on the database user's privileges and system configuration.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Packagist", | ||
| "name": "devcode-it/openstamanager" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "2.9.5" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 2.9.4" | ||
| } | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j" | ||
| }, | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/devcode-it/openstamanager" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-89" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2025-11-19T21:00:37Z", | ||
| "nvd_published_at": "2025-11-19T20:15:54Z" | ||
| } | ||
| } |
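Review bot: this fixture combines an explicit ECOSYSTEM range (`introduced: "0"`, `fixed: "2.9.5"`) with `database_specific.last_known_affected_version_range: "<= 2.9.4"`, which is the overlap case the commit "Avoid mixing explicit affected packages with last known affected rang…" targets; the test should assert that exactly one affected range is produced for `devcode-it/openstamanager` and that `2.9.5` is the only fixed version, so that `2.9.4` does not become a second, redundant affected entry. The `details` value is long markdown with fenced code and a PoC; the importer should carry it through verbatim as the description, and the test should assert on the affected/fixed data rather than on that text, so a shorter `details` string would keep the fixture readable while exercising the same logic.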
Is a maximum length of 200 characters enough for CVSS v4? I think so.