Similar to #99 for GO feeds

Signed-off-by: Prabhu Subramanian <[email protected]>
AppThreat · Dec 17, 2024 · ab90000 · ab90000
1 parent bf95d7d
commit ab90000
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 10 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.2.1"
+version = "6.2.2"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

diff --git a/test/data/GO-2022-0251.json b/test/data/GO-2022-0251.json
@@ -3,8 +3,7 @@
   "summary": "Panic on NUL character in ROA in github.com/cloudflare/cfrpki",
   "details": "OctoRPKI crashes when a repository returns an invalid ROA that is only an encoded NUL character (\\0).",
   "aliases": [
-    "CVE-2021-3910",
-    "GHSA-5mxh-2qfv-4g7j"
+    "CVE-2021-3910"
   ],
   "modified": "2024-05-20T16:03:47Z",
   "published": "2022-07-15T23:07:28Z",

diff --git a/test/data/GO-2022-0646.json b/test/data/GO-2022-0646.json
@@ -4,9 +4,7 @@
     "modified": "2022-11-21T19:50:45Z",
     "aliases": [
       "CVE-2020-8911",
-      "CVE-2020-8912",
-      "GHSA-7f33-f4f5-xwgw",
-      "GHSA-f5pg-7wfw-84q9"
+      "CVE-2020-8912"
     ],
     "details": "The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.\n\nFiles encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until reencrypted with the new client.",
     "affected": [

diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py
@@ -124,11 +124,10 @@ def to_vuln(cve_data):
         # Offer an option to ignore malware data to keep the db size small
         if getenv("OSV_EXCLUDE_MALWARE") and cve_id.startswith("MAL"):
             return ret_data
-        # Quality of PYSEC data is quite low missing both severity and score
-        # Where a PYSEC feed also reference a github id, let's ignore it since G comes before P
-        #   so it would have gotten processed
+        # Quality of PYSEC and GO data are quite low missing both severity and score
+        # Where a PYSEC or GO feed also reference a github id, let's ignore it
         # Fixes #99
-        if cve_id.startswith("PYSEC"):
+        if cve_id.startswith("PYSEC") or cve_id.startswith("GO-"):
             for i in aliases:
                 if i.startswith("GHSA"):
                     return ret_data