From ab9000042c1786a6a7e033f26ceb1e393d193f30 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Tue, 17 Dec 2024 14:09:53 +0000 Subject: [PATCH] Similar to #99 for GO feeds Signed-off-by: Prabhu Subramanian --- pyproject.toml | 2 +- test/data/GO-2022-0251.json | 3 +-- test/data/GO-2022-0646.json | 4 +--- vdb/lib/osv.py | 7 +++---- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 86798a8..9a6fb22 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "appthreat-vulnerability-db" -version = "6.2.1" +version = "6.2.2" description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities." authors = [ {name = "Team AppThreat", email = "cloud@appthreat.com"}, diff --git a/test/data/GO-2022-0251.json b/test/data/GO-2022-0251.json index 9bb455d..7ec8387 100644 --- a/test/data/GO-2022-0251.json +++ b/test/data/GO-2022-0251.json @@ -3,8 +3,7 @@ "summary": "Panic on NUL character in ROA in github.com/cloudflare/cfrpki", "details": "OctoRPKI crashes when a repository returns an invalid ROA that is only an encoded NUL character (\\0).", "aliases": [ - "CVE-2021-3910", - "GHSA-5mxh-2qfv-4g7j" + "CVE-2021-3910" ], "modified": "2024-05-20T16:03:47Z", "published": "2022-07-15T23:07:28Z", diff --git a/test/data/GO-2022-0646.json b/test/data/GO-2022-0646.json index 60a434a..a946f50 100644 --- a/test/data/GO-2022-0646.json +++ b/test/data/GO-2022-0646.json @@ -4,9 +4,7 @@ "modified": "2022-11-21T19:50:45Z", "aliases": [ "CVE-2020-8911", - "CVE-2020-8912", - "GHSA-7f33-f4f5-xwgw", - "GHSA-f5pg-7wfw-84q9" + "CVE-2020-8912" ], "details": "The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.\n\nFiles encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until reencrypted with the new client.", "affected": [ diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py index f504c2c..7a87dd8 100644 --- a/vdb/lib/osv.py +++ b/vdb/lib/osv.py @@ -124,11 +124,10 @@ def to_vuln(cve_data): # Offer an option to ignore malware data to keep the db size small if getenv("OSV_EXCLUDE_MALWARE") and cve_id.startswith("MAL"): return ret_data - # Quality of PYSEC data is quite low missing both severity and score - # Where a PYSEC feed also reference a github id, let's ignore it since G comes before P - # so it would have gotten processed + # Quality of PYSEC and GO data are quite low missing both severity and score + # Where a PYSEC or GO feed also reference a github id, let's ignore it # Fixes #99 - if cve_id.startswith("PYSEC"): + if cve_id.startswith("PYSEC") or cve_id.startswith("GO-"): for i in aliases: if i.startswith("GHSA"): return ret_data