Merge branch 'master' into relock

.github/workflows/staleness.yml

@@ -12,13 +12,21 @@ jobs:
           days-before-stale: 60
           days-before-close: 14
           operations-per-run: 100
-          stale-issue-label: stale
-          stale-pr-label: stale
           remove-stale-when-updated: true
           exempt-issue-labels: "good first issue,backlog"
           exempt-all-assignees: true
           ignore-updates: false
-          stale-issue-message: "This issue has not had any activity for 60 days and will be automatically closed in two weeks"
-          stale-pr-message: "This pull request has not had any activity for 60 days and will be automatically closed in two weeks"
-          close-issue-message: "Automatically closing stale issue"
-          close-pr-message: "Automatically closing stale pull request"
+          stale-issue-label: stale
+          stale-issue-message: |
+            This issue has not had any activity for 60 days and will be automatically closed in two weeks
+
+            See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
+          stale-pr-label: stale
+          stale-pr-message: |
+            This pull request has not had any activity for 60 days and will be automatically closed in two weeks
+          close-issue-label: "autoclosed"
+          close-issue-message: |
+            Automatically closing stale issue
+          close-pr-label: "autoclosed"
+          close-pr-message: |
+            Automatically closing stale pull request

gcp/api/Pipfile

@@ -5,8 +5,8 @@ name = "pypi"
 
 [packages]
 google-cloud-ndb = "==2.3.1"
-google-cloud-logging = "==3.10.0"
-packageurl-python = "==0.15.1"
+google-cloud-logging = "==3.11.0"
+packageurl-python = "==0.15.6"
 packaging = "==20.9"
 requests = "==2.32.3"
 grpcio = "==1.64.1"

gcp/api/pyproject.toml

@@ -6,8 +6,8 @@ package-mode = false
 python = "^3.11"
 
 google-cloud-ndb = "==2.3.1"
-google-cloud-logging = "==3.10.0"
-packageurl-python = "==0.15.1"
+google-cloud-logging = "==3.11.0"
+packageurl-python = "==0.15.6"
 packaging = "==20.9"
 requests = "==2.32.3"
 grpcio = "==1.64.1"

source.yaml

@@ -6,7 +6,7 @@
   repo_url: https://github.com/AlmaLinux/osv-database.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: ALBA-
+  db_prefix: ['ALBA-']
   ignore_git: False
   human_link: 'https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html'
   link: https://github.com/AlmaLinux/osv-database/blob/master/
@@ -20,7 +20,7 @@
   repo_url: https://github.com/AlmaLinux/osv-database.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: ALEA-
+  db_prefix: ['ALEA-']
   ignore_git: False
   human_link: 'https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html'
   link: https://github.com/AlmaLinux/osv-database/blob/master/
@@ -34,7 +34,7 @@
   repo_url: https://github.com/AlmaLinux/osv-database.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: ALSA-
+  db_prefix: ['ALSA-']
   ignore_git: False
   human_link: 'https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html'
   link: https://github.com/AlmaLinux/osv-database/blob/master/
@@ -47,7 +47,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: android-osv
-  db_prefix: A-
+  db_prefix: ['A-', 'ASB-A', 'PUB-A']
   ignore_git: True
   link: https://storage.googleapis.com/android-osv/
   editable: False
@@ -60,7 +60,7 @@
   repo_url: https://github.com/bitnami/vulndb.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: BIT-
+  db_prefix: ['BIT-']
   ignore_git: False
   link: https://github.com/bitnami/vulndb/tree/main/
   editable: False
@@ -73,7 +73,7 @@
   directory_path: 'chainguard/osv'
   detect_cherrypicks: False
   extension: '.json'
-  db_prefix: 'CGA-'
+  db_prefix: ['CGA-']
   ignore_git: True
   link: 'https://packages.cgr.dev/chainguard/osv/'
   editable: False
@@ -86,7 +86,7 @@
   directory_path: docs
   detect_cherrypicks: False
   extension: .json
-  db_prefix: CURL-
+  db_prefix: ['CURL-']
   ignore_git: True
   human_link: 'https://curl.se/docs/{{ BUG_ID | replace("CURL-", "") }}.html'
   link: https://curl.se/docs/
@@ -100,7 +100,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: cve-osv-conversion
-  db_prefix: CVE-
+  db_prefix: ['CVE-']
   ignore_git: False
   human_link: 'https://nvd.nist.gov/vuln/detail/{{ BUG_ID }}'
   link: https://storage.googleapis.com/cve-osv-conversion/
@@ -114,7 +114,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: debian-osv
-  db_prefix: DLA-
+  db_prefix: ['DLA-']
   ignore_git: True
   human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}'
   link: https://storage.googleapis.com/debian-osv/
@@ -128,7 +128,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: debian-osv
-  db_prefix: DSA-
+  db_prefix: ['DSA-']
   ignore_git: True
   human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}'
   link: https://storage.googleapis.com/debian-osv/
@@ -142,7 +142,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: debian-osv
-  db_prefix: DTSA-
+  db_prefix: ['DTSA-']
   ignore_git: True
   human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}'
   link: https://storage.googleapis.com/debian-osv/
@@ -156,7 +156,7 @@
   repo_url: https://github.com/github/advisory-database.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: GHSA-
+  db_prefix: ['GHSA-']
   ignore_git: True
   human_link: 'https://github.com/advisories/{{ BUG_ID }}'
   link: https://github.com/github/advisory-database/blob/main/
@@ -170,7 +170,7 @@
   detect_cherrypicks: True
   extension: .json
   bucket: go-vulndb
-  db_prefix: GO-
+  db_prefix: ['GO-']
   ignore_git: True
   human_link: 'https://pkg.go.dev/vuln/{{ BUG_ID }}'
   link: https://vuln.go.dev/
@@ -184,7 +184,7 @@
   repo_url: https://github.com/haskell/security-advisories.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: HSEC-
+  db_prefix: ['HSEC-']
   ignore_git: False
   link: https://github.com/haskell/security-advisories/blob/generated/osv-export/
   editable: False
@@ -198,7 +198,7 @@
   repo_url: https://github.com/ossf/malicious-packages.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: MAL-
+  db_prefix: ['MAL-']
   ignore_git: False
   link: https://github.com/ossf/malicious-packages/blob/main/
   editable: False
@@ -211,7 +211,7 @@
   repo_url: ssh://github.com/google/oss-fuzz-vulns
   detect_cherrypicks: True
   extension: .yaml
-  db_prefix: OSV-
+  db_prefix: ['OSV-']
   ignore_git: False
   link: https://github.com/google/oss-fuzz-vulns/blob/main/
   editable: True
@@ -225,7 +225,7 @@
   repo_url: https://github.com/psf/advisory-database.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: PSF-
+  db_prefix: ['PSF-']
   ignore_git: False
   link: https://github.com/psf/advisory-database/blob/main/
   editable: False
@@ -238,7 +238,7 @@
   repo_url: ssh://github.com/pypa/advisory-database
   detect_cherrypicks: False
   extension: .yaml
-  db_prefix: PYSEC-
+  db_prefix: ['PYSEC-']
   ignore_git: False
   link: https://github.com/pypa/advisory-database/blob/main/
   editable: False
@@ -252,7 +252,7 @@
   repo_url: https://github.com/RConsortium/r-advisory-database.git
   detect_cherrypicks: False
   extension: .yaml
-  db_prefix: RSEC-
+  db_prefix: ['RSEC-']
   ignore_git: False
   link: https://github.com/RConsortium/r-advisory-database/blob/main/
   editable: False
@@ -264,7 +264,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: resf-osv-data
-  db_prefix: RLSA-
+  db_prefix: ['RLSA-']
   ignore_git: False
   link: https://storage.googleapis.com/resf-osv-data/
   editable: False
@@ -276,7 +276,7 @@
   detect_cherrypicks: False
   extension: .json
   bucket: resf-osv-data
-  db_prefix: RXSA-
+  db_prefix: ['RXSA-']
   ignore_git: False
   link: https://storage.googleapis.com/resf-osv-data/
   editable: False
@@ -290,7 +290,7 @@
   repo_url: https://github.com/rustsec/advisory-db.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: RUSTSEC-
+  db_prefix: ['RUSTSEC-']
   ignore_git: False
   human_link: 'https://rustsec.org/advisories/{{ BUG_ID }}'
   link: https://github.com/rustsec/advisory-db/blob/osv/
@@ -305,7 +305,7 @@
   repo_url: 'https://github.com/canonical/ubuntu-security-notices.git'
   detect_cherrypicks: False
   extension: '.json'
-  db_prefix: 'USN-'
+  db_prefix: ['USN-']
   ignore_git: False
   human_link: 'https://ubuntu.com/security/notices/{{ BUG_ID }}'
   link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/'
@@ -318,7 +318,7 @@
   repo_url: https://github.com/cloudsecurityalliance/gsd-database.git
   detect_cherrypicks: False
   extension: .json
-  db_prefix: GSD-
+  db_prefix: ['GSD-']
   ignore_git: False
   link: https://github.com/cloudsecurityalliance/gsd-database/blob/main/
   editable: False

tools/datafix/reimport_gcs_record.py

@@ -171,7 +171,12 @@ def main() -> None:
   try:
     with ds_client.transaction() as xact:
       for bug in result_to_fix:
-        bug_in_gcs = objname_for_bug(ds_client, bug)
+        try:
+          bug_in_gcs = objname_for_bug(ds_client, bug)
+        except UnexpectedSituation as e:
+          if args.verbose:
+            print(f"Skipping {bug['db_id']}, got {e}\n")
+          continue
         if args.verbose:
           print(f"Resetting creation time for {bug_in_gcs['uri']}")
         if not args.dryrun: