[vulndb] internal/osv, all: refactor osv (renames etc.)


Tatiana Bradley (Gerrit)

Mar 31, 2023, 4:05:52 PM3/31/23
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Julie Qiu, Gopher Robot, golang-co...@googlegroups.com

Tatiana Bradley submitted this change.


Approvals: Julie Qiu: Looks good to me, approved Tatiana Bradley: Looks good to me, but someone else must approve; Run TryBots Gopher Robot: TryBots succeeded
internal/osv, all: refactor osv (renames etc.)

This change renames and adds comments to various fields of the
osv.Entry struct. It does not make any changes that affect the published
OSV.

Change-Id: I6da67baca873f7f883d8c1882f48f322cc97d515
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/480276
Reviewed-by: Julie Qiu <juli...@google.com>
TryBot-Result: Gopher Robot <go...@golang.org>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>
Run-TryBot: Tatiana Bradley <tatiana...@google.com>
---
M cmd/vulnreport/exported_functions.go
M cmd/vulnreport/main.go
M internal/database/from_repo_test.go
M internal/database/legacydb/load.go
M internal/database/legacydb/load_test.go
M internal/database/new.go
M internal/database/new_test.go
M internal/osv/osv.go
M internal/report/lint.go
M internal/report/lint_test.go
M internal/report/osv.go
M internal/report/osv_test.go
M internal/report/references.go
M internal/report/report.go
M internal/semver/affects.go
M internal/semver/affects_test.go
16 files changed, 370 insertions(+), 268 deletions(-)

diff --git a/cmd/vulnreport/exported_functions.go b/cmd/vulnreport/exported_functions.go
index d126ee9..b94aafc 100644
--- a/cmd/vulnreport/exported_functions.go
+++ b/cmd/vulnreport/exported_functions.go
@@ -17,6 +17,7 @@
"golang.org/x/vuln/osv"
"golang.org/x/vuln/vulncheck"
"golang.org/x/vulndb/internal/derrors"
+ iosv "golang.org/x/vulndb/internal/osv"
"golang.org/x/vulndb/internal/report"
"golang.org/x/vulndb/internal/stdlib"
)
@@ -107,9 +108,9 @@
name := m.Module
switch name {
case stdlib.ModulePath:
- name = report.GoStdModulePath
+ name = iosv.GoStdModulePath
case stdlib.ToolchainModulePath:
- name = report.GoCmdModulePath
+ name = iosv.GoCmdModulePath
}
imps := make([]osv.EcosystemSpecificImport, 0)
for _, p := range m.Packages {
@@ -140,7 +141,7 @@
Name: name,
Ecosystem: osv.GoEcosystem,
},
- Ranges: osv.Affects{a},
+ Ranges: []osv.AffectsRange{a},
EcosystemSpecific: osv.EcosystemSpecific{
Imports: imps,
},
diff --git a/cmd/vulnreport/main.go b/cmd/vulnreport/main.go
index 8111284..527e061 100644
--- a/cmd/vulnreport/main.go
+++ b/cmd/vulnreport/main.go
@@ -38,6 +38,7 @@
"golang.org/x/vulndb/internal/ghsa"
"golang.org/x/vulndb/internal/gitrepo"
"golang.org/x/vulndb/internal/issues"
+ "golang.org/x/vulndb/internal/osv"
"golang.org/x/vulndb/internal/report"
isem "golang.org/x/vulndb/internal/semver"
)
@@ -581,13 +582,13 @@
// in the report.
func addReferenceTODOs(r *report.Report) {
todos := []*report.Reference{
- {Type: report.ReferenceTypeAdvisory, URL: "TODO: canonical security advisory"},
- {Type: report.ReferenceTypeArticle, URL: "TODO: article or blog post"},
- {Type: report.ReferenceTypeReport, URL: "TODO: issue tracker link"},
- {Type: report.ReferenceTypeFix, URL: "TODO: PR or commit"},
- {Type: report.ReferenceTypeWeb, URL: "TODO: web page of some unspecified kind"}}
+ {Type: osv.ReferenceTypeAdvisory, URL: "TODO: canonical security advisory"},
+ {Type: osv.ReferenceTypeArticle, URL: "TODO: article or blog post"},
+ {Type: osv.ReferenceTypeReport, URL: "TODO: issue tracker link"},
+ {Type: osv.ReferenceTypeFix, URL: "TODO: PR or commit"},
+ {Type: osv.ReferenceTypeWeb, URL: "TODO: web page of some unspecified kind"}}

- types := make(map[report.ReferenceType]bool)
+ types := make(map[osv.ReferenceType]bool)
for _, r := range r.References {
types[r.Type] = true
}
diff --git a/internal/database/from_repo_test.go b/internal/database/from_repo_test.go
index a71ef5a..7314e59 100644
--- a/internal/database/from_repo_test.go
+++ b/internal/database/from_repo_test.go
@@ -22,12 +22,12 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "stdlib",
+ Module: osv.Module{
+ Path: "stdlib",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER",
Events: []osv.RangeEvent{
{Introduced: "0"}, {Fixed: "1.1.0"},
@@ -36,8 +36,8 @@
}}},
DatabaseSpecific: osv.DatabaseSpecific{
URL: "https://pkg.go.dev/vuln/GO-1999-0001"},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{{Path: "package", Symbols: []string{"Symbol"}}}}},
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{{Path: "package", Symbols: []string{"Symbol"}}}}},
},
References: []osv.Reference{
{Type: "FIX", URL: "https://example.com/cl/123"},
@@ -50,17 +50,17 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module",
+ Module: osv.Module{
+ Path: "example.com/module",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER", Events: []osv.RangeEvent{{Introduced: "0"},
{Fixed: "1.2.0"},
}}},
- DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-2000-0002"}, EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{{Path: "example.com/module/package",
+ DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-2000-0002"}, EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{{Path: "example.com/module/package",
Symbols: []string{"Symbol"},
}}}}},
References: []osv.Reference{
@@ -74,12 +74,12 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module",
+ Module: osv.Module{
+ Path: "example.com/module",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER",
Events: []osv.RangeEvent{
{Introduced: "0"}, {Fixed: "1.1.0"},
@@ -87,7 +87,7 @@
DatabaseSpecific: osv.DatabaseSpecific{
URL: "https://pkg.go.dev/vuln/GO-2000-0003",
},
- EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{
+ EcosystemSpecific: &osv.EcosystemSpecific{Packages: []osv.Package{
{
Path: "example.com/module/package",
Symbols: []string{"Symbol"},
diff --git a/internal/database/legacydb/load.go b/internal/database/legacydb/load.go
index 6fb9771..29b7edd 100644
--- a/internal/database/legacydb/load.go
+++ b/internal/database/legacydb/load.go
@@ -160,7 +160,7 @@

var found bool
for _, affected := range entry.Affected {
- m := affected.Package.Name
+ m := affected.Module.Path
if m == module {
found = true
break
@@ -177,7 +177,7 @@

for id, entry := range d.EntriesByID {
for _, affected := range entry.Affected {
- module := affected.Package.Name
+ module := affected.Module.Path
entries, ok := d.EntriesByModule[module]
if !ok || len(entries) == 0 {
return fmt.Errorf("module %s not found (referenced by %s)", module, id)
diff --git a/internal/database/legacydb/load_test.go b/internal/database/legacydb/load_test.go
index 96a8109..cba80c0 100644
--- a/internal/database/legacydb/load_test.go
+++ b/internal/database/legacydb/load_test.go
@@ -27,12 +27,12 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module",
+ Module: osv.Module{
+ Path: "example.com/module",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER",
Events: []osv.RangeEvent{
{Introduced: "0"}, {Fixed: "1.1.0"},
@@ -41,8 +41,8 @@
}}},
DatabaseSpecific: osv.DatabaseSpecific{
URL: "https://pkg.go.dev/vuln/GO-1999-0001"},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{{Path: "package", Symbols: []string{"Symbol"}}}}},
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{{Path: "package", Symbols: []string{"Symbol"}}}}},
},
References: []osv.Reference{
{Type: "FIX", URL: "https://example.com/cl/123"},
@@ -55,17 +55,17 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module2",
+ Module: osv.Module{
+ Path: "example.com/module2",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER", Events: []osv.RangeEvent{{Introduced: "0"},
{Fixed: "1.2.0"},
}}},
- DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-2000-0002"}, EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{{Path: "package",
+ DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-2000-0002"}, EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{{Path: "package",
Symbols: []string{"Symbol"},
}}}}},
References: []osv.Reference{
@@ -79,12 +79,12 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module2",
+ Module: osv.Module{
+ Path: "example.com/module2",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER",
Events: []osv.RangeEvent{
{Introduced: "0"}, {Fixed: "1.1.0"},
@@ -92,7 +92,7 @@
DatabaseSpecific: osv.DatabaseSpecific{
URL: "https://pkg.go.dev/vuln/GO-2000-0003",
},
- EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{
+ EcosystemSpecific: &osv.EcosystemSpecific{Packages: []osv.Package{
{
Path: "package",
Symbols: []string{"Symbol"},
@@ -217,8 +217,8 @@
{ID: "GO-1999-0001", Modified: jan1999,
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "module",
+ Module: osv.Module{
+ Path: "module",
},
},
}},
@@ -226,8 +226,8 @@
EntriesByID: EntriesByID{"GO-1999-0001": {ID: "GO-1999-0001",
Modified: jan1999, Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "module",
+ Module: osv.Module{
+ Path: "module",
},
},
}}},
@@ -242,8 +242,8 @@
EntriesByID: EntriesByID{"GO-1999-0001": {ID: "GO-1999-0001",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "a/module",
+ Module: osv.Module{
+ Path: "a/module",
},
},
},
@@ -269,8 +269,8 @@
{ID: "GO-1999-0002",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "module",
+ Module: osv.Module{
+ Path: "module",
},
},
},
@@ -278,16 +278,16 @@
EntriesByID: EntriesByID{"GO-1999-0001": {ID: "GO-1999-0001",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "module",
+ Module: osv.Module{
+ Path: "module",
},
},
},
}, "GO-1999-0002": {ID: "GO-1999-0002",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "module",
+ Module: osv.Module{
+ Path: "module",
},
},
},
diff --git a/internal/database/new.go b/internal/database/new.go
index 32962e9..591208c 100644
--- a/internal/database/new.go
+++ b/internal/database/new.go
@@ -52,7 +52,7 @@

func (m *ModulesIndex) add(entry osv.Entry) {
for _, affected := range entry.Affected {
- modulePath := affected.Package.Name
+ modulePath := affected.Module.Path
if _, ok := (*m)[modulePath]; !ok {
(*m)[modulePath] = &Module{
Path: modulePath,
@@ -80,7 +80,7 @@
return nil
}

-func latestFixedVersion(ranges osv.Affects) string {
+func latestFixedVersion(ranges []osv.Range) string {
var latestFixed report.Version
for _, r := range ranges {
if r.Type == "SEMVER" {
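Review bot: `r.Type == "SEMVER"` at the top of latestFixedVersion compares against a raw string literal even though this commit introduces `osv.RangeTypeSemver` for exactly that value and the parameter is now typed `[]osv.Range`; `if r.Type == osv.RangeTypeSemver {` keeps the check tied to the type definition. The body of latestFixedVersion continues past the end of the hunk.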
diff --git a/internal/database/new_test.go b/internal/database/new_test.go
index 852f72b..50c2341 100644
--- a/internal/database/new_test.go
+++ b/internal/database/new_test.go
@@ -25,12 +25,12 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "stdlib",
+ Module: osv.Module{
+ Path: "stdlib",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER",
Events: []osv.RangeEvent{
{Introduced: "0"}, {Fixed: "1.1.0"},
@@ -39,8 +39,8 @@
}}},
DatabaseSpecific: osv.DatabaseSpecific{
URL: "https://pkg.go.dev/vuln/GO-1999-0001"},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{{Path: "package", Symbols: []string{"Symbol"}}}}},
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{{Path: "package", Symbols: []string{"Symbol"}}}}},
},
References: []osv.Reference{
{Type: "FIX", URL: "https://example.com/cl/123"},
@@ -53,17 +53,17 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module",
+ Module: osv.Module{
+ Path: "example.com/module",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER", Events: []osv.RangeEvent{{Introduced: "0"},
{Fixed: "1.2.0"},
}}},
- DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-2000-0002"}, EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{{Path: "example.com/module/package",
+ DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-2000-0002"}, EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{{Path: "example.com/module/package",
Symbols: []string{"Symbol"},
}}}}},
References: []osv.Reference{
@@ -77,12 +77,12 @@
Details: "Some details",
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/module",
+ Module: osv.Module{
+ Path: "example.com/module",
Ecosystem: "Go",
},
- Ranges: osv.Affects{
- osv.AffectsRange{
+ Ranges: []osv.Range{
+ {
Type: "SEMVER",
Events: []osv.RangeEvent{
{Introduced: "0"}, {Fixed: "1.1.0"},
@@ -90,7 +90,7 @@
DatabaseSpecific: osv.DatabaseSpecific{
URL: "https://pkg.go.dev/vuln/GO-2000-0003",
},
- EcosystemSpecific: osv.EcosystemSpecific{Imports: []osv.EcosystemSpecificImport{
+ EcosystemSpecific: &osv.EcosystemSpecific{Packages: []osv.Package{
{
Path: "example.com/module/package",
Symbols: []string{"Symbol"},
@@ -123,18 +123,18 @@
func TestLatestFixedVerion(t *testing.T) {
tests := []struct {
name string
- ranges []osv.AffectsRange
+ ranges []osv.Range
want string
}{
{
name: "empty",
- ranges: []osv.AffectsRange{},
+ ranges: []osv.Range{},
want: "",
},
{
name: "no fix",
- ranges: []osv.AffectsRange{{
- Type: osv.TypeSemver,
+ ranges: []osv.Range{{
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
@@ -145,8 +145,8 @@
},
{
name: "unsorted",
- ranges: []osv.AffectsRange{{
- Type: osv.TypeSemver,
+ ranges: []osv.Range{{
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Fixed: "1.0.0",
@@ -166,8 +166,8 @@
},
{
name: "multiple ranges",
- ranges: []osv.AffectsRange{{
- Type: osv.TypeSemver,
+ ranges: []osv.Range{{
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
@@ -178,7 +178,7 @@
},
},
{
- Type: osv.TypeSemver,
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
@@ -192,8 +192,8 @@
},
{
name: "pseudoversion",
- ranges: []osv.AffectsRange{{
- Type: osv.TypeSemver,
+ ranges: []osv.Range{{
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
diff --git a/internal/osv/osv.go b/internal/osv/osv.go
index 682bee7..223516b 100644
--- a/internal/osv/osv.go
+++ b/internal/osv/osv.go
@@ -2,8 +2,11 @@
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

-// Package osv implements the OSV shared vulnerability
-// format, as defined by https://ossf.github.io/osv-schema.
+// Package osv implements the Go OSV vulnerability format
+// (https://go.dev/security/vuln/database#schema), which is a subset of
+// the OSV shared vulnerability format
+// (https://ossf.github.io/osv-schema), with database and
+// ecosystem-specific meanings and fields.
//
// As this package is intended for use with the Go vulnerability
// database, only the subset of features which are used by that
@@ -13,101 +16,222 @@

import "time"

-type AffectsRangeType string
+// RangeType specifies the type of version range being recorded and
+// defines the interpretation of the RangeEvent object's Introduced
+// and Fixed fields.
+//
+// In this implementation, only the "SEMVER" type is supported.
+//
+// See https://ossf.github.io/osv-schema/#affectedrangestype-field.
+type RangeType string

-const (
- TypeUnspecified AffectsRangeType = "UNSPECIFIED"
- TypeGit AffectsRangeType = "GIT"
- TypeSemver AffectsRangeType = "SEMVER"
-)
+// RangeTypeSemver indicates a semantic version as defined by
+// SemVer 2.0.0, with no leading "v" prefix.
+const RangeTypeSemver RangeType = "SEMVER"

+// Ecosystem identifies the overall library ecosystem.
+// In this implementation, only the "Go" ecosystem is supported.
type Ecosystem string

+// GoEcosystem indicates the Go ecosystem.
const GoEcosystem Ecosystem = "Go"

-type Package struct {
- Name string `json:"name"`
+// Pseudo-module paths used to describe vulnerabilities
+// in the Go standard library and toolchain.
+const (
+ // GoStdModulePath is the pseudo-module path string used
+ // to describe vulnerabilities in the Go standard library.
+ GoStdModulePath = "stdlib"
+ // GoCmdModulePath is the pseudo-module path string used
+ // to describe vulnerabilities in the go command.
+ GoCmdModulePath = "toolchain"
+)
+
+// Module identifies the Go module containing the vulnerability.
+// Note that this field is called "package" in the OSV specification.
+//
+// See https://ossf.github.io/osv-schema/#affectedpackage-field.
+type Module struct {
+ // The Go module path. Required.
+ // For the Go standard library, this is "stdlib".
+ // For the Go toolchain, this is "toolchain."
+ Path string `json:"name"`
+ // The ecosystem containing the module. Required.
+ // This should always be "Go".
Ecosystem Ecosystem `json:"ecosystem"`
}

+// RangeEvent describes a single module version that either
+// introduces or fixes a vulnerability.
+//
+// Exactly one of Introduced and Fixed must be present. Other range
+// event types (e.g, "last_affected" and "limit") are not supported in
+// this implementation.
+//
+// See https://ossf.github.io/osv-schema/#affectedrangesevents-fields.
type RangeEvent struct {
+ // Introduced is a version that introduces the vulnerability.
+ // A special value, "0", represents a version that sorts before
+ // any other version, and should be used to indicate that the
+ // vulnerability exists from the "beginning of time".
Introduced string `json:"introduced,omitempty"`
- Fixed string `json:"fixed,omitempty"`
+ // Fixed is a version that fixes the vulnerability.
+ Fixed string `json:"fixed,omitempty"`
}

-type AffectsRange struct {
- Type AffectsRangeType `json:"type"`
- Events []RangeEvent `json:"events"`
+// Range describes the affected versions of the vulnerable module.
+//
+// See https://ossf.github.io/osv-schema/#affectedranges-field.
+type Range struct {
+ // Type is the version type that should be used to interpret the
+ // versions in Events. Required.
+ // In this implementation, only the "SEMVER" type is supported.
+ Type RangeType `json:"type"`
+ // Events is a list of versions representing the ranges in which
+ // the module is vulnerable. Required.
+ // The events should be sorted, and MUST represent non-overlapping
+ // ranges.
+ // There must be at least one RangeEvent containing a value for
+ // Introduced.
+ // See https://ossf.github.io/osv-schema/#examples for examples.
+ Events []RangeEvent `json:"events"`
}

-type Affects []AffectsRange
+// Reference type is a reference (link) type.
+type ReferenceType string

+const (
+ // ReferenceTypeAdvisory is a published security advisory for
+ // the vulnerability.
+ ReferenceTypeAdvisory = ReferenceType("ADVISORY")
+ // ReferenceTypeArticle is an article or blog post describing the vulnerability.
+ ReferenceTypeArticle = ReferenceType("ARTICLE")
+ // ReferenceTypeReport is a report, typically on a bug or issue tracker, of
+ // the vulnerability.
+ ReferenceTypeReport = ReferenceType("REPORT")
+ // ReferenceTypeFix is a source code browser link to the fix (e.g., a GitHub commit).
+ ReferenceTypeFix = ReferenceType("FIX")
+ // ReferenceTypePackage is a home web page for the package.
+ ReferenceTypePackage = ReferenceType("PACKAGE")
+ // ReferenceTypeEvidence is a demonstration of the validity of a vulnerability claim.
+ ReferenceTypeEvidence = ReferenceType("EVIDENCE")
+ // ReferenceTypeWeb is a web page of some unspecified kind.
+ ReferenceTypeWeb = ReferenceType("WEB")
+)
+
+// ReferenceTypes is the set of reference types defined in OSV.
+var ReferenceTypes = []ReferenceType{
+ ReferenceTypeAdvisory,
+ ReferenceTypeArticle,
+ ReferenceTypeReport,
+ ReferenceTypeFix,
+ ReferenceTypePackage,
+ ReferenceTypeEvidence,
+ ReferenceTypeWeb,
+}
+
+// Reference is a reference URL containing additional information,
+// advisories, issue tracker entries, etc., about the vulnerability.
+//
+// See https://ossf.github.io/osv-schema/#references-field.
type Reference struct {
- Type string `json:"type"`
- URL string `json:"url"`
+ // The type of reference. Required.
+ Type ReferenceType `json:"type"`
+ // The fully-qualified URL of the reference. Required.
+ URL string `json:"url"`
}

+// Affected gives details about a module affected by the vulnerability.
+//
+// See https://ossf.github.io/osv-schema/#affected-fields.
type Affected struct {
- Package Package `json:"package"`
- Ranges Affects `json:"ranges,omitempty"`
- DatabaseSpecific DatabaseSpecific `json:"database_specific"`
- EcosystemSpecific EcosystemSpecific `json:"ecosystem_specific"`
+ // The affected Go module. Required.
+ // Note that this field is called "package" in the OSV specification.
+ Module Module `json:"package"`
+ // The module version ranges affected by the vulnerability.
+ Ranges []Range `json:"ranges,omitempty"`
+ DatabaseSpecific DatabaseSpecific `json:"database_specific"`
+ // Details on the affected packages and symbols within the module.
+ EcosystemSpecific *EcosystemSpecific `json:"ecosystem_specific,omitempty"`
}

type DatabaseSpecific struct {
URL string `json:"url"`
}

-// EcosytemSpecificImport contains additional information about an affected package.
-type EcosystemSpecificImport struct {
- // Path is the package import path.
- Path string `json:"path,omitempty"`
-
+// Package contains additional information about an affected package.
+// This is an ecosystem-specific field for the Go ecosystem.
+type Package struct {
+ // Path is the package import path. Required.
+ Path string `json:"path"`
// GOOS is the execution operating system where the symbols appear, if
// known.
GOOS []string `json:"goos,omitempty"`
-
// GOARCH specifies the execution architecture where the symbols appear, if
// known.
GOARCH []string `json:"goarch,omitempty"`
-
- // Symbols is the collection of functions and methods names affected by
+ // Symbols is a list of function and method names affected by
// this vulnerability. Methods are listed as <recv>.<method>.
//
// If included, only programs which use these symbols will be marked as
- // vulnerable. If omitted, any program which imports this module will be
- // marked vulnerable.
- //
- // These should be the symbols initially detected or identified in the CVE
- // or other source.
+ // vulnerable by `govulncheck`. If omitted, any program which imports this
+ // package will be marked vulnerable.
Symbols []string `json:"symbols,omitempty"`
}

-// EcosystemSpecific contains additional information about the vulnerability
-// for the Go ecosystem.
+// EcosystemSpecific contains additional information about the vulnerable
+// module for the Go ecosystem.
+//
+// See https://go.dev/security/vuln/database#schema.
type EcosystemSpecific struct {
- // Imports is the list of affected packages within the module.
- Imports []EcosystemSpecificImport `json:"imports,omitempty"`
+ // Packages is the list of affected packages within the module.
+ Packages []Package `json:"imports,omitempty"`
}

-// Entry represents a OSV style JSON vulnerability database
-// entry
+// Entry represents a vulnerability in the Go OSV format, documented
+// in https://go.dev/security/vuln/database#schema.
+// It is a subset of the OSV schema (https://ossf.github.io/osv-schema).
+// Only fields that are published in the Go Vulnerability Database
+// are supported.
type Entry struct {
- ID string `json:"id"`
- Published time.Time `json:"published,omitempty"`
- Modified time.Time `json:"modified,omitempty"`
- Withdrawn *time.Time `json:"withdrawn,omitempty"`
- Aliases []string `json:"aliases,omitempty"`
- Details string `json:"details"`
- Affected []Affected `json:"affected"`
- References []Reference `json:"references,omitempty"`
- Credits []Credit `json:"credits,omitempty"`
- SchemaVersion string `json:"schema_version,omitempty"`
+ // ID is a unique identifier for the vulnerability. Required.
+ // The Go vulnerability database issues IDs of the form
+ // GO-<YEAR>-<ENTRYID>.
+ ID string `json:"id"`
+ // Published is the time the entry should be considered to have
+ // been published.
+ Published time.Time `json:"published,omitempty"`
+ // Modified is the time the entry was last modified. Required.
+ Modified time.Time `json:"modified,omitempty"`
+ // Withdrawn is the time the entry should be considered to have
+ // been withdrawn. If the field is missing, then the entry has
+ // not been withdrawn.
+ Withdrawn *time.Time `json:"withdrawn,omitempty"`
+ // Aliases is a list of IDs for the same vulnerability in other
+ // databases.
+ Aliases []string `json:"aliases,omitempty"`
+ // Details contains English textual details about the vulnerability.
+ Details string `json:"details"`
+ // Affected contains information on the modules and versions
+ // affected by the vulnerability.
+ Affected []Affected `json:"affected"`
+ // References contains links to more information about the
+ // vulnerability.
+ References []Reference `json:"references,omitempty"`
+ // Credits contains credits to entities that helped find or fix the
+ // vulnerability.
+ Credits []Credit `json:"credits,omitempty"`
+ // SchemaVersion is the OSV schema version used to encode this
+ // vulnerability.
+ SchemaVersion string `json:"schema_version,omitempty"`
}

-// Credit represents an OSV style Credit to give credit
-// for the Entry
+// Credit represents a credit for the discovery, confirmation, patch, or
+// other event in the life cycle of a vulnerability.
+//
+// See https://ossf.github.io/osv-schema/#credits-fields.
type Credit struct {
- Name string `json:"name,omitempty"`
- Contact []string `json:"contact,omitempty"`
+ // Name is the name, label, or other identifier of the individual or
+ // entity being credited. Required.
+ Name string `json:"name"`
}
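Review bot: Switching Affected.EcosystemSpecific to `*EcosystemSpecific` with `omitempty`, removing Credit.Contact and dropping `omitempty` from Credit.Name all change what the encoder emits, so the description's claim that published OSV is unaffected only holds if every writer sets the pointer and no published entry ever carried a contact or an empty credit name; worth confirming against the existing data. A decoded entry whose `ecosystem_specific` is absent now yields a nil pointer, so any reader that does `a.EcosystemSpecific.Packages` without a nil check will panic, and the field comment should say so. The `Packages` field keeps the `imports` JSON tag but, unlike Module, has no comment explaining the mismatch; suggest `// Note that this field is called "imports" in the published JSON.`. Two doc nits: the comment on ReferenceType should start with the identifier, `// ReferenceType is a reference (link) type.`, and the Module.Path comment should read `// For the Go toolchain, this is "toolchain".`.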
diff --git a/internal/report/lint.go b/internal/report/lint.go
index d0e0cbb..134f427 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -19,6 +19,7 @@
"golang.org/x/mod/modfile"
"golang.org/x/mod/module"
"golang.org/x/mod/semver"
+ "golang.org/x/vulndb/internal/osv"
"golang.org/x/vulndb/internal/stdlib"
)

@@ -239,19 +240,19 @@
)
for _, ref := range r.References {
switch ref.Type {
- case ReferenceTypeAdvisory:
+ case osv.ReferenceTypeAdvisory:
addIssue(fmt.Sprintf("%q: advisory reference should not be set for first-party issues", ref.URL))
- case ReferenceTypeFix:
+ case osv.ReferenceTypeFix:
hasFixLink = true
if !prRegex.MatchString(ref.URL) && !commitRegex.MatchString(ref.URL) {
addIssue(fmt.Sprintf("%q: fix reference should match %q or %q", ref.URL, prRegex, commitRegex))
}
- case ReferenceTypeReport:
+ case osv.ReferenceTypeReport:
hasReportLink = true
if !issueRegex.MatchString(ref.URL) {
addIssue(fmt.Sprintf("%q: report reference should match %q", ref.URL, issueRegex))
}
- case ReferenceTypeWeb:
+ case osv.ReferenceTypeWeb:
if !announceRegex.MatchString(ref.URL) {
addIssue(fmt.Sprintf("%q: web references should only contain announcement links matching %q", ref.URL, announceRegex))
} else {
@@ -273,7 +274,7 @@
func (r *Report) lintLinks(addIssue func(string)) {
advisoryCount := 0
for _, ref := range r.References {
- if !slices.Contains(ReferenceTypes, ref.Type) {
+ if !slices.Contains(osv.ReferenceTypes, ref.Type) {
addIssue(fmt.Sprintf("%q is not a valid reference type", ref.Type))
}
l := ref.URL
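Review bot: `slices.Contains(osv.ReferenceTypes, ref.Type)` makes lintLinks validate reference types against an exported package-level `var` slice, so the allow-list can be appended to or reordered by any importer of internal/osv. If it is to stay a var, its declaration should at least state the contract, `// ReferenceTypes is the set of reference types defined in OSV. It must not be modified.`; a function returning a fresh slice would remove the hazard entirely. lintLinks continues past the end of the hunk.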
@@ -283,10 +284,10 @@
if fixed := fixURL(l); fixed != l {
addIssue(fmt.Sprintf("unfixed url: %q should be %q", l, fixURL(l)))
}
- if ref.Type == ReferenceTypeAdvisory {
+ if ref.Type == osv.ReferenceTypeAdvisory {
advisoryCount++
}
- if ref.Type != ReferenceTypeAdvisory {
+ if ref.Type != osv.ReferenceTypeAdvisory {
// An ADVISORY reference to a CVE/GHSA indicates that it
// is the canonical source of information on this vuln.
//
diff --git a/internal/report/lint_test.go b/internal/report/lint_test.go
index dc110e6..1f7252f 100644
--- a/internal/report/lint_test.go
+++ b/internal/report/lint_test.go
@@ -9,6 +9,8 @@
"flag"
"strings"
"testing"
+
+ "golang.org/x/vulndb/internal/osv"
)

var proxy = flag.Bool("proxy", false, "test helper functions that call the proxy")
@@ -17,9 +19,9 @@

var (
validStdLibReferences = []*Reference{
- {Type: ReferenceTypeFix, URL: "https://go.dev/cl/12345"},
- {Type: ReferenceTypeWeb, URL: "https://groups.google.com/g/golang-announce/c/12345"},
- {Type: ReferenceTypeReport, URL: "https://go.dev/issue/12345"},
+ {Type: osv.ReferenceTypeFix, URL: "https://go.dev/cl/12345"},
+ {Type: osv.ReferenceTypeWeb, URL: "https://groups.google.com/g/golang-announce/c/12345"},
+ {Type: osv.ReferenceTypeReport, URL: "https://go.dev/issue/12345"},
}
)

@@ -403,10 +405,10 @@
}},
Description: "description",
References: []*Reference{
- {Type: ReferenceTypeFix, URL: "https://github.com/golang/go/commit/12345"},
- {Type: ReferenceTypeReport, URL: "https://github.com/golang/go/issues/12345"},
- {Type: ReferenceTypeWeb, URL: "https://golang.org/xxx"},
- {Type: ReferenceTypeWeb, URL: "https://groups.google.com/forum/#!/golang-announce/12345/1/"},
+ {Type: osv.ReferenceTypeFix, URL: "https://github.com/golang/go/commit/12345"},
+ {Type: osv.ReferenceTypeReport, URL: "https://github.com/golang/go/issues/12345"},
+ {Type: osv.ReferenceTypeWeb, URL: "https://golang.org/xxx"},
+ {Type: osv.ReferenceTypeWeb, URL: "https://groups.google.com/forum/#!/golang-announce/12345/1/"},
},
},
want: []string{
@@ -427,10 +429,10 @@
}},
Description: "description",
References: []*Reference{
- {Type: ReferenceTypeFix, URL: "https://go-review.googlesource.com/c/go/+/12345"},
- {Type: ReferenceTypeFix, URL: "https://github.com/golang/go/commit/12345"},
- {Type: ReferenceTypeReport, URL: "https://github.com/golang/go/issues/12345"},
- {Type: ReferenceTypeWeb, URL: "https://go.dev/"},
+ {Type: osv.ReferenceTypeFix, URL: "https://go-review.googlesource.com/c/go/+/12345"},
+ {Type: osv.ReferenceTypeFix, URL: "https://github.com/golang/go/commit/12345"},
+ {Type: osv.ReferenceTypeReport, URL: "https://github.com/golang/go/issues/12345"},
+ {Type: osv.ReferenceTypeWeb, URL: "https://go.dev/"},
// no announce link
},
},
@@ -458,7 +460,7 @@
Description: "description",
References: []*Reference{
{
- Type: ReferenceTypeFix,
+ Type: osv.ReferenceTypeFix,
URL: "go.dev/cl/12345", // needs "https://" prefix
},
},
diff --git a/internal/report/osv.go b/internal/report/osv.go
index e7e8c18..39a041a 100644
--- a/internal/report/osv.go
+++ b/internal/report/osv.go
@@ -20,14 +20,6 @@
)

var (
- // GoStdModulePath is the internal Go module path string used
- // when listing vulnerabilities in standard library.
- GoStdModulePath = "stdlib"
-
- // GoCmdModulePath is the internal Go module path string used
- // when listing vulnerabilities in the go command.
- GoCmdModulePath = "toolchain"
-
// osvDir is the name of the directory in the vulndb repo that
// contains reports.
OSVDir = "data/osv"
@@ -63,7 +55,7 @@
}
for _, ref := range r.References {
entry.References = append(entry.References, osv.Reference{
- Type: string(ref.Type),
+ Type: ref.Type,
URL: ref.URL,
})
}
@@ -99,13 +91,13 @@
func ModulesForEntry(entry osv.Entry) []string {
mods := map[string]bool{}
for _, a := range entry.Affected {
- mods[a.Package.Name] = true
+ mods[a.Module.Path] = true
}
return maps.Keys(mods)
}

-func AffectedRanges(versions []VersionRange) osv.Affects {
- a := osv.AffectsRange{Type: osv.TypeSemver}
+func AffectedRanges(versions []VersionRange) []osv.Range {
+ a := osv.Range{Type: osv.RangeTypeSemver}
if len(versions) == 0 || versions[0].Introduced == "" {
a.Events = append(a.Events, osv.RangeEvent{Introduced: "0"})
}
@@ -117,7 +109,7 @@
a.Events = append(a.Events, osv.RangeEvent{Fixed: v.Fixed.Canonical()})
}
}
- return osv.Affects{a}
+ return []osv.Range{a}
}

// trimWhitespace removes unnecessary whitespace from a string, but preserves
@@ -136,12 +128,12 @@
return s
}

-func generateImports(m *Module) (imps []osv.EcosystemSpecificImport) {
+func generateImports(m *Module) (imps []osv.Package) {
for _, p := range m.Packages {
syms := append([]string{}, p.Symbols...)
syms = append(syms, p.DerivedSymbols...)
sort.Strings(syms)
- imps = append(imps, osv.EcosystemSpecificImport{
+ imps = append(imps, osv.Package{
Path: p.Package,
GOOS: p.GOOS,
GOARCH: p.GOARCH,
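Review bot: generateImports has no comment explaining why Symbols and DerivedSymbols are merged and sorted before being emitted, which is the one non-obvious step in the function. Suggest `// generateImports returns one osv.Package per package in m; Symbols and DerivedSymbols are merged into a single sorted list, presumably so the emitted OSV does not depend on the order in the report.` The function continues past the end of this hunk.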
@@ -155,19 +147,19 @@
name := m.Module
switch name {
case stdlib.ModulePath:
- name = GoStdModulePath
+ name = osv.GoStdModulePath
case stdlib.ToolchainModulePath:
- name = GoCmdModulePath
+ name = osv.GoCmdModulePath
}
return osv.Affected{
- Package: osv.Package{
- Name: name,
+ Module: osv.Module{
+ Path: name,
Ecosystem: osv.GoEcosystem,
},
Ranges: AffectedRanges(m.Versions),
DatabaseSpecific: osv.DatabaseSpecific{URL: url},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: generateImports(m),
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: generateImports(m),
},
}
}
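Review bot: EcosystemSpecific becomes a pointer here, so whether the field appears in the serialized entry now hinges on nil-ness rather than emptiness; if the struct tag in internal/osv is omitempty, a nil pointer would drop the field where an empty struct was previously emitted. This hunk always assigns a non-nil pointer, so the published output should be unchanged as the description states, but that holds only as long as every constructor does the same. A golden-file assertion on the serialized JSON, rather than the struct comparison in osv_test.go, would pin that. The enclosing function starts outside this hunk.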
diff --git a/internal/report/osv_test.go b/internal/report/osv_test.go
index f2c594a..dc17ec0 100644
--- a/internal/report/osv_test.go
+++ b/internal/report/osv_test.go
@@ -67,10 +67,10 @@
GHSAs: []string{"GHSA-abcd-efgh"},
Credit: "gopherbot",
References: []*Reference{
- {Type: ReferenceTypeAdvisory, URL: "advisory"},
- {Type: ReferenceTypeReport, URL: "issue"},
- {Type: ReferenceTypeFix, URL: "fix"},
- {Type: ReferenceTypeWeb, URL: "web"},
+ {Type: osv.ReferenceTypeAdvisory, URL: "advisory"},
+ {Type: osv.ReferenceTypeReport, URL: "issue"},
+ {Type: osv.ReferenceTypeFix, URL: "fix"},
+ {Type: osv.ReferenceTypeWeb, URL: "web"},
},
}

@@ -87,13 +87,13 @@
Aliases: []string{"CVE-0000-0000", "GHSA-abcd-efgh"},
Affected: []osv.Affected{
{
- Package: osv.Package{
- Name: "example.com/vulnerable/v2",
+ Module: osv.Module{
+ Path: "example.com/vulnerable/v2",
Ecosystem: "Go",
},
- Ranges: []osv.AffectsRange{
+ Ranges: []osv.Range{
{
- Type: osv.TypeSemver,
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
@@ -114,8 +114,8 @@
},
},
DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-1991-0001"},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{
{
Path: "example.com/vulnerable/v2",
GOOS: []string{"windows"},
@@ -126,13 +126,13 @@
},
},
{
- Package: osv.Package{
- Name: "vanity.host/vulnerable",
+ Module: osv.Module{
+ Path: "vanity.host/vulnerable",
Ecosystem: "Go",
},
- Ranges: []osv.AffectsRange{
+ Ranges: []osv.Range{
{
- Type: osv.TypeSemver,
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
@@ -153,8 +153,8 @@
},
},
DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-1991-0001"},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{
{
Path: "vanity.host/vulnerable/package",
GOOS: []string{"windows"},
@@ -165,13 +165,13 @@
},
},
{
- Package: osv.Package{
- Name: "example.com/also-vulnerable",
+ Module: osv.Module{
+ Path: "example.com/also-vulnerable",
Ecosystem: "Go",
},
- Ranges: []osv.AffectsRange{
+ Ranges: []osv.Range{
{
- Type: osv.TypeSemver,
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "0",
@@ -183,8 +183,8 @@
},
},
DatabaseSpecific: osv.DatabaseSpecific{URL: "https://pkg.go.dev/vuln/GO-1991-0001"},
- EcosystemSpecific: osv.EcosystemSpecific{
- Imports: []osv.EcosystemSpecificImport{
+ EcosystemSpecific: &osv.EcosystemSpecific{
+ Packages: []osv.Package{
{
Path: "example.com/also-vulnerable/package",
GOOS: []string{"windows"},
@@ -222,9 +222,9 @@
Fixed: "1.17.0",
},
}
- expected := osv.Affects{
+ expected := []osv.Range{
{
- Type: osv.TypeSemver,
+ Type: osv.RangeTypeSemver,
Events: []osv.RangeEvent{
{
Introduced: "1.16.0",
diff --git a/internal/report/references.go b/internal/report/references.go
index fdd4566..c5e1b43 100644
--- a/internal/report/references.go
+++ b/internal/report/references.go
@@ -4,7 +4,11 @@

package report

-import "strings"
+import (
+ "strings"
+
+ "golang.org/x/vulndb/internal/osv"
+)

func isFix(url string) bool {
return strings.Contains(url, "go-review.googlesource.com") ||
@@ -23,14 +27,14 @@
// referenceFromUrl creates a new Reference from a url
// with Type inferred from the contents of the url.
func referenceFromUrl(url string) *Reference {
- typ := ReferenceTypeWeb
+ typ := osv.ReferenceTypeWeb
switch {
case isFix(url):
- typ = ReferenceTypeFix
+ typ = osv.ReferenceTypeFix
case isIssue(url):
- typ = ReferenceTypeReport
+ typ = osv.ReferenceTypeReport
case isAdvisory(url):
- typ = ReferenceTypeAdvisory
+ typ = osv.ReferenceTypeAdvisory
}
return &Reference{
Type: typ,
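Review bot: The classification on the new lines rests on isFix (previous hunk) matching `strings.Contains(url, "go-review.googlesource.com")`, so any URL that merely contains that hostname in its path or query is labelled FIX; comparing the parsed host is the stricter check, and isIssue/isAdvisory likely have the same shape (not visible here). Scheme-less inputs would then fall through to WEB, which the lint_test hunk above suggests lint already rejects ("needs https:// prefix"), so that should not regress valid reports. This needs net/url imported in references.go. referenceFromUrl's return continues past the end of this hunk.
```go
// hasHost reports whether rawURL parses and its host is exactly host,
// so a hostname appearing elsewhere in the URL does not count as a match.
func hasHost(rawURL, host string) bool {
	u, err := url.Parse(rawURL)
	return err == nil && u.Host == host
}

func isFix(url string) bool {
	return hasHost(url, "go-review.googlesource.com") ||
	// … unchanged: remaining isFix conditions …
```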
diff --git a/internal/report/report.go b/internal/report/report.go
index 746212d..b6c29a6 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -18,6 +18,7 @@

"golang.org/x/mod/semver"
"golang.org/x/vulndb/internal/derrors"
+ "golang.org/x/vulndb/internal/osv"
"gopkg.in/yaml.v3"
)

@@ -119,36 +120,12 @@
"DEPENDENT_VULNERABILITY",
}

-// Reference type is a reference (link) type.
-type ReferenceType string
-
-const (
- ReferenceTypeAdvisory = ReferenceType("ADVISORY")
- ReferenceTypeArticle = ReferenceType("ARTICLE")
- ReferenceTypeReport = ReferenceType("REPORT")
- ReferenceTypeFix = ReferenceType("FIX")
- ReferenceTypePackage = ReferenceType("PACKAGE")
- ReferenceTypeEvidence = ReferenceType("EVIDENCE")
- ReferenceTypeWeb = ReferenceType("WEB")
-)
-
-// ReferenceTypes is the set of reference types defined in OSV.
-var ReferenceTypes = []ReferenceType{
- ReferenceTypeAdvisory,
- ReferenceTypeArticle,
- ReferenceTypeReport,
- ReferenceTypeFix,
- ReferenceTypePackage,
- ReferenceTypeEvidence,
- ReferenceTypeWeb,
-}
-
// A Reference is a link to some external resource.
//
// For ease of typing, References are represented in the YAML as a
// single-element mapping of type to URL.
type Reference struct {
- Type ReferenceType
+ Type osv.ReferenceType
URL string
}

@@ -164,7 +141,7 @@
fmt.Sprintf("line %d: report.Reference must contain a mapping with one value", n.Line),
}}
}
- r.Type = ReferenceType(strings.ToUpper(n.Content[0].Value))
+ r.Type = osv.ReferenceType(strings.ToUpper(n.Content[0].Value))
r.URL = n.Content[1].Value
return nil
}
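Review bot: The conversion on the `+` line accepts any upper-cased key as an osv.ReferenceType, and with the package-local ReferenceTypes set removed in the earlier report.go hunk, nothing left in this file constrains it. If validation lives in lint, as the lint_test changes suggest, a comment would stop a reader from assuming the YAML decoder rejects unknown types: `// Any key is accepted here; lint validates Type against the OSV reference types.` Otherwise a membership check against the osv package's list of reference types is the place to reject typos before they reach a published entry. UnmarshalYAML starts outside this hunk.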
diff --git a/internal/semver/affects.go b/internal/semver/affects.go
index 0f236a5..495044c 100644
--- a/internal/semver/affects.go
+++ b/internal/semver/affects.go
@@ -11,14 +11,14 @@
"golang.org/x/vulndb/internal/osv"
)

-func AffectsSemver(a osv.Affects, v string) bool {
- if len(a) == 0 {
+func AffectsSemver(ranges []osv.Range, v string) bool {
+ if len(ranges) == 0 {
// No ranges implies all versions are affected
return true
}
var semverRangePresent bool
- for _, r := range a {
- if r.Type != osv.TypeSemver {
+ for _, r := range ranges {
+ if r.Type != osv.RangeTypeSemver {
continue
}
semverRangePresent = true
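Review bot: AffectsSemver is exported but has no doc comment, and its contract (empty input means affected, non-SEMVER ranges skipped) is only visible by reading the body. Suggest `// AffectsSemver reports whether version v lies within any SEMVER range in ranges.` followed by `// An empty ranges slice means every version is affected; ranges of other types are ignored.` The function body continues past the end of this hunk.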
@@ -43,8 +43,8 @@
// - beginning of time is encoded with .Introduced="0"
// - no-fix is not an event, as opposed to being an
// event where Introduced="" and Fixed=""
-func containsSemver(ar osv.AffectsRange, v string) bool {
- if ar.Type != osv.TypeSemver {
+func containsSemver(ar osv.Range, v string) bool {
+ if ar.Type != osv.RangeTypeSemver {
return false
}
if len(ar.Events) == 0 {
diff --git a/internal/semver/affects_test.go b/internal/semver/affects_test.go
index a99add6..f7694f9 100644
--- a/internal/semver/affects_test.go
+++ b/internal/semver/affects_test.go
@@ -12,116 +12,116 @@

func TestAffectsSemver(t *testing.T) {
cases := []struct {
- affects osv.Affects
+ affects []osv.Range
version string
want bool
}{
{
- // empty Affects indicates everything is affected
- affects: osv.Affects{},
+ // empty ranges indicates everything is affected
+ affects: []osv.Range{},
version: "v0.0.0",
want: true,
},
{
- // Affects containing an empty SEMVER range also indicates
+ // ranges containing an empty SEMVER range also indicates
// everything is affected
- affects: []osv.AffectsRange{{Type: osv.TypeSemver}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver}},
version: "v0.0.0",
want: true,
},
{
- // Affects containing a SEMVER range with only an "introduced":"0"
+ // ranges containing a SEMVER range with only an "introduced":"0"
// also indicates everything is affected
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}}}},
version: "v0.0.0",
want: true,
},
{
// v1.0.0 < v2.0.0
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "2.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "2.0.0"}}}},
version: "v1.0.0",
want: true,
},
{
// v0.0.1 <= v1.0.0
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}}}},
version: "v1.0.0",
want: true,
},
{
// v1.0.0 <= v1.0.0
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}}}},
version: "v1.0.0",
want: true,
},
{
// v1.0.0 <= v1.0.0 < v2.0.0
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}},
version: "v1.0.0",
want: true,
},
{
// v0.0.1 <= v1.0.0 < v2.0.0
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}, {Fixed: "2.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0.0.1"}, {Fixed: "2.0.0"}}}},
version: "v1.0.0",
want: true,
},
{
// v2.0.0 < v3.0.0
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}}}},
version: "v3.0.0",
want: false,
},
{
// Multiple ranges
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}, {Introduced: "3.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.0.0"}, {Fixed: "2.0.0"}, {Introduced: "3.0.0"}}}},
version: "v3.0.0",
want: true,
},
{
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.18.6"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.18.6"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"}}}},
version: "v1.18.6",
want: false,
},
{
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Introduced: "1.19.0"}, {Fixed: "1.19.1"}}}},
version: "v1.18.6",
want: true,
},
{
// Multiple non-sorted ranges.
- affects: []osv.AffectsRange{{Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "1.19.0"}, {Fixed: "1.19.1"}, {Introduced: "0"}, {Fixed: "1.18.6"}}}},
+ affects: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "1.19.0"}, {Fixed: "1.19.1"}, {Introduced: "0"}, {Fixed: "1.18.6"}}}},
version: "v1.18.1",
want: true,
},
{
// Wrong type range
- affects: []osv.AffectsRange{{Type: osv.TypeUnspecified, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}}},
+ affects: []osv.Range{{Type: osv.RangeType("unspecified"), Events: []osv.RangeEvent{{Introduced: "3.0.0"}}}},
version: "v3.0.0",
want: true,
},
{
// Semver ranges don't match
- affects: []osv.AffectsRange{
- {Type: osv.TypeUnspecified, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
- {Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "4.0.0"}}},
+ affects: []osv.Range{
+ {Type: osv.RangeType("unspecified"), Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+ {Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "4.0.0"}}},
},
version: "v3.0.0",
want: false,
},
{
// Semver ranges do match
- affects: []osv.AffectsRange{
- {Type: osv.TypeUnspecified, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
- {Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+ affects: []osv.Range{
+ {Type: osv.RangeType("unspecified"), Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+ {Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
},
version: "v3.0.0",
want: true,
},
{
// Semver ranges match (go prefix)
- affects: []osv.AffectsRange{
- {Type: osv.TypeSemver, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
+ affects: []osv.Range{
+ {Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "3.0.0"}}},
},
version: "go3.0.1",
want: true,


Gerrit-Project: vulndb
Gerrit-Branch: master
Gerrit-Change-Id: I6da67baca873f7f883d8c1882f48f322cc97d515
Gerrit-Change-Number: 480276
Gerrit-PatchSet: 3
Gerrit-Owner: Tatiana Bradley <tatiana...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Julie Qiu <juli...@google.com>
Gerrit-Reviewer: Tatiana Bradley <tatiana...@google.com>
Gerrit-MessageType: merged