@@ -3,15 +3,11 @@ package cvelist2osv
33import (
44 "cmp"
55 "errors"
6- "log/slog"
76 "strconv"
87 "strings"
98
109 "github.com/google/osv/vulnfeeds/conversion"
11- "github.com/google/osv/vulnfeeds/git"
1210 "github.com/google/osv/vulnfeeds/models"
13- "github.com/google/osv/vulnfeeds/utility"
14- "github.com/google/osv/vulnfeeds/utility/logger"
1511 "github.com/google/osv/vulnfeeds/vulns"
1612 "github.com/ossf/osv-schema/bindings/go/osvschema"
1713)
@@ -55,117 +51,6 @@ func toVersionRangeType(s string) VersionRangeType {
5551 }
5652}
5753
58- // resolveVersionToCommit is a helper to convert a version string to a commit hash.
59- // It logs the outcome of the conversion attempt and returns an empty string on failure.
60- func resolveVersionToCommit (cveID models.CVEID , version , versionType , repo string , normalizedTags map [string ]git.NormalizedTag ) string {
61- if version == "" {
62- return ""
63- }
64- logger .Info ("Attempting to resolve version to commit" , slog .String ("cve" , string (cveID )), slog .String ("version" , version ), slog .String ("type" , versionType ), slog .String ("repo" , repo ))
65- commit , err := git .VersionToCommit (version , normalizedTags )
66- if err != nil {
67- logger .Warn ("Failed to get Git commit for version" , slog .String ("cve" , string (cveID )), slog .String ("version" , version ), slog .String ("type" , versionType ), slog .String ("repo" , repo ), slog .Any ("err" , err ))
68- return ""
69- }
70- logger .Info ("Successfully derived commit for version" , slog .String ("cve" , string (cveID )), slog .String ("commit" , commit ), slog .String ("version" , version ), slog .String ("type" , versionType ))
71-
72- return commit
73- }
74-
75- // Examines repos and tries to convert versions to commits by treating them as Git tags.
76- // Takes a CVE ID string (for logging), VersionInfo with AffectedVersions and
77- // typically no AffectedCommits and attempts to add AffectedCommits (including Fixed commits) where there aren't any.
78- // Refuses to add the same commit to AffectedCommits more than once.
79- func gitVersionsToCommits (cveID models.CVEID , versionRanges []* osvschema.Range , repos []string , metrics * models.ConversionMetrics , cache * git.RepoTagsCache ) (* osvschema.Affected , error ) {
80- var newAff osvschema.Affected
81- var newVersionRanges []* osvschema.Range
82- unresolvedRanges := versionRanges
83-
84- for _ , repo := range repos {
85- if len (unresolvedRanges ) == 0 {
86- break // All ranges have been resolved.
87- }
88-
89- normalizedTags , err := git .NormalizeRepoTags (repo , cache )
90- if err != nil {
91- metrics .AddNote ("Failed to normalize tags - %s" , repo )
92- continue
93- }
94-
95- var stillUnresolvedRanges []* osvschema.Range
96- for _ , vr := range unresolvedRanges {
97- var introduced , fixed , lastAffected string
98- for _ , e := range vr .GetEvents () {
99- if e .GetIntroduced () != "" {
100- introduced = e .GetIntroduced ()
101- }
102- if e .GetFixed () != "" {
103- fixed = e .GetFixed ()
104- }
105- if e .GetLastAffected () != "" {
106- lastAffected = e .GetLastAffected ()
107- }
108- }
109-
110- var introducedCommit string
111- if introduced == "0" {
112- introducedCommit = "0"
113- } else {
114- introducedCommit = resolveVersionToCommit (cveID , introduced , "introduced" , repo , normalizedTags )
115- }
116- fixedCommit := resolveVersionToCommit (cveID , fixed , "fixed" , repo , normalizedTags )
117- lastAffectedCommit := resolveVersionToCommit (cveID , lastAffected , "last_affected" , repo , normalizedTags )
118-
119- if introducedCommit != "" && (fixedCommit != "" || lastAffectedCommit != "" ) {
120- var newVR * osvschema.Range
121-
122- if fixedCommit != "" {
123- newVR = conversion .BuildVersionRange (introducedCommit , "" , fixedCommit )
124- } else {
125- newVR = conversion .BuildVersionRange (introducedCommit , lastAffectedCommit , "" )
126- }
127-
128- newVR .Repo = repo
129- newVR .Type = osvschema .Range_GIT
130- if len (vr .GetEvents ()) > 0 {
131- databaseSpecific , err := utility .NewStructpbFromMap (map [string ]any {"versions" : vr .GetEvents ()})
132- if err != nil {
133- logger .Warn ("failed to make database specific: %v" , err )
134- } else {
135- newVR .DatabaseSpecific = databaseSpecific
136- }
137- }
138-
139- newVersionRanges = append (newVersionRanges , newVR )
140- } else {
141- stillUnresolvedRanges = append (stillUnresolvedRanges , vr )
142- }
143- }
144- unresolvedRanges = stillUnresolvedRanges
145- }
146-
147- var err error
148- if len (unresolvedRanges ) > 0 {
149- databaseSpecific , err := utility .NewStructpbFromMap (map [string ]any {"unresolved_ranges" : unresolvedRanges })
150- if err != nil {
151- logger .Warn ("failed to make database specific: %v" , err )
152- } else {
153- newAff .DatabaseSpecific = databaseSpecific
154- }
155-
156- metrics .UnresolvedRangesCount += len (unresolvedRanges )
157- }
158-
159- if len (newVersionRanges ) > 0 {
160- newAff .Ranges = newVersionRanges
161- metrics .ResolvedRangesCount += len (newVersionRanges )
162- } else if len (unresolvedRanges ) > 0 { // Only error if there were ranges to resolve but none were.
163- err = errors .New ("was not able to get git version ranges" )
164- }
165-
166- return & newAff , err
167- }
168-
16954// findCPEVersionRanges extracts version ranges and CPE strings from the CNA's
17055// CPE applicability statements in a CVE record.
17156func findCPEVersionRanges (cve models.CVE5 ) (versionRanges []* osvschema.Range , cpes []string , err error ) {