Handle pysec data with ghsa (#100)

Signed-off-by: Prabhu Subramanian <[email protected]>

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "5.6.3"
+version = "5.6.4"
 description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

test/test_source.py

@@ -458,8 +458,7 @@ def test_osv_convert(
     assert cve_data
     assert len(cve_data) == 1
     cve_data = osvlatest.convert(test_osv_pypi2_json)
-    assert cve_data
-    assert len(cve_data) == 1
+    assert not cve_data
 
 
 def test_aqua_convert(

vdb/cli.py

@@ -177,7 +177,7 @@ def main():
         # AquaSource also includes NVD
         if args.cache_os:
             sources.insert(0, AquaSource())
-        elif not args.only_aqua:
+        elif not args.only_aqua and not args.only_osv:
             sources.append(NvdSource())
         for s in sources:
             LOG.info("Refreshing %s", s.__class__.__name__)

vdb/lib/osv.py

@@ -121,6 +121,14 @@ def to_vuln(self, cve_data):
         references = json_lib.dumps(references)
         if isinstance(references, bytes):
             references = references.decode("utf-8", "ignore")
+        # Quality of PYSEC data is quite low missing both severity and score
+        # Where a PYSEC feed also reference a github id, let's ignore it since G comes before P
+        #   so it would have gotten processed
+        # Fixes #99
+        if cve_id.startswith("PYSEC"):
+            for i in aliases:
+                if i.startswith("GHSA"):
+                    return ret_data
         # Try to locate the CVE id from the aliases section
         if not cve_id.startswith("CVE") and not cve_id.startswith("RUSTSEC"):
             for i in aliases: