Trim the range used in index to improve search performance

Signed-off-by: Prabhu Subramanian <[email protected]>

test/data/osv_multi_events.json

@@ -1,81 +1,21 @@
 {
-  "schema_version": "1.4.0",
   "id": "GHSA-6v7w-535j-rq5m",
-  "modified": "2024-03-05T18:17:31Z",
-  "published": "2018-10-17T20:29:12Z",
-  "aliases": [
-    "CVE-2015-3192"
-  ],
   "summary": "Pivotal Spring Framework DoS Attack with XML Input",
   "details": "Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.",
-  "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
-    }
-  ],
-  "affected": [
-    {
-      "package": {
-        "ecosystem": "Maven",
-        "name": "org.springframework:spring-web"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "3.2.14"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "ecosystem": "Maven",
-        "name": "org.springframework:spring-web"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "4.0.0"
-            },
-            {
-              "fixed": "4.1.7"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "ecosystem": "Maven",
-        "name": "org.springframework:spring-web"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "5.0.0.RC2"
-            },
-            {
-              "fixed": "5.0.0.RC3"
-            }
-          ]
-        }
-      ],
-      "versions": [
-        "5.0.0.RC2"
-      ]
-    }
+  "aliases": [
+    "CVE-2015-3192"
   ],
+  "modified": "2024-03-05T18:31:10.934674Z",
+  "published": "2018-10-17T20:29:12Z",
+  "database_specific": {
+    "nvd_published_at": "2016-07-12T19:59:00Z",
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2020-06-16T21:20:17Z"
+  },
   "references": [
     {
       "type": "ADVISORY",
@@ -178,13 +118,182 @@
       "url": "http://www.securitytracker.com/id/1036587"
     }
   ],
-  "database_specific": {
-    "cwe_ids": [
-      "CWE-119"
-    ],
-    "severity": "MODERATE",
-    "github_reviewed": true,
-    "github_reviewed_at": "2020-06-16T21:20:17Z",
-    "nvd_published_at": "2016-07-12T19:59:00Z"
-  }
+  "affected": [
+    {
+      "package": {
+        "name": "org.springframework:spring-web",
+        "ecosystem": "Maven",
+        "purl": "pkg:maven/org.springframework/spring-web"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.2.14"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "1.0",
+        "1.0-rc1",
+        "1.0.1",
+        "1.1",
+        "1.1-rc1",
+        "1.1-rc2",
+        "1.1.1",
+        "1.1.2",
+        "1.1.3",
+        "1.1.4",
+        "1.1.5",
+        "1.2",
+        "1.2-rc1",
+        "1.2-rc2",
+        "1.2.1",
+        "1.2.2",
+        "1.2.3",
+        "1.2.4",
+        "1.2.5",
+        "1.2.6",
+        "1.2.7",
+        "1.2.8",
+        "1.2.9",
+        "2.0",
+        "2.0-m1",
+        "2.0-m2",
+        "2.0-m3",
+        "2.0-m4",
+        "2.0-m5",
+        "2.0-rc1",
+        "2.0-rc2",
+        "2.0.1",
+        "2.0.2",
+        "2.0.3",
+        "2.0.4",
+        "2.0.5",
+        "2.0.6",
+        "2.0.7",
+        "2.0.8",
+        "2.5",
+        "2.5.1",
+        "2.5.2",
+        "2.5.3",
+        "2.5.4",
+        "2.5.5",
+        "2.5.6",
+        "2.5.6.SEC01",
+        "2.5.6.SEC02",
+        "2.5.6.SEC03",
+        "3.0.0.RELEASE",
+        "3.0.1.RELEASE",
+        "3.0.2.RELEASE",
+        "3.0.3.RELEASE",
+        "3.0.4.RELEASE",
+        "3.0.5.RELEASE",
+        "3.0.6.RELEASE",
+        "3.0.7.RELEASE",
+        "3.1.0.RELEASE",
+        "3.1.1.RELEASE",
+        "3.1.2.RELEASE",
+        "3.1.3.RELEASE",
+        "3.1.4.RELEASE",
+        "3.2.0.RELEASE",
+        "3.2.1.RELEASE",
+        "3.2.10.RELEASE",
+        "3.2.11.RELEASE",
+        "3.2.12.RELEASE",
+        "3.2.13.RELEASE",
+        "3.2.2.RELEASE",
+        "3.2.3.RELEASE",
+        "3.2.4.RELEASE",
+        "3.2.5.RELEASE",
+        "3.2.6.RELEASE",
+        "3.2.7.RELEASE",
+        "3.2.8.RELEASE",
+        "3.2.9.RELEASE"
+      ],
+      "database_specific": {
+        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json"
+      }
+    },
+    {
+      "package": {
+        "name": "org.springframework:spring-web",
+        "ecosystem": "Maven",
+        "purl": "pkg:maven/org.springframework/spring-web"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.1.7"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "4.0.0.RELEASE",
+        "4.0.1.RELEASE",
+        "4.0.2.RELEASE",
+        "4.0.3.RELEASE",
+        "4.0.4.RELEASE",
+        "4.0.5.RELEASE",
+        "4.0.6.RELEASE",
+        "4.0.7.RELEASE",
+        "4.0.8.RELEASE",
+        "4.0.9.RELEASE",
+        "4.1.0.RELEASE",
+        "4.1.1.RELEASE",
+        "4.1.2.RELEASE",
+        "4.1.3.RELEASE",
+        "4.1.4.RELEASE",
+        "4.1.5.RELEASE",
+        "4.1.6.RELEASE"
+      ],
+      "database_specific": {
+        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json"
+      }
+    },
+    {
+      "package": {
+        "name": "org.springframework:spring-web",
+        "ecosystem": "Maven",
+        "purl": "pkg:maven/org.springframework/spring-web"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0.RC2"
+            },
+            {
+              "fixed": "5.0.0.RC3"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "5.0.0.RC2"
+      ],
+      "database_specific": {
+        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json"
+      }
+    }
+  ],
+  "schema_version": "1.6.0",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ]
 }

test/test_source.py

@@ -504,7 +504,7 @@ def test_osv_convert(
     osvlatest = OSVSource()
     cve_data = osvlatest.convert(test_osv_mevents_json)
     assert cve_data
-    assert len(cve_data) == 3
+    assert len(cve_data) == 4
     cve_data = osvlatest.convert(test_osv_swift_json)
     assert cve_data
     assert len(cve_data) == 2

vdb/lib/db.py

@@ -23,14 +23,12 @@ def build_index(index_pos_list):
         store_end_pos = dp.get("store_end_pos")
         for d in dp.get("index_list"):
             cve_id = d.get("id")
-            min_version = d.get(
-                "mie",
-                d.get("mii"),
-            )
-            max_version = d.get(
-                "mae",
-                d.get("mai"),
-            )
+            min_version = d.get("mie")
+            if (not min_version or min_version == "*") and d.get("mii"):
+                min_version = d.get("mii")
+            max_version = d.get("mae")
+            if (not max_version or max_version == "*") and d.get("mai"):
+                max_version = d.get("mai")
             if not min_version:
                 min_version = "0"
             if not max_version: