diff --git a/test/data/osv_multi_events.json b/test/data/osv_multi_events.json
index 604cb1b..f627f80 100644
--- a/test/data/osv_multi_events.json
+++ b/test/data/osv_multi_events.json
@@ -1,81 +1,21 @@
 {
- "schema_version": "1.4.0",
 "id": "GHSA-6v7w-535j-rq5m",
- "modified": "2024-03-05T18:17:31Z",
- "published": "2018-10-17T20:29:12Z",
- "aliases": [
- "CVE-2015-3192"
- ],
 "summary": "Pivotal Spring Framework DoS Attack with XML Input",
 "details": "Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
- }
- ],
- "affected": [
- {
- "package": {
- "ecosystem": "Maven",
- "name": "org.springframework:spring-web"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- },
- {
- "fixed": "3.2.14"
- }
- ]
- }
- ]
- },
- {
- "package": {
- "ecosystem": "Maven",
- "name": "org.springframework:spring-web"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "4.0.0"
- },
- {
- "fixed": "4.1.7"
- }
- ]
- }
- ]
- },
- {
- "package": {
- "ecosystem": "Maven",
- "name": "org.springframework:spring-web"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "5.0.0.RC2"
- },
- {
- "fixed": "5.0.0.RC3"
- }
- ]
- }
- ],
- "versions": [
- "5.0.0.RC2"
- ]
- }
+ "aliases": [
+ "CVE-2015-3192"
 ],
+ "modified": "2024-03-05T18:31:10.934674Z",
+ "published": "2018-10-17T20:29:12Z",
+ "database_specific": {
+ "nvd_published_at": "2016-07-12T19:59:00Z",
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2020-06-16T21:20:17Z"
+ },
 "references": [
 {
 "type": "ADVISORY",
@@ -178,13 +118,182 @@
 "url": "http://www.securitytracker.com/id/1036587"
 }
 ],
- "database_specific": {
- "cwe_ids": [
- "CWE-119"
- ],
- "severity": "MODERATE",
- "github_reviewed": true,
- "github_reviewed_at": "2020-06-16T21:20:17Z",
- "nvd_published_at": "2016-07-12T19:59:00Z"
- }
+ "affected": [
+ {
+ "package": {
+ "name": "org.springframework:spring-web",
+ "ecosystem": "Maven",
+ "purl": "pkg:maven/org.springframework/spring-web"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.2.14"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "1.0",
+ "1.0-rc1",
+ "1.0.1",
+ "1.1",
+ "1.1-rc1",
+ "1.1-rc2",
+ "1.1.1",
+ "1.1.2",
+ "1.1.3",
+ "1.1.4",
+ "1.1.5",
+ "1.2",
+ "1.2-rc1",
+ "1.2-rc2",
+ "1.2.1",
+ "1.2.2",
+ "1.2.3",
+ "1.2.4",
+ "1.2.5",
+ "1.2.6",
+ "1.2.7",
+ "1.2.8",
+ "1.2.9",
+ "2.0",
+ "2.0-m1",
+ "2.0-m2",
+ "2.0-m3",
+ "2.0-m4",
+ "2.0-m5",
+ "2.0-rc1",
+ "2.0-rc2",
+ "2.0.1",
+ "2.0.2",
+ "2.0.3",
+ "2.0.4",
+ "2.0.5",
+ "2.0.6",
+ "2.0.7",
+ "2.0.8",
+ "2.5",
+ "2.5.1",
+ "2.5.2",
+ "2.5.3",
+ "2.5.4",
+ "2.5.5",
+ "2.5.6",
+ "2.5.6.SEC01",
+ "2.5.6.SEC02",
+ "2.5.6.SEC03",
+ "3.0.0.RELEASE",
+ "3.0.1.RELEASE",
+ "3.0.2.RELEASE",
+ "3.0.3.RELEASE",
+ "3.0.4.RELEASE",
+ "3.0.5.RELEASE",
+ "3.0.6.RELEASE",
+ "3.0.7.RELEASE",
+ "3.1.0.RELEASE",
+ "3.1.1.RELEASE",
+ "3.1.2.RELEASE",
+ "3.1.3.RELEASE",
+ "3.1.4.RELEASE",
+ "3.2.0.RELEASE",
+ "3.2.1.RELEASE",
+ "3.2.10.RELEASE",
+ "3.2.11.RELEASE",
+ "3.2.12.RELEASE",
+ "3.2.13.RELEASE",
+ "3.2.2.RELEASE",
+ "3.2.3.RELEASE",
+ "3.2.4.RELEASE",
+ "3.2.5.RELEASE",
+ "3.2.6.RELEASE",
+ "3.2.7.RELEASE",
+ "3.2.8.RELEASE",
+ "3.2.9.RELEASE"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json"
+ }
+ },
+ {
+ "package": {
+ "name": "org.springframework:spring-web",
+ "ecosystem": "Maven",
+ "purl": "pkg:maven/org.springframework/spring-web"
},
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.0.0"
+ },
+ {
+ "fixed": "4.1.7"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "4.0.0.RELEASE",
+ "4.0.1.RELEASE",
+ "4.0.2.RELEASE",
+ "4.0.3.RELEASE",
+ "4.0.4.RELEASE",
+ "4.0.5.RELEASE",
+ "4.0.6.RELEASE",
+ "4.0.7.RELEASE",
+ "4.0.8.RELEASE",
+ "4.0.9.RELEASE",
+ "4.1.0.RELEASE",
+ "4.1.1.RELEASE",
+ "4.1.2.RELEASE",
+ "4.1.3.RELEASE",
+ "4.1.4.RELEASE",
+ "4.1.5.RELEASE",
+ "4.1.6.RELEASE"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json"
+ }
+ },
+ {
+ "package": {
+ "name": "org.springframework:spring-web",
+ "ecosystem": "Maven",
+ "purl": "pkg:maven/org.springframework/spring-web"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "5.0.0.RC2"
+ },
+ {
+ "fixed": "5.0.0.RC3"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "5.0.0.RC2"
+ ],
+ "database_specific": {
+ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v7w-535j-rq5m/GHSA-6v7w-535j-rq5m.json"
+ }
+ }
+ ],
+ "schema_version": "1.6.0",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/test/test_source.py b/test/test_source.py
index b9c3f31..24dd7ed 100644
--- a/test/test_source.py
+++ b/test/test_source.py
@@ -504,7 +504,7 @@ def test_osv_convert(
 osvlatest = OSVSource()
 cve_data = osvlatest.convert(test_osv_mevents_json)
 assert cve_data
- assert len(cve_data) == 3
+ assert len(cve_data) == 4
 cve_data = osvlatest.convert(test_osv_swift_json)
 assert cve_data
 assert len(cve_data) == 2
diff --git a/vdb/lib/db.py b/vdb/lib/db.py
index e893c6c..7df64e5 100644
--- a/vdb/lib/db.py
+++ b/vdb/lib/db.py
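Review bot: The bumped assertion `assert len(cve_data) == 4` is the only check on what `convert()` produced from `osv_multi_events.json`, and since the updated fixture carries three `affected` entries the test itself does not say where the fourth record comes from, so a regression in how ranges are derived would pass unnoticed as long as the count stays at four. A short comment naming which affected entry is expected to yield two records, or an assertion on the introduced/fixed bounds of each returned record, would pin the behaviour the commit actually relies on. I cannot tell from this diff which entry is split, so the comment should be written by whoever confirmed the new count. The enclosing test_osv_convert begins before this hunk.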
@@ -23,14 +23,12 @@ def build_index(index_pos_list):
 store_end_pos = dp.get("store_end_pos")
 for d in dp.get("index_list"):
 cve_id = d.get("id")
- min_version = d.get(
- "mie",
- d.get("mii"),
- )
- max_version = d.get(
- "mae",
- d.get("mai"),
- )
+ min_version = d.get("mie")
+ if (not min_version or min_version == "*") and d.get("mii"):
+ min_version = d.get("mii")
+ max_version = d.get("mae")
+ if (not max_version or max_version == "*") and d.get("mai"):
+ max_version = d.get("mai")
 if not min_version:
 min_version = "0"
 if not max_version:
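Review bot: When `mie` is `"*"` and `mii` is absent, `min_version` is left as the literal `"*"`, because the new fallback only runs when `d.get("mii")` is truthy and the following `if not min_version:` guard does not treat `"*"` as empty; the `max_version` branch with `mae`/`mai` has the same gap. If `"*"` means an open lower bound, folding it into the default makes that explicit and removes the repeated lookup: `min_version = d.get("mie")` / `if not min_version or min_version == "*":` / `min_version = d.get("mii") or "0"`. For the upper bound the value the existing `if not max_version:` guard falls back to lies outside the hunk, so the analogous rewrite depends on that default. A wildcard that reaches the index as a plain string risks a version comparison that fails to match an advisory, so an index entry carrying only `mie: "*"` is worth a test case. build_index's body starts and ends outside this hunk.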