Handle pysec data with ghsa (#101)

Signed-off-by: Prabhu Subramanian <[email protected]>
AppThreat · Feb 25, 2024 · 926d5a5 · 926d5a5
1 parent c33bb27
commit 926d5a5
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/test/test_source.py b/test/test_source.py
@@ -501,8 +501,7 @@ def test_osv_convert(
     assert cve_data
     assert len(cve_data) == 1
     cve_data = osvlatest.convert(test_osv_pypi2_json)
-    assert cve_data
-    assert len(cve_data) == 1
+    assert not cve_data
 
 
 def test_aqua_convert(

diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py
@@ -114,6 +114,14 @@ def to_vuln(cve_data):
         references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
         if isinstance(references, bytes):
             references = references.decode("utf-8", "ignore")
+        # Quality of PYSEC data is quite low missing both severity and score
+        # Where a PYSEC feed also reference a github id, let's ignore it since G comes before P
+        #   so it would have gotten processed
+        # Fixes #99
+        if cve_id.startswith("PYSEC"):
+            for i in aliases:
+                if i.startswith("GHSA"):
+                    return ret_data
         # Try to locate the CVE id from the aliases section
         if not cve_id.startswith("CVE") and not cve_id.startswith("RUSTSEC"):
             for i in aliases: