Handles version 0 with osv. Perform case insensitive search

Signed-off-by: Prabhu Subramanian <[email protected]>
AppThreat · Jan 24, 2024 · bd03ca7 · bd03ca7
1 parent b53096f
commit bd03ca7
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "5.5.8"
+version = "5.5.9"
 description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

diff --git a/test/test_utils.py b/test/test_utils.py
@@ -500,6 +500,8 @@ def test_debian_build_compare3():
     assert res
     res = utils.version_compare("247.3-7", "*", "*", None, "99.99.9")
     assert res
+    res = utils.version_compare("4.3.0", "2.0.20126.16343", "4.3.3", None, None)
+    assert res
 
 
 def test_redhat_build_compare():

diff --git a/vdb/lib/db.py b/vdb/lib/db.py
@@ -155,7 +155,7 @@ def _key_func(data, match_list):
         if len(name_ver) == 3:
             # Is name_ver[0] pos?
             if "_" in name_ver[0]:
-                if name_ver[1] == package and version_compare(
+                if name_ver[1].lower() == package.lower() and version_compare(
                     name_ver[2],
                     min_affected_version_including,
                     max_affected_version_including,
@@ -167,7 +167,7 @@ def _key_func(data, match_list):
                 # Check if we have a hit
                 if (
                     name_ver[0] == vendor
-                    and name_ver[1] == package
+                    and name_ver[1].lower() == package.lower()
                     and version_compare(
                         name_ver[2],
                         min_affected_version_including,
@@ -182,7 +182,7 @@ def _key_func(data, match_list):
             # Check if we have a hit
             if (
                 name_ver[1] == vendor
-                and name_ver[2] == package
+                and name_ver[2].lower() == package.lower()
                 and version_compare(
                     name_ver[3],
                     min_affected_version_including,

diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py
@@ -245,6 +245,8 @@ def to_vuln(self, cve_data):
             for r in ranges:
                 events = r.get("events")
                 for ev in events:
+                    if ev.get("introduced", "") in (0, "0", "0.0.0"):
+                        break
                     if ev.get("fixed") or ev.get("last_affected"):
                         needs_version_backup = False
                         break
@@ -308,7 +310,7 @@ def to_vuln(self, cve_data):
                         version_end_including = rversions_list[-1]
                 for ev in events:
                     # Reset all versions for introduced event
-                    if ev.get("introduced"):
+                    if ev.get("introduced") is not None:
                         version_end_including = ""
                         version_start_excluding = ""
                         version_end_excluding = ""