From 0d937d9c75ad6efc0aa2bb61042774b161738f42 Mon Sep 17 00:00:00 2001
From: Holly Gong
Date: Tue, 10 Dec 2024 14:32:40 +1100
Subject: [PATCH] feat(API): switch malicious package matching logic
---
 gcp/api/integration_tests.py | 46 ++++++++++++++++++++++++++++++++++++
 osv/ecosystems/nuget.py | 4 ++++
 osv/ecosystems/pypi.py | 4 ++++
 osv/ecosystems/rubygems.py | 4 ++++
 4 files changed, 58 insertions(+)
diff --git a/gcp/api/integration_tests.py b/gcp/api/integration_tests.py
index d9b71f9a0bc..5ae9cf3009f 100644
--- a/gcp/api/integration_tests.py
+++ b/gcp/api/integration_tests.py
@@ -378,6 +378,52 @@ def test_query_comparing_version(self):
 timeout=_TIMEOUT)
 self.assertEqual(0, len(response.json()))
+ def test_malicious_package_matching(self):
+ """"Test malicious package query"""
+ # Test matching by affected ranges
+ mal_2022_7426 = self._get('MAL-2022-7426')
+
+ expected_vulns = [
+ mal_2022_7426,
+ ]
+
+ package = 'pymocks'
+ ecosystem = 'PyPI'
+
+ response = requests.post(
+ _api() + _BASE_QUERY,
+ data=json.dumps({
+ 'version': '0.0.1',
+ 'package': {
+ 'name': package,
+ 'ecosystem': ecosystem,
+ }
+ }),
+ timeout=_TIMEOUT)
+ self.assert_results_equal({'vulns': expected_vulns}, response.json())
+
+ # Test matching by affected versions
+ mal_2024_4618 = self._get('MAL-2024-4618')
+
+ expected_vulns = [
+ mal_2024_4618,
+ ]
+
+ package = 'psbuiId'
+ ecosystem = 'NuGet'
+
+ response = requests.post(
+ _api() + _BASE_QUERY,
+ data=json.dumps({
+ 'version': '1.1.1-beta',
+ 'package': {
+ 'name': package,
+ 'ecosystem': ecosystem,
+ }
+ }),
+ timeout=_TIMEOUT)
+ self.assert_results_equal({'vulns': expected_vulns}, response.json())
+
 def test_query_invalid_ecosystem(self):
 """Test a query with an invalid ecosystem fails validation."""
 response = requests.post(
diff --git a/osv/ecosystems/nuget.py b/osv/ecosystems/nuget.py
index d95b79f46ec..d8ca834267b 100644
--- a/osv/ecosystems/nuget.py
+++ b/osv/ecosystems/nuget.py
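Review bot: The docstring of the new `test_malicious_package_matching` has four leading quote characters, `""""Test malicious package query"""`, so the stored docstring starts with a stray `"`; it should read `"""Test malicious package query."""`. The two cases in the method also rebind `expected_vulns`, `package`, `ecosystem` and `response` back to back, so a failure in the NuGet case is reported from a method whose name and docstring do not say which ecosystem or matching mode broke; wrapping each case in `with self.subTest(ecosystem=ecosystem):`, or splitting them into two test methods, would keep the assertion attributable. The inline comments say the PyPI case exercises affected-range matching and the NuGet case affected-version matching, but nothing in the test asserts which path produced the match, so the test would still pass if both advisories were matched the same way; if that distinction is the point of the commit, a short comment naming what distinguishes the two advisories would make the intent checkable. The enclosing test class starts outside the hunk.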
@@ -125,3 +125,7 @@ def enumerate_versions(self,
 self.sort_versions(versions)
 return self._get_affected_versions(versions, introduced, fixed,
 last_affected, limits)
+
+ @property
+ def supports_comparing(self):
+ return True
diff --git a/osv/ecosystems/pypi.py b/osv/ecosystems/pypi.py
index f1283b0bd90..6164aee3fd6 100644
--- a/osv/ecosystems/pypi.py
+++ b/osv/ecosystems/pypi.py
@@ -52,3 +52,7 @@ def enumerate_versions(self,
 return self._get_affected_versions(versions, introduced, fixed,
 last_affected, limits)
+
+ @property
+ def supports_comparing(self):
+ return True
diff --git a/osv/ecosystems/rubygems.py b/osv/ecosystems/rubygems.py
index 38e528917b4..23ef1fc4cb7 100644
--- a/osv/ecosystems/rubygems.py
+++ b/osv/ecosystems/rubygems.py
@@ -57,3 +57,7 @@ def enumerate_versions(self,
 self.sort_versions(versions)
 return self._get_affected_versions(versions, introduced, fixed,
 last_affected, limits)
+
+ @property
+ def supports_comparing(self):
+ return True
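Review bot: The `supports_comparing` property added to nuget.py carries no docstring, and the identical property added in pypi.py and rubygems.py has the same gap, so a reader has to locate where the base ecosystem class defines the default (presumably outside this patch) to learn what returning `True` commits the ecosystem to. A docstring such as `"""Whether affected ranges can be matched by comparing version strings directly, without enumerating versions."""` would state the contract at the point it is opted into; adjust it if the consumer of this flag has a narrower meaning. Because the commit message says this switches malicious-package matching and the integration test feeds prerelease-style input such as `1.1.1-beta`, it is worth confirming that the comparison path taken when this flag is on handles unparsable or non-canonical version strings deliberately rather than matching nothing by accident; that code is not in this diff. The enclosing classes and the preceding `enumerate_versions` method start outside the hunk.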