OSV data with a single version was getting missed. Affects malware ty…

…pes. (#140)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.0.3"
+version = "6.0.4"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},

test/data/MAL-2024-1396.json

@@ -0,0 +1,46 @@
+{
+  "id": "MAL-2024-1396",
+  "summary": "Malicious code in numberpy (PyPI)",
+  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (e10120613afbbf32d487584c68eaf1ae7f4fc0674f1f119d86beae630a3b9070)\nThe OpenSSF Package Analysis project identified 'numberpy' @ 0.1.0 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n",
+  "modified": "2024-05-31T08:26:49Z",
+  "published": "2024-05-31T08:26:49Z",
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "modified_time": "2024-05-31T08:26:49Z",
+        "import_time": "2024-05-31T08:34:06.567219558Z",
+        "versions": [
+          "0.1.0"
+        ],
+        "source": "ossf-package-analysis",
+        "sha256": "e10120613afbbf32d487584c68eaf1ae7f4fc0674f1f119d86beae630a3b9070"
+      }
+    ]
+  },
+  "affected": [
+    {
+      "package": {
+        "name": "numberpy",
+        "ecosystem": "PyPI",
+        "purl": "pkg:pypi/numberpy"
+      },
+      "versions": [
+        "0.1.0"
+      ],
+      "database_specific": {
+        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/numberpy/MAL-2024-1396.json"
+      }
+    }
+  ],
+  "schema_version": "1.6.0",
+  "credits": [
+    {
+      "name": "OpenSSF: Package Analysis",
+      "contact": [
+        "https://github.com/ossf/package-analysis",
+        "https://openssf.slack.com/channels/package_analysis"
+      ],
+      "type": "FINDER"
+    }
+  ]
+}

test/test_source.py

@@ -189,6 +189,15 @@ def test_osv_npm_star_json():
         return json.loads(fp.read())
 
 
+@pytest.fixture
+def test_osv_mal_json():
+    test_cve_data = os.path.join(
+        os.path.dirname(os.path.realpath(__file__)), "data", "MAL-2024-1396.json"
+    )
+    with open(test_cve_data, "r") as fp:
+        return json.loads(fp.read())
+
+
 @pytest.fixture
 def test_aqua_alsa_json():
     test_cve_data = os.path.join(
@@ -832,6 +841,12 @@ def test_osv_convert2(test_osv_npm_star_json):
     assert len(cve_data) == 3
 
 
+def test_osv_mal_convert(test_osv_mal_json):
+    osvlatest = OSVSource()
+    cve_data = osvlatest.convert(test_osv_mal_json)
+    assert len(cve_data) == 1
+
+
 def test_aqua_convert(
     test_aqua_alsa_json,
     test_aqua_alas_json,

vdb/lib/osv.py

@@ -271,7 +271,7 @@ def to_vuln(cve_data):
             # Problem 2: The versions_list may be unsorted and trying to sort based on semantic versions can fail
             # Solution: We do our best to sort the versions_list. If it fails, we assume the input is sorted and store the first and last entry as min and max.
             # The assumption seems to be working as of today, but could result in false positives or false negatives in the future.
-            needs_version_backup = False
+            needs_version_backup = len(ranges) == 0
             possible_fix_version = ""
             for r in ranges:
                 events = r.get("events")
@@ -280,7 +280,7 @@ def to_vuln(cve_data):
                         needs_version_backup = True
                     if ev.get("fixed"):
                         possible_fix_version = ev.get("fixed")
-            if needs_version_backup and len(versions_list) > 1:
+            if needs_version_backup and len(versions_list):
                 try:
                     min_ver = min(versions_list, key=Version.parse)
                     max_ver = max(versions_list, key=Version.parse)