feat: support OSV advisories with just versions array in affected (#58

)

detector/database/osv.go

@@ -100,9 +100,22 @@ type Reference struct {
 	URL  string `json:"url"`
 }
 
+type Versions []string
+
+func (vs Versions) includes(v string) bool {
+	for _, v2 := range vs {
+		if v == v2 {
+			return true
+		}
+	}
+
+	return false
+}
+
 type Affected struct {
-	Package Package `json:"package"`
-	Ranges  Affects `json:"ranges,omitempty"`
+	Package  Package  `json:"package"`
+	Versions Versions `json:"versions"`
+	Ranges   Affects  `json:"ranges,omitempty"`
 }
 
 // OSV represents an OSV style JSON vulnerability database entry
@@ -146,16 +159,20 @@ func (osv *OSV) IsAffected(pkg detector.PackageDetails) bool {
 	for _, affected := range osv.Affected {
 		if affected.Package.Ecosystem == pkg.Ecosystem &&
 			affected.Package.NormalizedName() == pkg.Name {
-			if len(affected.Ranges) == 0 {
+			if len(affected.Ranges) == 0 && len(affected.Versions) == 0 {
 				_, _ = fmt.Fprintf(
 					os.Stderr,
-					"%s does not have any ranges - this is probably a mistake!\n",
+					"%s does not have any ranges or versions - this is probably a mistake!\n",
 					osv.ID,
 				)
 
 				continue
 			}
 
+			if affected.Versions.includes(pkg.Version) {
+				return true
+			}
+
 			if affected.Ranges.affectsVersion(pkg.Version) {
 				return true
 			}

detector/database/osv_test.go

@@ -472,3 +472,19 @@ func TestOSV_IsAffected_AffectsWithSemver_MultipleAffected(t *testing.T) {
 		expectIsAffected(t, osv, v, false)
 	}
 }
+
+func TestOSV_IsAffected_OnlyVersions(t *testing.T) {
+	t.Parallel()
+
+	osv := buildOSVWithAffected(
+		database.Affected{
+			Package:  database.Package{Ecosystem: parsers.NpmEcosystem, Name: "my-package"},
+			Versions: []string{"1.0.0"},
+		},
+	)
+
+	expectIsAffected(t, osv, "0.0.0", false)
+	expectIsAffected(t, osv, "1.0.0", true)
+	expectIsAffected(t, osv, "1.0.0-beta1", false)
+	expectIsAffected(t, osv, "1.1.0", false)
+}