chore: only extract versions from packages in the generator ecosystem (#957)

Cherry-picked from G-Rath/osv-detector#241

---

Currently the generators assume that all packages in an OSV are for
their respective ecosystem, which, since they download ecosystem-specific
databases, is _mostly_ true, but there are a few OSVs that are for
packages that exist across more than one ecosystem.

This has not been a problem up until now because either the versions in
such OSVs happen to be compatible with the native ecosystem version parser
or we're skipping invalid versions for legacy reasons, but now
GHSA-5844-q3fc-56rh exists, which has versions that are invalid in Ruby.
G-Rath committed May 6, 2024
1 parent cbc9678 commit 94dc496
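The situation the commit message describes, as an added example that is not part of this repository's generators: one constructed OSV record whose `affected` list spans PyPI, Packagist and Debian, a filter that keeps only the generator's own ecosystem, and a deliberately strict stand-in parser that shows which of the other ecosystems' version strings an unfiltered generator would have tripped over. The advisory data, the `in_ecosystem`, `extract_packages_with_versions` and `unparseable_versions` helpers and the hypothetical `parse_dotted` parser are all assumptions of this example; the only convention taken from OSV itself is that an ecosystem name may carry a release suffix after a colon (`Debian:11`), which is why the Debian generator in the diff uses a prefix match. The filter here generalises that suffix rule to any ecosystem rather than special-casing Debian.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample input (not a real advisory): a single OSV whose
# "affected" list spans three ecosystems, as the commit message describes.
SAMPLE_OSVS = json.loads("""
[
  {
    "id": "EXAMPLE-0001",
    "affected": [
      {"package": {"ecosystem": "PyPI", "name": "example-lib"},
       "versions": ["1.0.0", "1.1.0"]},
      {"package": {"ecosystem": "Packagist", "name": "vendor/example-lib"},
       "versions": ["v1.0.0-beta1", "v1.1.0"]},
      {"package": {"ecosystem": "Debian:11", "name": "example-lib"},
       "versions": ["1.0.0-1+deb11u1"]},
      {"package": {"ecosystem": "PyPI", "name": "example-lib"},
       "ranges": [{"type": "ECOSYSTEM",
                   "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]}]}
    ]
  }
]
""")


def in_ecosystem(ecosystem: str, wanted: str) -> bool:
    """Match an OSV ecosystem string against the generator's ecosystem.

    OSV may append a release suffix after a colon ("Debian:11"); matching
    on "wanted + ':'" keeps that behaviour without also accepting unrelated
    names that merely start with the same letters.
    """
    return ecosystem == wanted or ecosystem.startswith(wanted + ":")


def extract_packages_with_versions(osvs, wanted: str) -> Dict[str, List[str]]:
    """Collect package -> versions for one ecosystem only, skipping the rest."""
    packages: Dict[str, List[str]] = {}
    for osv in osvs:
        for affected in osv.get("affected", []):
            package = affected.get("package")
            if package is None or not in_ecosystem(package.get("ecosystem", ""), wanted):
                continue  # same role as the continue/next/return added in the diff
            versions = packages.setdefault(package["name"], [])
            for version in affected.get("versions", []):
                if version not in versions:
                    versions.append(version)
    return packages


def parse_dotted(version: str) -> Tuple[int, ...]:
    """Hypothetical, deliberately strict stand-in for an ecosystem's native
    version parser: accepts only digits separated by dots."""
    return tuple(int(part) for part in version.split("."))


def unparseable_versions(osvs, parse: Callable[[str], object] = parse_dotted) -> List[str]:
    """Versions across *all* affected entries that `parse` rejects: what an
    unfiltered generator would have fed to the wrong ecosystem's parser."""
    rejected: List[str] = []
    for osv in osvs:
        for affected in osv.get("affected", []):
            for version in affected.get("versions", []):
                try:
                    parse(version)
                except ValueError:
                    rejected.append(version)
    return rejected


if __name__ == "__main__":
    print("PyPI:", extract_packages_with_versions(SAMPLE_OSVS, "PyPI"))
    print("Debian:", extract_packages_with_versions(SAMPLE_OSVS, "Debian"))
    print("rejected without filtering:", unparseable_versions(SAMPLE_OSVS))
```

Run stand-alone it prints the filtered PyPI and Debian maps and the three version strings (`v1.0.0-beta1`, `v1.1.0`, `1.0.0-1+deb11u1`) that the strict parser rejects; every version that survives the PyPI filter parses, which is the property the change in this commit restores for the real generators.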
Showing 5 changed files with 18 additions and 0 deletions.
4 changes: 4 additions & 0 deletions scripts/generators/GenerateMavenVersions.java
@@ -94,6 +94,10 @@ public static Map<String, List<String>> fetchPackageVersions() throws IOExceptio
osvs.forEach(osv -> osv.getJSONArray("affected").forEach(aff -> {
JSONObject affected = (JSONObject) aff;

if(affected.getJSONObject("package").getString("ecosystem").equals("Maven")) {
return;
}

String pkgName = affected.getJSONObject("package").getString("name");

if(!affected.has("versions")) {
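Review bot: the new ecosystem check in this hunk is inverted: `if(affected.getJSONObject("package").getString("ecosystem").equals("Maven")) { return; }` skips exactly the Maven entries and keeps every other ecosystem, the opposite of what the commit message describes and of the other four generators, which test for a mismatch (`!= "CRAN"`, `!== 'Packagist'`, `!= 'PyPI'`) and skip on it. The condition needs a negation, `if(!affected.getJSONObject("package").getString("ecosystem").equals("Maven")) {`; as written the Maven generator would emit no versions for any Maven package while still feeding the cross-ecosystem version strings this change is meant to exclude into the Maven parser. (`return` inside the `forEach` lambda is the right way to continue to the next element, so only the condition needs changing.)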
4 changes: 4 additions & 0 deletions scripts/generators/generate-cran-versions.R
@@ -24,6 +24,10 @@ extract_packages_with_versions <- function(osvs) {

for (osv in osvs) {
for (affected in osv$affected) {
if (affected$package$ecosystem != "CRAN") {
next
}

package <- affected$package$name

if (!(package %in% names(result))) {
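Review bot: `if (affected$package$ecosystem != "CRAN")` has no guard for a missing field: if an `affected` entry ever lacks `package` or `package$ecosystem`, `$` yields `NULL`, `NULL != "CRAN"` evaluates to `logical(0)`, and `if` aborts the whole generator with "argument is of length zero". The Python generators' `affected['package']['ecosystem']` would raise a `KeyError` in the same case, so this is pre-existing fragility rather than a regression, but `if (is.null(affected$package$ecosystem) || affected$package$ecosystem != "CRAN") next` keeps the loop going at no cost and is worth doing while this line is being touched.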
3 changes: 3 additions & 0 deletions scripts/generators/generate-debian-versions.py
@@ -47,6 +47,9 @@ def extract_packages_with_versions(osvs):

for osv in osvs:
for affected in osv['affected']:
if not affected['package']['ecosystem'].startswith('Debian'):
continue

package = affected['package']['name']

if package not in dict:
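Review bot: `startswith('Debian')` is the one prefix match among five equality checks and it is undocumented; a one-line comment should say why, namely that OSV names Debian ecosystems with a release suffix (`Debian:11`, `Debian:12`, ...) and the generator wants all of them. A bare prefix match would also accept any future ecosystem whose name merely begins with `Debian`; `ecosystem == 'Debian' or ecosystem.startswith('Debian:')` states the suffix rule exactly and is no longer than the comment explaining the looser check.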
4 changes: 4 additions & 0 deletions scripts/generators/generate-packagist-versions.php
@@ -79,6 +79,10 @@ function fetchPackageVersions(): array

foreach ($osvs as $osv) {
foreach ($osv['affected'] as $affected) {
if ($affected['package']['ecosystem'] !== 'Packagist') {
continue;
}

$package = $affected['package']['name'];

if (!isset($packages[$package])) {
3 changes: 3 additions & 0 deletions scripts/generators/generate-pypi-versions.py
@@ -40,6 +40,9 @@ def extract_packages_with_versions(osvs):

for osv in osvs:
for affected in osv['affected']:
if affected['package']['ecosystem'] != 'PyPI':
continue

package = affected['package']['name']

if package not in dict:
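Review bot: style, not introduced by this hunk but visible in its context line `if package not in dict:`: the accumulator is named `dict`, shadowing the builtin for the rest of the function (the Debian generator does the same). Renaming it `packages`, as the Packagist generator's `$packages` already does, would remove the shadowing and make the three generators read alike. The new `!= 'PyPI'` check itself matches the CRAN and Packagist hunks.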
