Impact analysis of fixed events - Discrepancy between specification and implementation #1910
Comments
Thanks for reporting this! You are right, and this is because of a TODO in our implementation here (line 180 in 6587285).
If you pass The reasoning behind this is we wanted to be more cautious about surfacing potential false positive matches to our consumers. We keyed this behaviour on
Thanks again for your really quick answer. Thanks for this precision, I understand the reason behind the implementation choice and the need to reduce false positives that can be costly for the end user.
Indeed, in this specific case with the cherry-picked option set to true we obtained the correct result. However, I noticed that for The reason behind that is that for last_affected events, the cherry-pick mechanism is disabled, resulting in the same case that I previously described. To illustrate this example I created a third vulnerability in my fork, replacing the
Result
Expected Results
If you need more details about how to reproduce the bug with the Thanks again. Romain Lefeuvre
Hello, Thanks!
Just to clarify: is this the same issue with
I continued the discussion here as you suggested in #1898, but in my opinion these are two different bugs.
Hi, do you prefer that I open a dedicated issue for this second bug?
Sorry for the slow reply! Please open another bug to make it clear what the second issue is.
I just created a new issue here: #1938. Thanks again
Describe the bug
The OSV.dev implementation of impact analysis diverges from the specification for `fixed` events. They seem to be treated like `limit` events, differently from the example in the specification.
To Reproduce
python -m osv.analyze_tool --format json "./osv/osv_bug/vuln.json"
I.e.:
868d891cffe96cd67b2abac82c62ade7219af9b5 (C)
d241812d2722d573a7b096d44d139946d8dcb484 (X)
e54222cfdedd86a37dc37d999ebc63dccf3fc9da (A)
ec5e313170f68d3fc575d107a8b92d43ae140249 (B)
Note that:
The history of the repo at https://github.com/RomainLefeuvre/osv_issue_minimal_example matches the example in the specification:
The toy vulnerability also matches the one used in the example:
Expected behaviour
D, F and E should also be reported as vulnerable as described:
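To make the reported discrepancy concrete, here is an added toy implementation (not OSV.dev's code, and not part of the issue) of the two readings of a `fixed` event over a small commit graph. The graph, its labels, and the event semantics it encodes (introduced = reachable ancestor, fixed = excluded ancestor, limit = restrict to the limit's ancestors) are assumptions for the example, not the repository or figure from the issue:

```python
from collections import deque

# Constructed commit graph (child -> parents), NOT the spec's example repo.
#   A -> B -> C -> X      X fixes the bug introduced in B
#   B -> D -> E -> F      side branch that never receives the fix
PARENTS = {
    "A": [], "B": ["A"], "C": ["B"], "X": ["C"],
    "D": ["B"], "E": ["D"], "F": ["E"],
}


def ancestors(commit, parents=PARENTS):
    """Return the commit itself plus every ancestor reachable via parents."""
    seen, todo = set(), deque([commit])
    while todo:
        c = todo.popleft()
        if c in seen:
            continue
        seen.add(c)
        todo.extend(parents[c])
    return seen


def affected_per_spec(introduced, fixed=(), limit=(), parents=PARENTS):
    """Assumed spec semantics: a commit is affected when some `introduced`
    commit is among its ancestors, no `fixed` commit is, and (if a `limit`
    is given) the commit is an ancestor of some limit commit."""
    result = set()
    for c in parents:
        anc = ancestors(c, parents)
        if not any(i in anc for i in introduced):
            continue
        if any(f in anc for f in fixed):
            continue
        if limit and not any(c in ancestors(l, parents) for l in limit):
            continue
        result.add(c)
    return result


def affected_fixed_as_limit(introduced, fixed, parents=PARENTS):
    """Behaviour the issue reports: `fixed` applied as if it were also a
    `limit`, so only commits on the path up to the fix are considered and
    unfixed side branches (D, E, F here) silently drop out."""
    return affected_per_spec(introduced, fixed=fixed, limit=fixed,
                             parents=parents)
```

Running both functions with `introduced=["B"]` and `fixed=["X"]` shows D, E and F present under the spec reading and absent under the fixed-as-limit reading.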