Impact analysis - Multiple ranges not handled for GIT range #1938

Open
RomainLefeuvre opened this issue Jan 29, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@RomainLefeuvre

Describe the bug
Multiple ranges on the same branch are not handled for GIT type.

I created a toy example based on the "multiple range example": https://ossf.github.io/osv-schema/#multiple-range-example.
In order to avoid recreating a toy repository we will reuse the one that we created for the previous issue:
https://github.com/RomainLefeuvre/osv_issue_minimal_example with the following git history:
[image: git history of the toy repository, not reproduced here]

And this range of events :

"events": [
  {
    "introduced": "d241812d2722d573a7b096d44d139946d8dcb484"   [X]
  },
  {
    "fixed": "ec5e313170f68d3fc575d107a8b92d43ae140249"        [B]
  },
  {
    "introduced": "868d891cffe96cd67b2abac82c62ade7219af9b5"   [C]
  },
  {
    "fixed": "80f15009d903ac95ffc5a5a07a3a213e4980bb62"        [Y]
  }
]
}

b22dc07

To Reproduce
Steps to reproduce the behaviour:

  1. clone https://github.com/RomainLefeuvre/osv.dev
  2. set up your Python virtualenv as described in the osv documentation
  3. from the root level of the repo, execute python -m osv.analyze_tool --detect_cherrypicks true --format json "./osv/osv_bug/vuln_2.json"

Result

❯ python -m  osv.analyze_tool --format json --detect_cherrypicks true "./osv/osv_bug/vuln_2.json"
AnalyzeResult(has_changes=False, commits={'d241812d2722d573a7b096d44d139946d8dcb484', 'e54222cfdedd86a37dc37d999ebc63dccf3fc9da'})

The following commits are detected

  • d241812d2722d573a7b096d44d139946d8dcb484 (X)
  • e54222cfdedd86a37dc37d999ebc63dccf3fc9da (A)

Expected behaviour
C and D should also be reported as vulnerable
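As an added illustration (not code from the issue or from osv.dev), the result the report expects when each "introduced" event is paired with the following "fixed" event of the same range. The history is assumed to be the linear chain X -> A -> B -> C -> D -> Y inferred from the report (the screenshot is not reproduced here), and the commits are referred to by their labels rather than hashes.

```python
from typing import Dict, Iterable, List, Set

# Constructed toy history, child -> parents (assumed linear: X -> A -> B -> C -> D -> Y).
PARENTS: Dict[str, List[str]] = {
    "X": [], "A": ["X"], "B": ["A"], "C": ["B"], "D": ["C"], "Y": ["D"],
}

# Same shape as the OSV "events" array in the report, using the labels.
EVENTS = [
    {"introduced": "X"}, {"fixed": "B"},
    {"introduced": "C"}, {"fixed": "Y"},
]


def descendants(commit: str, parents: Dict[str, List[str]]) -> Set[str]:
    """All commits reachable forward from `commit`, including itself."""
    children: Dict[str, List[str]] = {}
    for child, ps in parents.items():
        for p in ps:
            children.setdefault(p, []).append(child)
    seen, stack = set(), [commit]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(children.get(c, []))
    return seen


def affected_commits(events: Iterable[dict], parents: Dict[str, List[str]]) -> Set[str]:
    """Union over each [introduced, fixed) pair of descendants(introduced) minus descendants(fixed).
    An introduced event with no following fixed event leaves the range open-ended."""
    affected: Set[str] = set()
    introduced = None
    for ev in events:
        if "introduced" in ev:
            if introduced is not None:  # previous range never fixed: everything after it
                affected |= descendants(introduced, parents)
            introduced = ev["introduced"]
        elif "fixed" in ev and introduced is not None:
            affected |= descendants(introduced, parents) - descendants(ev["fixed"], parents)
            introduced = None
    if introduced is not None:
        affected |= descendants(introduced, parents)
    return affected


def first_range_only(events: List[dict], parents: Dict[str, List[str]]) -> Set[str]:
    """What the report observes: only the first introduced/fixed pair is applied."""
    return affected_commits(events[:2], parents)
```

With both ranges applied the affected set is {X, A, C, D}; applying only the first pair gives {X, A}, which matches the output shown in the report.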

@another-rex
Contributor

Thanks for the clear bug report!
