Support schema version 1.2.0

docker/exporter/exporter.py

@@ -61,8 +61,7 @@ def _export_ecosystem_to_bucket(self, ecosystem, tmp_dir):
 
         file_path = os.path.join(tmp_dir, bug.id() + '.json')
         osv.write_vulnerability(
-            bug.to_vulnerability(v0_7=False, v0_8=True, include_source=True),
-            file_path)
+            bug.to_vulnerability(include_source=True), file_path)
         zip_file.write(file_path, os.path.basename(file_path))
 
     def upload_single(source_path, target_path):

docker/importer/importer.py

@@ -176,8 +176,7 @@ def import_new_oss_fuzz_entries(self, repo, oss_fuzz_source):
         continue
 
       logging.info('Writing %s', bug.key.id())
-      osv.write_vulnerability(
-          bug.to_vulnerability(v0_7=False, v0_8=True), vulnerability_path)
+      osv.write_vulnerability(bug.to_vulnerability(), vulnerability_path)
       # The source of truth is now this yaml file.
       bug.source_of_truth = osv.SourceOfTruth.SOURCE_REPO
       exported.append(bug)
@@ -372,8 +371,7 @@ def export_oss_fuzz(vulnerability, testcase_id, issue_id):
           continue
 
         _, source_id = osv.parse_source_id(bug.source_id)
-        executor.submit(export_oss_fuzz,
-                        bug.to_vulnerability(v0_7=False, v0_8=True), source_id,
+        executor.submit(export_oss_fuzz, bug.to_vulnerability(), source_id,
                         bug.issue_id)
 
 

docker/importer/importer_test.py

@@ -99,8 +99,22 @@ def test_basic(self, mock_publish):
             'ecosystem_specific': {
                 'severity': 'MEDIUM',
             },
+            'database_specific': {
+                'database_specific': 1337,
+            },
         }],
         affected_fuzzy=['5-29', '5-30'],
+        credits=[{
+            'name': 'Foo bar',
+            'contact': [],
+        }, {
+            'name': 'Bar foo',
+            'contact': ['mailto:bar@foo.com'],
+        }],
+        severities=[{
+            'type': 'CVSS_V3',
+            'score': '7.5',
+        }],
         details=(
             'OSS-Fuzz report: '
             'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064\n\n'
@@ -121,7 +135,11 @@ def test_basic(self, mock_publish):
         source_of_truth=osv.SourceOfTruth.INTERNAL,
         status=1,
         summary='Heap-buffer-overflow in cdf_file_property_info',
-        timestamp=datetime.datetime(2021, 1, 15, 0, 0, 24, 559102)).put()
+        timestamp=datetime.datetime(2021, 1, 15, 0, 0, 24, 559102),
+        database_specific={
+            'database_specific': 1337
+        },
+    ).put()
 
     self.mock_repo.add_file('2021-111.yaml', _EMPTY_VULNERABILITY)
     self.mock_repo.commit('User', 'user@email')
@@ -158,12 +176,15 @@ def test_basic(self, mock_publish):
 
     self.mock_storage_client().get_bucket.assert_called_with('bucket')
     bucket = self.mock_storage_client().get_bucket('bucket')
-    expected_upload_contents = self._load_test_data('expected.json')
+
+    expected_json = bucket.blob().upload_from_string.call_args[0][0]
+    self.expect_equal('expected.json', expected_json)
+
     bucket.blob.assert_has_calls([
         mock.call('testcase/5417710252982272.json'),
-        mock.call().upload_from_string(expected_upload_contents),
+        mock.call().upload_from_string(expected_json),
         mock.call('issue/1064.json'),
-        mock.call().upload_from_string(expected_upload_contents),
+        mock.call().upload_from_string(expected_json),
     ])
 
   @mock.patch('google.cloud.pubsub_v1.PublisherClient.publish')

docker/importer/testdata/ImporterTest_diff_basic.txt

@@ -1,9 +1,9 @@
 ('diff --git a/file/OSV-2017-134.yaml b/file/OSV-2017-134.yaml\n'
  'new file mode 100644\n'
- 'index 0000000..49f0c47\n'
+ 'index 0000000..f76d8c2\n'
  '--- /dev/null\n'
  '+++ b/file/OSV-2017-134.yaml\n'
- '@@ -0,0 +1,31 @@\n'
+ '@@ -0,0 +1,44 @@\n'
  '+id: OSV-2017-134\n'
  '+summary: Heap-buffer-overflow in cdf_file_property_info\n'
  '+details: |\n'
@@ -17,6 +17,8 @@
  '+  cdf_check_summary_info\n'
  "+modified: '2021-01-01T00:00:00Z'\n"
  "+published: '2021-01-15T00:00:24.559102Z'\n"
+ '+database_specific:\n'
+ '+  database_specific: 1337.0\n'
  '+references:\n'
  '+- type: REPORT\n'
  '+  url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064\n'
@@ -35,4 +37,15 @@
  '+  - FILE5_29\n'
  '+  - FILE5_30\n'
  '+  ecosystem_specific:\n'
- '+    severity: MEDIUM\n')
+ '+    severity: MEDIUM\n'
+ '+  database_specific:\n'
+ '+    database_specific: 1337.0\n'
+ '+schema_version: 1.2.0\n'
+ '+severity:\n'
+ '+- type: CVSS_V3\n'
+ "+  score: '7.5'\n"
+ '+credits:\n'
+ '+- name: Foo bar\n'
+ '+- name: Bar foo\n'
+ '+  contact:\n'
+ '+  - mailto:bar@foo.com\n')

docker/importer/testdata/ImporterTest_expected.json.txt

@@ -0,0 +1,19 @@
+('{"id": "OSV-2017-134", "summary": "Heap-buffer-overflow in '
+ 'cdf_file_property_info", "details": "OSS-Fuzz report: '
+ 'https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064\\n\\nCrash type: '
+ 'Heap-buffer-overflow READ 1\\nCrash '
+ 'state:\\ncdf_file_property_info\\ncdf_file_summary_info\\ncdf_check_summary_info\\n", '
+ '"modified": "2021-01-01T00:00:00Z", "published": '
+ '"2021-01-15T00:00:24.559102Z", "database_specific": {"database_specific": '
+ '1337.0}, "references": [{"type": "REPORT", "url": '
+ '"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1064"}], "affected": '
+ '[{"package": {"name": "file", "ecosystem": "OSS-Fuzz", "purl": '
+ '"pkg:generic/file"}, "ranges": [{"type": "GIT", "repo": '
+ '"https://github.com/file/file.git", "events": [{"introduced": '
+ '"17ee4cf670c363de8d2ea4a4897d7a699837873f"}, {"fixed": '
+ '"19ccebafb7663c422c714e0c67fa4775abf91c43"}]}], "versions": ["FILE5_29", '
+ '"FILE5_30"], "ecosystem_specific": {"severity": "MEDIUM"}, '
+ '"database_specific": {"database_specific": 1337.0}}], "schema_version": '
+ '"1.2.0", "severity": [{"type": "CVSS_V3", "score": "7.5"}], "credits": '
+ '[{"name": "Foo bar"}, {"name": "Bar foo", "contact": '
+ '["mailto:bar@foo.com"]}]}')

docker/worker/testdata/BLAH-123.old.yaml

@@ -6,7 +6,9 @@ summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
+severity:
+- type: CVSS_V3
+  score: '7.5'
 affects:
   ranges:
   - type: GIT

docker/worker/testdata/BLAH-123.yaml

@@ -3,7 +3,13 @@ summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
+severity:
+- type: CVSS_V3
+  score: '7.5'
+credits:
+- name: Foo bar
+  contact:
+  - mailto:foo@bar.com
 references:
 - type: WEB
   url: https://ref.com/ref
@@ -19,3 +25,5 @@ affected:
     - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
   versions:
   - branch-v0.1.1
+database_specific:
+  specific: 1337

docker/worker/testdata/BLAH-124.old.yaml

@@ -6,7 +6,6 @@ summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
 affects:
   ranges:
   - type: GIT

docker/worker/testdata/BLAH-125.yaml

@@ -6,7 +6,9 @@ summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
+severity:
+- type: CVSS_V3
+  score: '7.5'
 affects:
   ranges:
   - type: GIT

docker/worker/testdata/BLAH-126.yaml

@@ -1,18 +1,18 @@
 id: BLAH-126
-package:
-  name: blah.com/package
-  ecosystem: golang
 summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
-affects:
+affected:
+- package:
+    name: blah.com/package
+    ecosystem: golang
   ranges:
   - type: GIT
     repo: https://osv-test/repo/url
-    introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
-    fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
+    events:
+    - introduced: eefe8ec3f1f90d0e684890e810f3f21e8500a4cd
+    - fixed: 8d8242f545e9cec3e6d0d2e3f5bde8be1c659735
   versions:
   - branch-v0.1.1
 references:

docker/worker/testdata/BLAH-127.old.yaml

@@ -6,7 +6,6 @@ summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
 affects:
   ranges:
   - type: GIT

docker/worker/testdata/BLAH-128.yaml

@@ -3,7 +3,6 @@ summary: A vulnerability
 details: |
   Blah blah blah
   Blah
-severity: HIGH
 references:
 - type: WEB
   url: https://ref.com/ref

docker/worker/testdata/ImpactTest_basic.txt

@@ -20,11 +20,11 @@
                                                  'v0.1.1']}],
     'affected_ranges': [],
     'aliases': [],
+    'credits': [],
     'database_specific': None,
     'db_id': 'OSV-2020-1337',
     'details': 'DETAILS',
     'ecosystem': ['ecosystem'],
-    'ecosystem_specific': None,
     'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735',
     'has_affected': True,
     'is_fixed': True,
@@ -43,7 +43,7 @@
                           'osv-2020-1337',
                           'project'],
     'semver_fixed_indexes': [],
-    'severity': 'MEDIUM',
+    'severities': [],
     'source': 'oss-fuzz',
     'source_id': 'oss-fuzz:123',
     'source_of_truth': 1,

docker/worker/testdata/ImpactTest_fixed_range_too_long.txt

@@ -18,11 +18,11 @@
                                                  'v0.2']}],
     'affected_ranges': [],
     'aliases': [],
+    'credits': [],
     'database_specific': None,
     'db_id': 'OSV-2020-1337',
     'details': 'DETAILS',
     'ecosystem': ['ecosystem'],
-    'ecosystem_specific': None,
     'fixed': 'eefe8ec3f1f90d0e684890e810f3f21e8500a4cd:b587c21c36a84e16cfc6b39eb68578d43b5281ad',
     'has_affected': True,
     'is_fixed': True,
@@ -41,7 +41,7 @@
                           'osv-2020-1337',
                           'project'],
     'semver_fixed_indexes': [],
-    'severity': 'MEDIUM',
+    'severities': [],
     'source': 'oss-fuzz',
     'source_id': 'oss-fuzz:123',
     'source_of_truth': 1,

docker/worker/testdata/ImpactTest_not_fixed.txt

@@ -18,11 +18,11 @@
                                                  'v0.2']}],
     'affected_ranges': [],
     'aliases': [],
+    'credits': [],
     'database_specific': None,
     'db_id': 'OSV-2020-1337',
     'details': 'DETAILS',
     'ecosystem': ['ecosystem'],
-    'ecosystem_specific': None,
     'fixed': '',
     'has_affected': True,
     'is_fixed': False,
@@ -41,7 +41,7 @@
                           'osv-2020-1337',
                           'project'],
     'semver_fixed_indexes': [],
-    'severity': 'MEDIUM',
+    'severities': [],
     'source': 'oss-fuzz',
     'source_id': 'oss-fuzz:123',
     'source_of_truth': 1,

docker/worker/testdata/ImpactTest_range.txt

@@ -18,11 +18,11 @@
                                                  'v0.2']}],
     'affected_ranges': [],
     'aliases': [],
+    'credits': [],
     'database_specific': None,
     'db_id': 'OSV-2020-1337',
     'details': 'DETAILS',
     'ecosystem': ['ecosystem'],
-    'ecosystem_specific': None,
     'fixed': 'b1c95a196f22d06fcf80df8c6691cd113d8fefff:36f0bd9549298b44f9ff2496c9dd1326b3a9d0e2',
     'has_affected': True,
     'is_fixed': True,
@@ -41,7 +41,7 @@
                           'osv-2020-1337',
                           'project'],
     'semver_fixed_indexes': [],
-    'severity': 'MEDIUM',
+    'severities': [],
     'source': 'oss-fuzz',
     'source_id': 'oss-fuzz:123',
     'source_of_truth': 1,

docker/worker/testdata/ImpactTest_simplify_range.txt

@@ -20,11 +20,11 @@
                                                  'v0.1.1']}],
     'affected_ranges': [],
     'aliases': [],
+    'credits': [],
     'database_specific': None,
     'db_id': 'OSV-2020-1337',
     'details': 'DETAILS',
     'ecosystem': ['ecosystem'],
-    'ecosystem_specific': None,
     'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735',
     'has_affected': True,
     'is_fixed': True,
@@ -43,7 +43,7 @@
                           'osv-2020-1337',
                           'project'],
     'semver_fixed_indexes': [],
-    'severity': 'MEDIUM',
+    'severities': [],
     'source': 'oss-fuzz',
     'source_id': 'oss-fuzz:123',
     'source_of_truth': 1,

docker/worker/testdata/ImpactTest_zero_regression_range.txt

@@ -16,11 +16,11 @@
                                                  'v0.1.1']}],
     'affected_ranges': [],
     'aliases': [],
+    'credits': [],
     'database_specific': None,
     'db_id': 'OSV-2020-1337',
     'details': 'DETAILS',
     'ecosystem': ['ecosystem'],
-    'ecosystem_specific': None,
     'fixed': '8d8242f545e9cec3e6d0d2e3f5bde8be1c659735',
     'has_affected': True,
     'is_fixed': True,
@@ -39,7 +39,7 @@
                           'osv-2020-1337',
                           'project'],
     'semver_fixed_indexes': [],
-    'severity': 'MEDIUM',
+    'severities': [],
     'source': 'oss-fuzz',
     'source_id': 'oss-fuzz:123',
     'source_of_truth': 1,