From 066b25488cd4b9efb9c861dc4482915c7f0b5926 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 13 Mar 2026 03:16:37 +0000
Subject: [PATCH 1/2] fix: skip vulnerabilities with empty affected ranges in combine-to-osv

Added a helper `hasRanges` to ensure that vulnerabilities missing ranges in their `affected` blocks are skipped and not uploaded unless they are explicitly included in the `mandatoryCVEIDs` slice. Also updated `main_test.go` to assert this new logic correctly.

Co-authored-by: jess-lowe <86962800+jess-lowe@users.noreply.github.com>
---
 vulnfeeds/cmd/combine-to-osv/main.go | 13 +++++++++++--
 vulnfeeds/cmd/combine-to-osv/main_test.go | 20 ++++++++++----------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go
index cbd454cd4a5..ab8a6d88843 100644
--- a/vulnfeeds/cmd/combine-to-osv/main.go
+++ b/vulnfeeds/cmd/combine-to-osv/main.go
@@ -191,7 +191,7 @@ func combineIntoOSV(cve5osv map[models.CVEID]*osvschema.Vulnerability, nvdosv ma
 baseOSV = cve5
 }

- if len(baseOSV.GetAffected()) == 0 {
+ if len(baseOSV.GetAffected()) == 0 || !hasRanges(baseOSV.GetAffected()) {
 // check if part exists.
 if !slices.Contains(mandatoryCVEIDs, string(cveID)) {
 continue
@@ -202,7 +202,7 @@ func combineIntoOSV(cve5osv map[models.CVEID]*osvschema.Vulnerability, nvdosv ma

 // Add any remaining CVEs from NVD that were not in the advisory data.
 for cveID, nvd := range nvdosv {
- if len(nvd.GetAffected()) == 0 {
+ if len(nvd.GetAffected()) == 0 || !hasRanges(nvd.GetAffected()) {
 continue
 }
 osvRecords[cveID] = nvd
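Review bot: The `len(baseOSV.GetAffected()) == 0 ||` half of the new condition at line 194 is redundant, since `hasRanges` already returns false for an empty slice; the line reads cleaner as `if !hasRanges(baseOSV.GetAffected()) {`. The comment beneath it, `// check if part exists.`, no longer describes what the branch does; suggest `// No usable affected ranges: keep the record only if the CVE is explicitly mandated.`. Note that `hasRanges` is satisfied by a single affected entry that has ranges, so a record mixing ranged and range-less affected entries is still uploaded with the range-less entries intact — acceptable if intended, but worth stating in that comment. combineIntoOSV starts and ends outside this hunk.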
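Review bot: The NVD-only loop drops range-less records unconditionally, so the `mandatoryCVEIDs` escape the commit message promises does not apply to a CVE that exists only in the NVD feed; this was already true of the old empty-`affected` check, but the new condition widens the set that is silently dropped. If that is intended, say so in the comment above the loop; otherwise mirror the advisory loop, e.g. `if !hasRanges(nvd.GetAffected()) && !slices.Contains(mandatoryCVEIDs, string(cveID)) {`. As in the previous hunk, the `len(nvd.GetAffected()) == 0 ||` half is redundant with `hasRanges`. Records leave via a bare `continue`; if the command has a logger in scope (not visible here), a debug-level line naming the skipped CVE ID would keep the now-wider skip auditable in feed runs.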
@@ -364,6 +364,15 @@ func pickAffectedInformation(cve5Affected []*osvschema.Affected, nvdAffected []*
 return combinedAffected
 }

+func hasRanges(affected []*osvschema.Affected) bool {
+ for _, a := range affected {
+ if len(a.GetRanges()) > 0 {
+ return true
+ }
+ }
+ return false
+}
+
 // getRangeBoundaryVersions extracts the introduced and fixed versions from a slice of OSV events.
 // It iterates through the events and returns the last non-empty "introduced" and "fixed" versions found.
 func getRangeBoundaryVersions(events []*osvschema.Event) (introduced, fixed string) {
diff --git a/vulnfeeds/cmd/combine-to-osv/main_test.go b/vulnfeeds/cmd/combine-to-osv/main_test.go
index 6930851b895..0fca9cf16a2 100644
--- a/vulnfeeds/cmd/combine-to-osv/main_test.go
+++ b/vulnfeeds/cmd/combine-to-osv/main_test.go
@@ -49,8 +49,8 @@ func TestCombineIntoOSV(t *testing.T) {
 // CVE-2023-0002: from nvd only
 // CVE-2023-0003: from cve5, no affected, but in noPkgCVEs
 // CVE-2023-0004: from cve5, no affected, not in noPkgCVEs, so skipped
- if len(combined) != 4 {
- t.Errorf("Expected 4 combined vulnerabilities, got %d", len(combined))
+ if len(combined) != 2 {
+ t.Errorf("Expected 2 combined vulnerabilities, got %d", len(combined))
 }

 // Test case 1: Merged CVE
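Review bot: `hasRanges` only tests that some affected entry has a non-empty `Ranges` slice, so a range with no events (no `introduced`) still counts as version information and the record is uploaded; if the goal is to drop records without usable ranges, the inner test should look at the events of each range, as sketched below (assuming the generated getter is `GetEvents`, which the `[]*osvschema.Event` parameter of the neighbouring function suggests) — I cannot tell from this hunk whether the upstream converters can emit event-less ranges. The helper is also the only function in view without a doc comment; suggest `// hasRanges reports whether any affected entry carries a version range with at least one event.`. If the shallow check is deliberate, the one-line alternative using the already-imported `slices` package keeps the loop out: `return slices.ContainsFunc(affected, func(a *osvschema.Affected) bool { return len(a.GetRanges()) > 0 })`.
```go
// hasRanges reports whether any affected entry carries a version range with at least one event.
func hasRanges(affected []*osvschema.Affected) bool {
	for _, a := range affected {
		for _, r := range a.GetRanges() {
			if len(r.GetEvents()) > 0 {
				return true
			}
		}
	}

	return false
}
```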
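Review bot: The expected count drops from 4 to 2, but the fixture inventory in the comments directly above is not updated to explain why: it still describes CVE-2023-0003/0004 as `no affected` while the assertions later in this file are rewritten in terms of ranges, and it never says that 0001 and 0002 are now skipped for lacking ranges, which is the whole reason for the new number. Suggest `// CVE-2023-0002: from nvd only, no ranges, so skipped` here (and the matching change to the 0001 line, which sits above the hunk), plus `no ranges` in place of `no affected` on the 0003/0004 lines. The fixture setup these comments describe is outside the hunk.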
@@ -109,22 +109,22 @@ func TestCombineIntoOSV(t *testing.T) {
 t.Errorf("CVE-2023-1234: affected range mismatch (-want +got):\n%s", diff)
 }

- // Test case 2: CVE only in cve5
- if _, ok = combined["CVE-2023-0001"]; !ok {
- t.Error("Expected combined map to contain CVE-2023-0001")
+ // Test case 2: CVE only in cve5 (has no ranges, so it should be skipped)
+ if _, ok = combined["CVE-2023-0001"]; ok {
+ t.Error("Expected combined map to NOT contain CVE-2023-0001 because it has no ranges")
 }

- // Test case 3: CVE only in nvd
- if _, ok = combined["CVE-2023-0002"]; !ok {
- t.Error("Expected combined map to contain CVE-2023-0002")
+ // Test case 3: CVE only in nvd (has no ranges, so it should be skipped)
+ if _, ok = combined["CVE-2023-0002"]; ok {
+ t.Error("Expected combined map to NOT contain CVE-2023-0002 because it has no ranges")
 }

- // Test case 4: No affected, in noPkgCVEs
+ // Test case 4: No ranges, in noPkgCVEs (should be kept)
 if _, ok = combined["CVE-2023-0003"]; !ok {
 t.Error("Expected combined map to contain CVE-2023-0003")
 }

- // Test case 5: No affected, not in noPkgCVEs
+ // Test case 5: No ranges, not in noPkgCVEs (should be skipped)
 if _, ok = combined["CVE-2023-0004"]; ok {
 t.Error("Expected combined map to NOT contain CVE-2023-0004")
 }
From 4af3da2686c16e82733006881980bedd3ca9f7b5 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 13 Mar 2026 03:25:52 +0000
Subject: [PATCH 2/2] fix: resolve nlreturn lint issue in combine-to-osv

Added a blank line before the `return false` statement in the `hasRanges` function to satisfy the `nlreturn` golangci-lint check.

Co-authored-by: jess-lowe <86962800+jess-lowe@users.noreply.github.com>
---
 vulnfeeds/cmd/combine-to-osv/main.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vulnfeeds/cmd/combine-to-osv/main.go b/vulnfeeds/cmd/combine-to-osv/main.go
index ab8a6d88843..8ee3b13f195 100644
--- a/vulnfeeds/cmd/combine-to-osv/main.go
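Review bot: Flipping test cases 2 and 3 from "kept" to "skipped" removes the only assertions that a CVE present in a single source and carrying a range survives combineIntoOSV; the one kept record with ranges that remains, CVE-2023-1234, only exercises the merge path. Suggest adding a cve5-only and an nvd-only fixture that each carry one range, asserting both appear in `combined`, and raising the expected count accordingly, so the new `hasRanges` gate is tested from both sides. The fixture construction is above the hunk, so I cannot see whether 0001/0002 could simply be given a range instead of being demoted to negative cases.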
+++ b/vulnfeeds/cmd/combine-to-osv/main.go
@@ -370,6 +370,7 @@ func hasRanges(affected []*osvschema.Affected) bool {
 return true
 }
 }
+
 return false
 }