Description
I will work with one example here: CVE-2024-39894
OSV CVE Source: https://api.osv.dev/v1/vulns/CVE-2024-39894
Ecosystem: Debian
Regarding the code, the first and the last version get extracted:
cve-bin-tool/cve_bin_tool/data_sources/osv_source.py
Lines 325 to 336 in e8a0f7f

```python
if events is None and "versions" in package_data:
    versions = package_data["versions"]
    if versions == []:
        continue
    version_affected = affected.copy()
    version_affected["versionStartIncluding"] = versions[0]
    version_affected["versionEndIncluding"] = versions[-1]
    affected_data.append(version_affected)
```
Which results in:
```
sqlite> select * from cve_range where cve_number = 'CVE-2024-39894';
CVE-2024-39894|unknown|openssh|*|1:9.2p1-2||1:9.7p1-7||OSV
```
But these versions are Debian specific. They include the epoch and the release number. Especially the leading epoch causes comparison issues:
```
(Pdb) Version("9.6p1") > Version("1:9.2p1-2") and Version("9.6p1") < Version("1:9.7p1-7")
False
(Pdb) Version("9.6p1") > Version("9.2p1") and Version("9.6p1") < Version("9.7p1")
True
```
The OSV data source should consider the quirks of the different ecosystems. I am not really sure how to handle it. I think I would split it into two entries like this:
```
sqlite> select * from cve_range where cve_number = 'CVE-2024-39894';
CVE-2024-39894|debian|openssh|*|1:9.2p1-2||1:9.7p1-7||OSV
CVE-2024-39894|unknown|openssh|*|9.2p1||9.7p1||OSV
```
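The split proposed above, as an added example that is not cve-bin-tool's own code: `parse_debian_version` separates the Debian epoch and revision from the upstream version, `split_osv_range` emits both `cve_range` rows, and `version_key`/`in_range` are a simplified stand-in for the project's `Version` class that reproduces the epoch comparison problem from the pdb session. All function names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class DebianVersion(NamedTuple):
    epoch: int
    upstream: str
    revision: Optional[str]


def parse_debian_version(version: str) -> DebianVersion:
    """Split a Debian version string into [epoch:]upstream[-revision]."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    # The Debian revision is everything after the last hyphen; the upstream
    # part may itself contain hyphens only when a revision is present.
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return DebianVersion(epoch, version, None)
    return DebianVersion(epoch, upstream, revision)


def version_key(version: str) -> List[Tuple[int, object]]:
    """Simplified stand-in for the Version class: numeric runs as ints, letters as text."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def in_range(version: str, start: str, end: str) -> bool:
    return version_key(start) <= version_key(version) <= version_key(end)


def split_osv_range(cve: str, product: str, versions: List[str], ecosystem: str) -> List[tuple]:
    """Build cve_range rows: the ecosystem row plus, for Debian, an upstream-only row."""
    rows = [(cve, ecosystem.lower(), product, "*", versions[0], "", versions[-1], "", "OSV")]
    if ecosystem == "Debian":
        start = parse_debian_version(versions[0]).upstream
        end = parse_debian_version(versions[-1]).upstream
        rows.append((cve, "unknown", product, "*", start, "", end, "", "OSV"))
    return rows


if __name__ == "__main__":
    rows = split_osv_range("CVE-2024-39894", "openssh", ["1:9.2p1-2", "1:9.7p1-7"], "Debian")
    for row in rows:
        print("|".join(row))
    print(in_range("9.6p1", "1:9.2p1-2", "1:9.7p1-7"))  # False: the leading epoch wins
    print(in_range("9.6p1", rows[1][4], rows[1][6]))    # True: upstream-only range
```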
To reproduce
Scan an SBOM with the component:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:minimal-example",
  "version": 1,
  "components": [
    {
      "name": "openssh",
      "version": "9.6p1",
      "type": "library",
      "cpe": "cpe:2.3:*:*:openssh:9.6p1:*:*:*:*:*:*:*",
      "bom-ref": "openssh@9.61p1"
    }
  ]
}
```
Expected behaviour: Find CVE-2024-39894
Actual behaviour: Not found
Version/platform info
Version of CVE-bin-tool: 3.4
Installed from pypi or github: pypi
Operating system: Linux
```
uname -a
Linux workmachine 6.13.6-1-default #1 SMP PREEMPT_DYNAMIC Mon Mar 10 08:49:24 UTC 2025 (495d82a) x86_64 x86_64 x86_64 GNU/Linux
```
Python version: 3.11.11