Skip to content

feat(exposure): add any-version ("*") catalog entries in schema v0.2.0#65

Open
adel-pplx wants to merge 2 commits into
mainfrom
feat-catalog-any-version
Open

feat(exposure): add any-version ("*") catalog entries in schema v0.2.0#65
adel-pplx wants to merge 2 commits into
mainfrom
feat-catalog-any-version

Conversation

@adel-pplx

@adel-pplx adel-pplx commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds schema v0.2.0: a catalog entry may declare "versions": ["*"] to match every version of a package. tools/osvcatalog now emits ["*"] for OSV affected entries whose ranges declare all versions affected (a single introduced: "0" SEMVER/ECOSYSTEM event) instead of dropping them — on the current OSV npm dump this raises coverage from ~17.9k to ~214k entries (196k any-version). v0.1.0 catalogs are still accepted and cannot use "*"; bounded ranges remain out of scope.

Fixes #64

Notes: a regenerated full npm catalog is ~63.4 MiB, just under the 64 MiB default --max-catalog-size. Catalogs in one directory must still share a single schema_version, so a second commit bumps the shipped threat_intel/ catalogs and the embedded selftest catalog to 0.2.0 (entry content unchanged) to keep them mergeable with generated catalogs.

Tests

  • exposure: any-version match (arbitrary and empty record versions, miss for other packages), "*" mixed with exact versions rejected, "*" under schema 0.1.0 rejected, both supported schema versions parse.
  • osv: all-versions SEMVER/ECOSYSTEM ranges emit ["*"] while bounded and GIT-only ranges stay skipped, wildcard wins over enumerated versions for the same package, and a generated catalog round-trips through exposure.LoadFile and matches an arbitrary version.
  • scanner: finding for an any-version entry carries the installed version and distinct evidence text.
  • Manually regenerated catalogs from current OSV npm and Go dumps; both validate against the v0.2.0 schema and a live scan flags a wildcard-covered package.

Checks

  • gofmt / go vet / go test / go test -race / go build / selftest — pass.
  • govulncheck — reports Go stdlib advisories from the local toolchain patch level only, in files untouched here; enforced by CI.

adel-pplx added 2 commits July 8, 2026 19:52
A catalog entry may declare versions ["*"] to match every version of
its package. tools/osvcatalog emits ["*"] for OSV affected entries
whose ranges declare all versions affected (a single introduced:"0"
SEMVER/ECOSYSTEM event) instead of dropping them, raising npm
malicious-package coverage from ~8% to ~96% of the OSV corpus.
v0.1.0 catalogs are still accepted; they cannot use "*".

Fixes #64
All threat_intel catalogs and the embedded selftest catalog now
declare 0.2.0, so they can be merged in one --exposure-catalog
directory with generated v0.2.0 catalogs (the loader requires a
uniform schema_version per directory). Entry content is unchanged;
two trapdoor comments referencing "the v0.1 schema enum" are made
version-neutral.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

osvcatalog: all-versions (range-only) MAL records are dropped — ~92% of npm malicious packages

1 participant