
osv: parse database_specific severity when no CVSS severity is defined #1294

Merged: 1 commit, Mar 20, 2024

Conversation

@crozzy (Contributor) commented Mar 19, 2024

Occasionally there are OSV advisories that don't include any severity information in the .severity object but they do contain a severity in the .database_specific object. This change attempts to parse that severity if we don't get a severity from the native .severity object.

@crozzy crozzy requested a review from a team as a code owner March 19, 2024 22:20
@crozzy crozzy requested review from hdonnay and removed request for a team March 19, 2024 22:20
@crozzy (Contributor, Author) commented Mar 19, 2024

original idea from @RTann and @celek #1142

codecov bot commented Mar 19, 2024

Codecov Report

Attention: Patch coverage is 56.52174%, with 10 lines in your changes missing coverage. Please review.

Project coverage is 55.84%. Comparing base (417c2b0) to head (fed6af8).
Report is 3 commits behind head on main.

File                 Patch %   Lines
updater/osv/osv.go   56.52%    10 Missing ⚠️
@@            Coverage Diff             @@
##             main    #1294      +/-   ##
==========================================
+ Coverage   55.33%   55.84%   +0.50%     
==========================================
  Files         265      265              
  Lines       16574    16597      +23     
==========================================
+ Hits         9172     9268      +96     
+ Misses       6451     6366      -85     
- Partials      951      963      +12     


@hdonnay (Member) left a comment

LGTM

Occasionally there are OSV advisories that don't include any severity
information in the `.severity` object but they do contain a severity in
the `.database_specific` object. This change attempts to parse that
severity if we don't get a severity from the native `.severity` object.

Signed-off-by: crozzy <joseph.crosland@gmail.com>
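As an added worked example (not claircore's code and not this PR's diff), the Go program below implements the lookup order that the PR description and the commit message above describe: read the native `.severity` array first, and only when it yields no usable score fall back to `.database_specific`. The `database_specific.severity` key and its spellings follow what the GitHub Advisory Database publishes in its OSV export (`"severity": "MODERATE"`), but OSV does not standardize that object, so the key name, the label set, the `Severity` result type and all sample advisories are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Advisory is the subset of the OSV schema this example reads.
type Advisory struct {
	ID               string          `json:"id"`
	Severity         []OSVSeverity   `json:"severity"`
	DatabaseSpecific json.RawMessage `json:"database_specific"` // opaque, publisher-defined
}

// OSVSeverity is one entry of the native .severity array.
type OSVSeverity struct {
	Type  string `json:"type"`  // "CVSS_V2", "CVSS_V3" or "CVSS_V4"
	Score string `json:"score"` // a CVSS vector string
}

// Severity records what was found and where, so the choice stays auditable.
type Severity struct {
	Source string // "severity", "database_specific" or "none"
	Kind   string // "cvss" (Value is a vector) or "label" (Value is a normalized word)
	Value  string
}

// cvssRank orders .severity entries so the newest CVSS version wins; unknown types rank 0.
var cvssRank = map[string]int{"CVSS_V2": 2, "CVSS_V3": 3, "CVSS_V4": 4}

// labels folds publisher spellings (the GitHub Advisory Database writes "MODERATE")
// onto a fixed set; anything else is treated as no severity at all.
var labels = map[string]string{
	"LOW": "LOW", "MEDIUM": "MEDIUM", "MODERATE": "MEDIUM", "HIGH": "HIGH", "CRITICAL": "CRITICAL",
}

// ParseSeverity prefers the native .severity array. Only when it carries no
// usable score does it fall back to .database_specific.severity (an assumed
// key), which is free-form and may be absent, null or not even an object,
// so each decoding step is checked rather than trusted.
func ParseSeverity(adv Advisory) Severity {
	var best *OSVSeverity
	for i := range adv.Severity {
		s := &adv.Severity[i]
		if s.Score == "" {
			continue
		}
		if best == nil || cvssRank[strings.ToUpper(s.Type)] > cvssRank[strings.ToUpper(best.Type)] {
			best = s
		}
	}
	if best != nil {
		return Severity{Source: "severity", Kind: "cvss", Value: best.Score}
	}
	var dbs map[string]json.RawMessage // nil for JSON null, error for non-objects
	if len(adv.DatabaseSpecific) == 0 || json.Unmarshal(adv.DatabaseSpecific, &dbs) != nil {
		return Severity{Source: "none"}
	}
	var label string
	if raw, ok := dbs["severity"]; !ok || json.Unmarshal(raw, &label) != nil {
		return Severity{Source: "none"}
	}
	if norm, ok := labels[strings.ToUpper(strings.TrimSpace(label))]; ok {
		return Severity{Source: "database_specific", Kind: "label", Value: norm}
	}
	return Severity{Source: "none"}
}

// ParseAdvisory decodes one OSV JSON document.
func ParseAdvisory(doc string) (Advisory, error) {
	var adv Advisory
	err := json.Unmarshal([]byte(doc), &adv)
	return adv, err
}

// Samples are constructed advisories (not real OSV records), one per code path.
var Samples = map[string]string{
	"native":   `{"id":"EX-0001","severity":[{"type":"CVSS_V2","score":"AV:N/AC:L/Au:N/C:P/I:P/A:P"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"database_specific":{"severity":"LOW"}}`,
	"fallback": `{"id":"EX-0002","severity":[],"database_specific":{"severity":"moderate"}}`,
	"garbage":  `{"id":"EX-0003","database_specific":"not-an-object"}`,
	"none":     `{"id":"EX-0004","database_specific":{"cwe_ids":["CWE-79"]}}`,
}

func main() {
	for _, name := range []string{"native", "fallback", "garbage", "none"} {
		adv, err := ParseAdvisory(Samples[name])
		if err != nil {
			fmt.Printf("%-9s decode error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-9s %s -> %+v\n", name, adv.ID, ParseSeverity(adv))
	}
}
```

`go run` prints one line per sample. The `Source` field matters downstream: a label lifted from `database_specific` is a publisher's coarse judgement, not a CVSS score, and the "native" sample shows why the order matters, since its `database_specific` label (LOW) disagrees with its CVSS v3 vector and the vector wins. Decoding `database_specific` through `json.RawMessage` into a map, rather than a typed struct, is what keeps a string, null or missing object from aborting the whole advisory.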
@crozzy crozzy force-pushed the crozzy-parse-db-specific-osv branch from 0000426 to fed6af8 on March 20, 2024 21:55
@crozzy crozzy merged commit 9c22ab8 into quay:main Mar 20, 2024
8 checks passed
@crozzy crozzy added the needs-changelog label (PRs that need a changelog note) Mar 20, 2024
@github-actions github-actions bot removed the needs-changelog label (PRs that need a changelog note) Mar 27, 2024
2 participants