Status: Open
Labels: backlog (Important but currently unprioritized), bug (Something isn't working)
Description
Hello there,
Thanks for this amazing work but I am reporting here a crucial bug: known malicious packages are not detected when scanned.
How to reproduce:
- Add the following known malicious package, `pymocks`, to an example `pip freeze` output (second line here below):
```
argcomplete==3.4.0
pymocks==0.0.1
attrs==21.2.0
Automat==20.2.0
Babel==2.8.0
bcrypt==3.2.0
blinker==1.4
certifi==2020.6.20
chardet==4.0.0
click==8.0.3
cloud-init==24.1.3
colorama==0.4.4
command-not-found==0.3
configobj==5.0.6
constantly==15.1.0
cryptography==3.4.8
dbus-python==1.2.18
distlib==0.3.4
distro==1.7.0
distro-info==1.1+ubuntu0.2
filelock==3.6.0
httplib2==0.20.2
hyperlink==21.0.0
idna==3.3
importlib-metadata==4.6.4
incremental==21.3.0
jeepney==0.7.1
Jinja2==3.0.3
jsonpatch==1.32
jsonpointer==2.0
jsonschema==3.2.0
keyring==23.5.0
launchpadlib==1.10.16
lazr.restfulclient==0.14.4
lazr.uri==1.0.6
MarkupSafe==2.0.1
mercurial==6.1.1
more-itertools==8.10.0
netifaces==0.11.0
oauthlib==3.2.0
packaging==24.1
pbr==5.8.0
pexpect==4.8.0
pipx==1.6.0
platformdirs==4.2.2
ptyprocess==0.7.0
pyasn1==0.4.8
pyasn1-modules==0.2.1
Pygments==2.11.2
PyGObject==3.42.1
PyHamcrest==2.0.2
PyJWT==2.3.0
pyOpenSSL==21.0.0
pyparsing==2.4.7
pyparted==3.11.7
pyrsistent==0.18.1
pyserial==3.5
python-apt==2.4.0+ubuntu3
python-debian==0.1.43+ubuntu1.1
python-magic==0.4.24
pytz==2022.1
PyYAML==5.4.1
requests==2.25.1
SecretStorage==3.3.1
service-identity==18.1.0
six==1.16.0
sos==4.5.6
ssh-import-id==5.11
stevedore==3.5.0
systemd-python==234
tomli==2.0.1
Twisted==22.1.0
ubuntu-pro-client==8001
ufw==0.36.1
urllib3==1.26.5
userpath==1.9.2
virtualenv==20.13.0+ds
virtualenv-clone==0.3.0
virtualenvwrapper==4.8.4
wadllib==1.3.6
WALinuxAgent==2.2.46
zipp==1.0.0
zope.interface==5.4.0
```
- Scan this "requirements.txt" file:
```
$ ./osv-scanner_linux_amd64 scan -L requirements.txt
Scanned /home/runner/requirements.txt file and found 83 packages
╭─────────────────────────────────────┬──────┬───────────┬──────────────┬───────────┬──────────────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼──────────────┼───────────┼──────────────────┤
│ https://osv.dev/GHSA-h4m5-qpfp-3mpv │ 7.8 │ PyPI │ babel │ 2.8.0 │ requirements.txt │
│ https://osv.dev/PYSEC-2021-421 │ │ │ │ │ │
│ https://osv.dev/GHSA-43fp-rhv2-5gv8 │ 6.8 │ PyPI │ certifi │ 2020.6.20 │ requirements.txt │
│ https://osv.dev/PYSEC-2022-42986 │ │ │ │ │ │
│ https://osv.dev/GHSA-xqr8-7jwr-rhp7 │ 7.5 │ PyPI │ certifi │ 2020.6.20 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-135 │ │ │ │ │ │
│ https://osv.dev/GHSA-c33w-24p9-8m24 │ 3.7 │ PyPI │ configobj │ 5.0.6 │ requirements.txt │
│ https://osv.dev/GHSA-3ww4-gg4f-jr7f │ 7.5 │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-5cpq-8wj7-hf2v │ │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-9v9h-cgj8-h64p │ 5.5 │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-jfhm-5ghh-2f97 │ 7.5 │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-254 │ │ │ │ │ │
│ https://osv.dev/GHSA-jm77-qphf-c4w8 │ │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-v8gr-m533-ghj9 │ │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-w7pp-m8wf-vj6r │ 6.5 │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-x4qr-2fvf-3mr5 │ 7.4 │ PyPI │ cryptography │ 3.4.8 │ requirements.txt │
│ https://osv.dev/GHSA-jjg7-2v4v-x38h │ 7.5 │ PyPI │ idna │ 3.3 │ requirements.txt │
│ https://osv.dev/PYSEC-2024-60 │ │ │ │ │ │
│ https://osv.dev/GHSA-h5c8-rqwp-cp95 │ 5.4 │ PyPI │ jinja2 │ 3.0.3 │ requirements.txt │
│ https://osv.dev/GHSA-h75v-3vvj-5mfj │ 5.4 │ PyPI │ jinja2 │ 3.0.3 │ requirements.txt │
│ https://osv.dev/GHSA-3pgj-pg6c-r5p7 │ 5.7 │ PyPI │ oauthlib │ 3.2.0 │ requirements.txt │
│ https://osv.dev/PYSEC-2022-269 │ │ │ │ │ │
│ https://osv.dev/GHSA-mrwq-x4v8-fh7p │ 5.5 │ PyPI │ pygments │ 2.11.2 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-117 │ │ │ │ │ │
│ https://osv.dev/GHSA-ffqj-6fqr-9h24 │ 7.4 │ PyPI │ pyjwt │ 2.3.0 │ requirements.txt │
│ https://osv.dev/PYSEC-2022-202 │ │ │ │ │ │
│ https://osv.dev/GHSA-9wx4-h78v-vm56 │ 5.6 │ PyPI │ requests │ 2.25.1 │ requirements.txt │
│ https://osv.dev/GHSA-j8r2-6x86-q33q │ 6.1 │ PyPI │ requests │ 2.25.1 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-74 │ │ │ │ │ │
│ https://osv.dev/GHSA-c2jg-hw38-jrqq │ 8.1 │ PyPI │ twisted │ 22.1.0 │ requirements.txt │
│ https://osv.dev/PYSEC-2022-195 │ │ │ │ │ │
│ https://osv.dev/GHSA-rv6r-3f5q-9rgx │ 7.5 │ PyPI │ twisted │ 22.1.0 │ requirements.txt │
│ https://osv.dev/PYSEC-2022-160 │ │ │ │ │ │
│ https://osv.dev/GHSA-vg46-2rrj-3647 │ 5.4 │ PyPI │ twisted │ 22.1.0 │ requirements.txt │
│ https://osv.dev/GHSA-xc8x-vp79-p3wm │ 5.3 │ PyPI │ twisted │ 22.1.0 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-224 │ │ │ │ │ │
│ https://osv.dev/GHSA-34jh-p97f-mpxf │ 4.4 │ PyPI │ urllib3 │ 1.26.5 │ requirements.txt │
│ https://osv.dev/GHSA-g4mx-q9vg-27p4 │ 4.2 │ PyPI │ urllib3 │ 1.26.5 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-212 │ │ │ │ │ │
│ https://osv.dev/GHSA-v845-jxx5-vc9f │ 8.1 │ PyPI │ urllib3 │ 1.26.5 │ requirements.txt │
│ https://osv.dev/PYSEC-2023-192 │ │ │ │ │ │
│ https://osv.dev/GHSA-jfmj-5v4g-7637 │ 6.9 │ PyPI │ zipp │ 1.0.0 │ requirements.txt │
╰─────────────────────────────────────┴──────┴───────────┴──────────────┴───────────┴──────────────────╯
```
Nothing is told about this `pymocks` package.
I tried with different expressions (`pymocks==0.0.1`, `pymocks`, etc.) but it never got detected.
As this package is globally malicious, its detection should not need a version string: the sole presence of the package name in a lockfile should be enough to detect it!
Cheers!
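As an added example (not part of the report above and not osv-scanner's own code), the script below shows the matching rule the report is asking for: it parses `pip freeze` / requirements.txt lines, normalizes names the way PyPI and OSV key them, and applies OSV-style `affected` ranges, treating an advisory whose only range event is `introduced: "0"` (no `fixed`, no `last_affected`) as matching on the package name alone, while an advisory with an upper boundary is reported as undecidable when the line carries no pin. The advisory records, the placeholder ids `MAL-EXAMPLE-0001` and `VULN-EXAMPLE-0002`, the requirement lines and all function names are constructed for illustration; `osv_querybatch_payload` only builds the request body for `POST https://api.osv.dev/v1/querybatch` and assumes that a query without `version` returns every advisory on the package.

```python
import re
from typing import Optional

# Constructed OSV-style records for this example. The ids are placeholders, not
# real OSV/MAL advisories; only the fields used for matching are present.
SAMPLE_ADVISORIES = [
    {"id": "MAL-EXAMPLE-0001", "summary": "constructed: malicious package, all versions",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "pymocks"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
    {"id": "VULN-EXAMPLE-0002", "summary": "constructed: ordinary bug fixed in 2.9.1",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "Babel"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.9.1"}]}]}]},
]
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
                     r"(?P<op>===|==|~=|>=|<=|!=|<|>)?\s*(?P<ver>[^\s,]+)?")

def normalize_name(name: str) -> str:
    """PEP 503 normalization, e.g. 'lazr.restfulclient' -> 'lazr-restfulclient'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[tuple[str, Optional[str]]]:
    """(normalized name, pinned version or None) per requirement line; only
    '=='/'===' pins give a version, bare names and range specifiers give None."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment, marker
        if not line or line.startswith("-"):  # blank, or an option such as -r/-e
            continue
        m = _REQ_RE.match(line)
        if m:
            ver = m.group("ver") if m.group("op") in ("==", "===") else None
            reqs.append((normalize_name(m.group("name")), ver))
    return reqs

def _vkey(v: str) -> tuple:
    """Numeric release segment only ('1.1+ubuntu0.2' -> (1, 1)); not full PEP 440."""
    parts = []
    for p in re.split(r"[.+]", v):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def range_covers(rng: dict, version: Optional[str]) -> Optional[bool]:
    """True/False when decidable; None if no version is known and one is needed."""
    segments = []  # one dict per introduced/fixed(/last_affected) pair
    for ev in rng.get("events", []):
        if "introduced" in ev:
            segments.append(dict(ev))
        elif segments:
            segments[-1].update(ev)
    undecidable = False
    for seg in segments:
        intro, fixed, last = seg["introduced"], seg.get("fixed"), seg.get("last_affected")
        if intro == "0" and fixed is None and last is None:
            return True  # every version ever published: the name alone decides
        if version is None:
            undecidable = True
            continue
        vk = _vkey(version)
        if (intro != "0" and vk < _vkey(intro)) or (fixed and vk >= _vkey(fixed)) \
                or (last and vk > _vkey(last)):
            continue
        return True
    return None if undecidable else False

def match_advisories(reqs, advisories, ecosystem: str = "PyPI") -> list[dict]:
    findings = []
    for name, version in reqs:
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != ecosystem or normalize_name(pkg.get("name", "")) != name:
                    continue
                results = [range_covers(r, version) for r in aff.get("ranges", [])
                           if r.get("type") == "ECOSYSTEM"]
                status = "affected" if True in results else "needs-version" if None in results else None
                if status:
                    findings.append({"id": adv["id"], "package": name,
                                     "version": version, "status": status})
    return findings

def scan(requirements_text: str, advisories=SAMPLE_ADVISORIES) -> list[dict]:
    return match_advisories(parse_requirements(requirements_text), advisories)

def osv_querybatch_payload(reqs, ecosystem: str = "PyPI") -> dict:
    """Body for POST https://api.osv.dev/v1/querybatch (built here, not sent).
    Assumption: a query without "version" returns every advisory on the package."""
    queries = []
    for name, version in reqs:
        q = {"package": {"name": name, "ecosystem": ecosystem}}
        if version is not None:
            q["version"] = version
        queries.append(q)
    return {"queries": queries}

if __name__ == "__main__":
    sample = "argcomplete==3.4.0\npymocks==0.0.1\nBabel==2.8.0\npymocks\n"  # constructed excerpt
    for finding in scan(sample):
        print(finding)
    print(osv_querybatch_payload(parse_requirements(sample)))
```

Running it against the constructed records reports both `pymocks==0.0.1` and the bare `pymocks` line as affected, because the malicious-package range starts at `introduced: "0"` with no upper bound and so needs no version to decide; a bare `Babel` line is only reported as `needs-version`, since that advisory has a `fixed` boundary and a pin is required to say whether 2.8.0 or 2.9.1 is installed. The name normalization matters in practice too: the scanner output above lists `babel`, `jinja2` and `pygments` in lowercase, while the requirements file pins `Babel`, `Jinja2` and `Pygments`.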