fix: Improve OSV source version handling for ecosystem-specific formats#5503
VanitasCodes wants to merge 2 commits into ossf:main from
Pull request overview
This PR fixes incorrect handling of product versions from OSV source data by addressing ecosystem-specific version formats. The main issue was that ecosystem-specific version strings (like Debian's 1:9.2p1-2) were being stored directly in the database, breaking version comparisons against upstream versions.
Changes:
- Adds ecosystem filtering to skip Android and Linux ecosystems where version formats don't correspond to upstream package versions
- Implements version normalization for Debian (strips epoch and revision) and Alpine (strips release suffix) formats
- Fixes duplicate ranges bug by creating separate entries for each introduced/fixed pair instead of overwriting
- Improves range selection logic to prefer SEMVER over ECOSYSTEM ranges and fall back to versions list when fix information is absent
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| cve_bin_tool/data_sources/osv_source.py | Implements ecosystem filtering, version normalization, and improved range handling logic |
| test/test_source_osv.py | Updates test expectations and adds comprehensive test coverage for version normalization and ecosystem handling |
@ffontaine I was wondering if you could have a look at this one and see if I need to make any adjustments.
This should generally wait until the more foundational changes are done in #4956 and then be rebased on top of it.
#4956 has been merged; a rebase is needed to fix conflicts.
@alex-ter Ready for review.
alex-ter left a comment
One minor comment inline, otherwise LGTM by inspection.
Signed-off-by: Vishwajeet Singh <mit.vs.krishna@gmail.com>
@alex-ter Addressed the change, ready for review.
@ffontaine The CI failures here are unrelated to my changes. I only removed two redundant lines and these failures weren't present when I last pushed. The
To fix check-spelling, a bump to version 0.0.26 is needed (see https://docs.check-spelling.dev/Feature:-Restricted-Permissions). I'll then update your branch
Summary
Fixes incorrect handling of product versions from OSV source data by addressing ecosystem-specific version formats.
Fixes #3201
Related: #4953, #4954
Changes
The main issue was that ecosystem-specific version strings (like Debian's 1:9.2p1-2) were being stored directly in the database, which broke version comparisons against upstream versions like 9.6p1. This PR:
- skips the Android and Linux ecosystems, whose version formats (e.g. 12L:2022-09-01 for expat) don't correspond to upstream package versions
- normalizes Debian versions by stripping the epoch and revision (1:9.2p1-2 → 9.2p1)
- normalizes Alpine versions by stripping the release suffix (2.4.1-r0 → 2.4.1)
- falls back to the versions list when range events don't have fix information
Testing
Updated the existing test_format_data expectations and added two new test classes covering version normalization and ecosystem handling.
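A worked illustration of the rules this PR describes (ecosystem skipping, Debian and Alpine normalization, SEMVER preferred over ECOSYSTEM ranges, one entry per introduced/fixed pair, and the versions-list fallback), added here as example code that is not cve-bin-tool's own implementation; the function names, the SKIPPED_ECOSYSTEMS set and the SAMPLE_DEBIAN record are constructed for this example.

```python
import re

# Ecosystems whose version strings do not map to upstream package
# versions (e.g. Android "12L:2022-09-01"), so their entries are skipped.
SKIPPED_ECOSYSTEMS = {"Android", "Linux"}

# Constructed OSV 'affected' entry in the Debian format discussed above.
SAMPLE_DEBIAN = {
    "package": {"ecosystem": "Debian", "name": "openssh"},
    "ranges": [{"type": "ECOSYSTEM", "events": [
        {"introduced": "0"}, {"fixed": "1:9.2p1-2"}]}],
    "versions": ["1:8.4p1-5", "1:9.2p1-1"],
}


def normalize_version(ecosystem, version):
    """Map an ecosystem-specific version string to its upstream form."""
    if ecosystem == "Debian":
        # Debian: [epoch:]upstream[-revision]; drop epoch and revision.
        return version.split(":", 1)[-1].rsplit("-", 1)[0]
    if ecosystem == "Alpine":
        # Alpine: upstream-rN; drop the release suffix.
        return re.sub(r"-r\d+$", "", version)
    return version


def affected_ranges(affected):
    """Return (introduced, fixed) pairs for one OSV 'affected' entry;
    SEMVER ranges win over ECOSYSTEM ones, 'versions' is the fallback."""
    ecosystem = affected.get("package", {}).get("ecosystem", "")
    if ecosystem in SKIPPED_ECOSYSTEMS:
        return []
    by_type = {}
    for rng in affected.get("ranges", []):
        by_type.setdefault(rng.get("type"), []).append(rng)
    pairs = []
    for rng in by_type.get("SEMVER") or by_type.get("ECOSYSTEM") or []:
        introduced = None
        for event in rng.get("events", []):
            if "introduced" in event:
                introduced = normalize_version(ecosystem, event["introduced"])
            elif "fixed" in event:
                # One entry per pair rather than overwriting the previous one.
                pairs.append((introduced, normalize_version(ecosystem, event["fixed"])))
                introduced = None
        if introduced is not None:  # open-ended range with no fix yet
            pairs.append((introduced, None))
    if not any(fixed for _, fixed in pairs):
        # No fix information in any range: use the explicit versions list.
        return [(normalize_version(ecosystem, v), None)
                for v in affected.get("versions", [])]
    return pairs
```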