Skip to content

Fix OSV to handle affected_packages correctly & add support to collect commits #2080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ziadhany merged 14 commits into from
Jan 27, 2026
Merged

Fix OSV to handle affected_packages correctly & add support to collect commits #2080

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
07edf7d
Fix OSV to handel affected_packages correctly
ziadhany Dec 23, 2025
85f8771
Add more tests.
ziadhany Dec 23, 2025
f06fe18
Fix the test for osv pipelines
ziadhany Dec 23, 2025
308917f
Fix the test for osv pipelines
ziadhany Dec 24, 2025
0108c01
Update OSV migration file
ziadhany Dec 24, 2025
5b95c3a
Update OSV to simplify the affected/fixed package constraints
ziadhany Dec 24, 2025
142dbc0
Avoid mixing explicit affected packages with last known affected rang…
ziadhany Dec 26, 2025
f911eea
Update OSV to catch error constraints correctly
ziadhany Dec 30, 2025
d11e07d
Add a test to ensure invalid versions are skipped
ziadhany Dec 31, 2025
45a43c0
Add a test to ensure that OSS-Fuzz uses the explicit versions correctly
ziadhany Dec 31, 2025
8ec85fa
Drop old migration file
ziadhany Jan 1, 2026
8a2e0e8
Update OSV affected_version_range to prioritize explicit versions, th…
ziadhany Jan 13, 2026
9d4e505
Move importers/osv_v2.py to pipes/osv_v2.py
ziadhany Jan 21, 2026
49b0a39
Merge branch 'main' into osv-migration
ziadhany Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Update OSV to simplify the affected/fixed package constraints 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
  • Loading branch information
@ziadhany
ziadhany committed Jan 1, 2026
commit 5b95c3a4db5847782af1c2de0005100b4ba18670
9 changes: 7 additions & 2 deletions vulnerabilities/importers/osv_v2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
from cvss.exceptions import CVSS4MalformedError
from packageurl import PackageURL
from univers.version_constraint import VersionConstraint
from univers.version_constraint import simplify_constraints
from univers.version_range import RANGE_CLASS_BY_SCHEMES
from univers.versions import InvalidVersion
from univers.versions import SemverVersion
Expand Down Expand Up @@ -142,14 +143,18 @@ def parse_advisory_data_v3(
affected_version_range = None
if affected_constraints:
try:
affected_version_range = version_range_class(constraints=affected_constraints)
affected_version_range = version_range_class(
constraints=simplify_constraints(affected_constraints)
)
except Exception as e:
logger.error(f"Failed to build VersionRange for {advisory_id}: {e}")

fixed_version_range = None
if fixed_constraints:
try:
fixed_version_range = version_range_class(constraints=fixed_constraints)
fixed_version_range = version_range_class(
constraints=simplify_constraints(fixed_constraints)
)
except Exception as e:
logger.error(f"Failed to build VersionRange for {advisory_id}: {e}")

Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-2.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
"qualifiers": "",
"subpath": ""
},
"affected_version_range": "vers:pypi/0.0.1|0.0.2|0.0.3|0.1.0|0.2.0|0.2.1|0.3.0|0.3.1|0.3.2|0.4.0|0.4.1|0.4.2|0.4.3|0.5.0|0.5.1|0.5.2|0.5.3|0.5.4|0.6.0|0.7.0|1.0.0|1.0.1|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.2.2|1.3.3|1.4.1|1.5.1|1.6.0|1.7.0|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.1.0|2.2.0a0|2.2.0|2.2.1|2.2.2|2.2.3|<2.3.0",
"affected_version_range": "vers:pypi/0.0.1|0.0.2|0.0.3|0.1.0|0.2.0|0.2.1|0.3.0|0.3.1|0.3.2|0.4.0|0.4.1|0.4.2|0.4.3|0.5.0|0.5.1|0.5.2|0.5.3|0.5.4|0.6.0|0.7.0|1.0.0|1.0.1|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.2.2|1.3.3|1.4.1|1.5.1|1.6.0|1.7.0|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.1.0|2.2.0a0|2.2.0|2.2.1|2.2.2|<2.3.0",
"fixed_version_range": "vers:pypi/2.3.0",
"introduced_by_commit_patches": [
{
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-3.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
"qualifiers": "",
"subpath": ""
},
"affected_version_range": "vers:pypi/0.1|0.2|0.3|0.4|0.4.1|0.4.2|0.4.3|0.4.4|0.5.0|0.6.0|0.6.1|0.6.2|0.6.3|0.6.4|0.6.5|0.7.0|0.7.1|0.7.2|0.7.3|0.8.0|0.8.1|0.8.2|0.8.3|0.8.4|0.9.0|0.9.1|0.9.2|0.9.3|0.10.0|0.10.1|0.10.2|0.11.0|0.12.0|0.13.0|0.13.1|0.14.0|0.14.1|0.14.2|0.14.3|0.14.4|0.15.0|0.15.1|0.15.2|0.15.3|0.16.0|0.16.1|0.16.2|0.16.3|0.16.4|0.16.5|0.16.6|0.17.0|0.17.1|0.17.2|0.17.3|0.17.4|0.18.0|0.18.1|0.18.2|0.18.3|0.18.4|0.19.0|0.20.0|0.20.1|0.20.2|0.21.0|0.21.1|0.21.2|0.21.4|0.21.5|0.21.6|0.22.0a0|0.22.0b0|0.22.0b1|0.22.0b2|0.22.0b3|0.22.0b4|0.22.0b5|0.22.0b6|0.22.0|0.22.1|0.22.2|0.22.3|0.22.4|0.22.5|1.0.0|1.0.1|1.0.2|1.0.3|1.0.5|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.1.6|1.2.0|1.3.0|1.3.1|1.3.2|1.3.3|1.3.4|1.3.5|2.0.0rc1|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.0.6|2.0.7|2.1.0|2.2.0|2.2.1|2.2.2|2.2.3|2.2.4|2.2.5|2.3.0a1|2.3.0a2|2.3.0a3|2.3.0a4|2.3.0|2.3.1a1|2.3.1|2.3.2b2|2.3.2b3|2.3.2|2.3.3|2.3.4|2.3.5|2.3.6|2.3.7|2.3.8|2.3.9|2.3.10|3.0.0b0|3.0.0b1|3.0.0b2|3.0.0b3|3.0.0b4|3.0.0|3.0.1|3.0.2|3.0.3|3.0.4|3.0.5|3.0.6|3.0.7|3.0.8|3.0.9|3.1.0|3.1.1|3.1.2|3.1.3|3.2.0|3.2.1|3.3.0a0|3.3.0|3.3.1|3.3.2a0|3.3.2|3.4.0a0|3.4.0a3|3.4.0b1|3.4.0b2|3.4.0|3.4.1|3.4.2|3.4.3|3.4.4|3.5.0a1|3.5.0b1|3.5.0b2|3.5.0b3|3.5.0|3.5.1|3.5.2|3.5.3|3.5.4|3.6.0a0|3.6.0a1|3.6.0a2|3.6.0a3|3.6.0a4|3.6.0a5|3.6.0a6|3.6.0a7|3.6.0a8|3.6.0a9|3.6.0a11|3.6.0a12|3.6.0b0|3.6.0|3.6.1b3|3.6.1b4|3.6.1|3.6.2a0|3.6.2a1|3.6.2a2|3.6.2|3.6.3|3.7.0b0|3.7.0b1|3.7.0|3.7.1|3.7.2|3.7.3|3.7.4|3.7.4.post0|3.8.0a7|3.8.0b0|3.8.0|3.8.1|3.8.2|3.8.3|3.8.4|3.8.5|3.8.6|3.9.0b0|3.9.0b1|3.9.0rc0|3.9.0|3.9.1|<3.9.2",
"affected_version_range": "vers:pypi/0.1|0.2|0.3|0.4|0.4.1|0.4.2|0.4.3|0.4.4|0.5.0|0.6.0|0.6.1|0.6.2|0.6.3|0.6.4|0.6.5|0.7.0|0.7.1|0.7.2|0.7.3|0.8.0|0.8.1|0.8.2|0.8.3|0.8.4|0.9.0|0.9.1|0.9.2|0.9.3|0.10.0|0.10.1|0.10.2|0.11.0|0.12.0|0.13.0|0.13.1|0.14.0|0.14.1|0.14.2|0.14.3|0.14.4|0.15.0|0.15.1|0.15.2|0.15.3|0.16.0|0.16.1|0.16.2|0.16.3|0.16.4|0.16.5|0.16.6|0.17.0|0.17.1|0.17.2|0.17.3|0.17.4|0.18.0|0.18.1|0.18.2|0.18.3|0.18.4|0.19.0|0.20.0|0.20.1|0.20.2|0.21.0|0.21.1|0.21.2|0.21.4|0.21.5|0.21.6|0.22.0a0|0.22.0b0|0.22.0b1|0.22.0b2|0.22.0b3|0.22.0b4|0.22.0b5|0.22.0b6|0.22.0|0.22.1|0.22.2|0.22.3|0.22.4|0.22.5|1.0.0|1.0.1|1.0.2|1.0.3|1.0.5|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.1.6|1.2.0|1.3.0|1.3.1|1.3.2|1.3.3|1.3.4|1.3.5|2.0.0rc1|2.0.0|2.0.1|2.0.2|2.0.3|2.0.4|2.0.5|2.0.6|2.0.7|2.1.0|2.2.0|2.2.1|2.2.2|2.2.3|2.2.4|2.2.5|2.3.0a1|2.3.0a2|2.3.0a3|2.3.0a4|2.3.0|2.3.1a1|2.3.1|2.3.2b2|2.3.2b3|2.3.2|2.3.3|2.3.4|2.3.5|2.3.6|2.3.7|2.3.8|2.3.9|2.3.10|3.0.0b0|3.0.0b1|3.0.0b2|3.0.0b3|3.0.0b4|3.0.0|3.0.1|3.0.2|3.0.3|3.0.4|3.0.5|3.0.6|3.0.7|3.0.8|3.0.9|3.1.0|3.1.1|3.1.2|3.1.3|3.2.0|3.2.1|3.3.0a0|3.3.0|3.3.1|3.3.2a0|3.3.2|3.4.0a0|3.4.0a3|3.4.0b1|3.4.0b2|3.4.0|3.4.1|3.4.2|3.4.3|3.4.4|3.5.0a1|3.5.0b1|3.5.0b2|3.5.0b3|3.5.0|3.5.1|3.5.2|3.5.3|3.5.4|3.6.0a0|3.6.0a1|3.6.0a2|3.6.0a3|3.6.0a4|3.6.0a5|3.6.0a6|3.6.0a7|3.6.0a8|3.6.0a9|3.6.0a11|3.6.0a12|3.6.0b0|3.6.0|3.6.1b3|3.6.1b4|3.6.1|3.6.2a0|3.6.2a1|3.6.2a2|3.6.2|3.6.3|3.7.0b0|3.7.0b1|3.7.0|3.7.1|3.7.2|3.7.3|3.7.4|3.7.4.post0|3.8.0a7|3.8.0b0|3.8.0|3.8.1|3.8.2|3.8.3|3.8.4|3.8.5|3.8.6|3.9.0b0|3.9.0b1|3.9.0rc0|3.9.0|<3.9.2",
"fixed_version_range": "vers:pypi/3.9.2",
"introduced_by_commit_patches": [
{
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/tests/test_data/osv_test/pypa/pypa-expected-6.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
"qualifiers": "",
"subpath": ""
},
"affected_version_range": "vers:pypi/0.1|0.2|0.3|0.3.1|0.4|0.4.1|0.5|0.6|0.7|0.8|0.8.1|0.8.2|0.8.3|0.8.4|0.8.5|0.8.6|0.8.7|0.8.8|0.8.9|0.8.10|1.0b1|1.0b2|1.0rc1|1.0rc2|1.0|1.1rc1|1.1|1.2rc1|1.2|1.3rc1|1.3|1.3.1|1.4rc1|1.4|1.4.1|1.4.2|1.4.3|1.4.4|1.4.5|1.4.6|1.5rc1|1.5|1.5.1|1.5.2|1.5.3|1.6rc1|1.6|1.6.1|1.6.2|1.6.3|1.7rc1|1.7|1.8rc1|1.8|1.8.1|1.8.2|1.9rc1|1.9|1.9.1|1.10rc1|1.10|1.10.1|1.11rc1|1.11|1.11.1|1.12rc1|1.12|1.12.1|1.12.2|1.12.3|1.12.4|1.12.5|1.12.6|1.13rc1|1.13|1.13.1|1.13.2|1.13.3|1.13.4|2.0b1|2.0rc1|2.0|2.0.1|2.0.2|2.1rc1|2.1rc2|2.1|2.1.1|2.1.2|2.1.3|2.2rc1|2.2rc2|2.2|2.2.1|2.2.2|2.3rc1|2.3rc2|2.3|2.4rc1|2.4|2.5rc1|2.5|2.5.1|2.5.2|2.6rc1|2.6|2.6.1|2.6.2|2.6.3|2.7rc1|2.7rc2|2.7|2.7.1|2.7.2|2.7.3|2.7.4|2.8rc1|2.8|2.8.1|2.8.2|2.9rc1|2.9|2.9.1|2.9.2|2.9.3|2.10rc1|2.10rc2|2.10|2.10.1|2.10.2|2.11rc1|2.11|2.11.1|2.11.2|2.11.3|2.11.4|2.11.5|2.11.6|2.11.7|2.11.8|2.11.9|2.12rc1|2.12|2.12.1|2.12.2|2.12.3|2.12.4|2.12.5|2.12.6|2.13rc1|2.13rc2|2.13rc3|2.13|2.13.1|2.13.2|2.13.3|2.13.4|2.13.5|2.14rc1|2.14|2.14.1|2.14.2|2.15rc1|2.15rc2|2.15|2.15.1|2.15.2|2.15.3|2.15.4|2.15.5|2.15.6|2.16rc1|2.16rc2|2.16|2.16.1|2.16.2|2.16.3|3.0rc1|3.0rc2|3.0rc3|3.0|3.0.1|3.0.2|3.0.3|4.0rc1|4.0rc2|4.0|4.0.1|4.0.2|4.0.3|4.0.4|4.1rc1|4.1|4.1.1|4.1.2|4.1.3|<4.1.4|4.2|>=4.2|4.2.1|<4.2.2",
"affected_version_range": "vers:pypi/0.1|0.2|0.3|0.3.1|0.4|0.4.1|0.5|0.6|0.7|0.8|0.8.1|0.8.2|0.8.3|0.8.4|0.8.5|0.8.6|0.8.7|0.8.8|0.8.9|0.8.10|1.0b1|1.0b2|1.0rc1|1.0rc2|1.0|1.1rc1|1.1|1.2rc1|1.2|1.3rc1|1.3|1.3.1|1.4rc1|1.4|1.4.1|1.4.2|1.4.3|1.4.4|1.4.5|1.4.6|1.5rc1|1.5|1.5.1|1.5.2|1.5.3|1.6rc1|1.6|1.6.1|1.6.2|1.6.3|1.7rc1|1.7|1.8rc1|1.8|1.8.1|1.8.2|1.9rc1|1.9|1.9.1|1.10rc1|1.10|1.10.1|1.11rc1|1.11|1.11.1|1.12rc1|1.12|1.12.1|1.12.2|1.12.3|1.12.4|1.12.5|1.12.6|1.13rc1|1.13|1.13.1|1.13.2|1.13.3|1.13.4|2.0b1|2.0rc1|2.0|2.0.1|2.0.2|2.1rc1|2.1rc2|2.1|2.1.1|2.1.2|2.1.3|2.2rc1|2.2rc2|2.2|2.2.1|2.2.2|2.3rc1|2.3rc2|2.3|2.4rc1|2.4|2.5rc1|2.5|2.5.1|2.5.2|2.6rc1|2.6|2.6.1|2.6.2|2.6.3|2.7rc1|2.7rc2|2.7|2.7.1|2.7.2|2.7.3|2.7.4|2.8rc1|2.8|2.8.1|2.8.2|2.9rc1|2.9|2.9.1|2.9.2|2.9.3|2.10rc1|2.10rc2|2.10|2.10.1|2.10.2|2.11rc1|2.11|2.11.1|2.11.2|2.11.3|2.11.4|2.11.5|2.11.6|2.11.7|2.11.8|2.11.9|2.12rc1|2.12|2.12.1|2.12.2|2.12.3|2.12.4|2.12.5|2.12.6|2.13rc1|2.13rc2|2.13rc3|2.13|2.13.1|2.13.2|2.13.3|2.13.4|2.13.5|2.14rc1|2.14|2.14.1|2.14.2|2.15rc1|2.15rc2|2.15|2.15.1|2.15.2|2.15.3|2.15.4|2.15.5|2.15.6|2.16rc1|2.16rc2|2.16|2.16.1|2.16.2|2.16.3|3.0rc1|3.0rc2|3.0rc3|3.0|3.0.1|3.0.2|3.0.3|4.0rc1|4.0rc2|4.0|4.0.1|4.0.2|4.0.3|4.0.4|4.1rc1|4.1|4.1.1|4.1.2|4.1.3|<4.1.4|4.2|>=4.2",
"fixed_version_range": "vers:pypi/4.1.4|4.2.2",
"introduced_by_commit_patches": [
{
Expand Down