internal/report: change behavior of guessVulnerableAt when no fix

tatianab · tatianab · commit 207b5b960e9c · 2023-08-28T17:17:39.000Z
The function guessVulnerableAt now returns an error if the given version ranges are invalid. This avoids unexpected behavior such as successfully returning the latest version of a module when there is no fix, but the introduced version isn't actually understood by the proxy. Change-Id: I742ef108f1902936c64aa8fdca1d3ed4847d640d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/522296 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml b/internal/genericosv/testdata/yaml/GHSA-54q4-74p3-mgcw.yaml
@@ -3,7 +3,6 @@ modules:
     - module: github.com/zhaojh329/rttys
       versions:
         - introduced: 4.0.0
-      vulnerable_at: 1.1.0
 summary: rttys SQL Injection vulnerability
 description: |-
     SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, and 4.0.2 in api.go,
@@ -19,4 +18,3 @@ references:
 notes:
     - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"4.0.2", Limit:""}'
     - 'lint: github.com/zhaojh329/rttys: bad version "4.0.0": github.com/zhaojh329/rttys@v4.0.0: invalid version: should be v0 or v1, not v4'
-    - 'lint: github.com/zhaojh329/rttys: vulnerable_at version 1.1.0 is not inside vulnerable range'
diff --git a/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml b/internal/genericosv/testdata/yaml/GHSA-7fxj-fr3v-r9gj.yaml
@@ -5,7 +5,6 @@ modules:
     - module: github.com/pingcap/tidb
       versions:
         - introduced: 6.2.0
-      vulnerable_at: 1.0.9
 summary: TiDB vulnerable to Use of Externally-Controlled Format String
 description: |-
     TiDB server (importer CLI tool) prior to version 6.4.0 & 6.1.3 is vulnerable to
@@ -26,4 +25,3 @@ notes:
     - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"6.1.2", Limit:""}'
     - 'create: unsupported version range event models.Event{Introduced:"", Fixed:"", LastAffected:"6.4.0-alpha1", Limit:""}'
     - 'lint: github.com/pingcap/tidb: bad version "6.2.0": github.com/pingcap/tidb@v6.2.0: invalid version: should be v0 or v1, not v6'
-    - 'lint: github.com/pingcap/tidb: vulnerable_at version 1.0.9 is not inside vulnerable range'
diff --git a/internal/report/fix.go b/internal/report/fix.go
@@ -11,6 +11,7 @@ import (
 	"sort"
 	"strings"
 
+	"golang.org/x/vulndb/internal/osvutils"
 	"golang.org/x/vulndb/internal/proxy"
 	"golang.org/x/vulndb/internal/version"
 )
@@ -125,7 +126,16 @@ func (m *Module) guessVulnerableAt(pc proxyClient) (string, error) {
 	if fixed == "" {
 		latest, err := pc.Latest(m.Module)
 		if err != nil || latest == "" {
-			return "", fmt.Errorf("could not find latest version from proxy: %s", err)
+			return "", fmt.Errorf("no fix, but could not find latest version from proxy: %s", err)
+		}
+
+		// Make sure the latest version is actually in the vulnerable range.
+		// This may not be the case if the proxy doesn't recognize the affected versions.
+		affected, err := osvutils.AffectsSemver(AffectedRanges(m.Versions), latest)
+		if err != nil {
+			return "", err
+		} else if !affected {
+			return "", fmt.Errorf("no fix, but latest version %s is not inside vulnerable range", latest)
 		}
 
 		return latest, nil
