
Commit b64e837

committed
osv: don't prefix semver strings
In order to match the current state of the public vulnerability format, don't prefix SEMVER strings with 'v' or 'go' so that they are valid. Also update osv.Affects.AffectsSemver so that it can take SEMVER strings which either do or don't have the prefix. Change-Id: I879f5c0387338290fe0aaa7ab8391e1c19de681e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/326489 Trust: Roland Shoemaker <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Filippo Valsorda <[email protected]>
1 parent 57c1a3e commit b64e837


2 files changed

+58
-25
lines changed


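--- a/osv/json.go
+++ b/osv/json.go
@@ -22,6 +22,7 @@
 package osv
 
 import (
+"strings"
 "time"
 
 "golang.org/x/mod/semver"
@@ -58,26 +59,48 @@ type AffectsRange struct {
 Fixed string `json:"fixed"`
 }
 
+// addSemverPrefix adds a 'v' prefix to s if it isn't already prefixed
+// with 'v' or 'go'. This allows us to easily test go-style SEMVER
+// strings against normal SEMVER strings.
+func addSemverPrefix(s string) string {
+if !strings.HasPrefix(s, "v") && !strings.HasPrefix(s, "go") {
+return "v" + s
+}
+return s
+}
+
 func (ar AffectsRange) containsSemver(v string) bool {
 if ar.Type != TypeSemver {
 return false
 }
 
-return (ar.Introduced == "" || semver.Compare(v, ar.Introduced) >= 0) &&
-(ar.Fixed == "" || semver.Compare(v, ar.Fixed) < 0)
+// Strip and then add the semver prefix so we can support bare versions,
+// versions prefixed with 'v', and versions prefixed with 'go'.
+v = addSemverPrefix(removeSemverPrefix(v))
+
+return (ar.Introduced == "" || semver.Compare(v, addSemverPrefix(ar.Introduced)) >= 0) &&
+(ar.Fixed == "" || semver.Compare(v, addSemverPrefix(ar.Fixed)) < 0)
 }
 
 type Affects struct {
 Ranges []AffectsRange `json:"ranges,omitempty"`
 }
 
+// removeSemverPrefix removes the 'v' or 'go' prefixes from go-style
+// SEMVER strings, for usage in the public vulnerability format.
+func removeSemverPrefix(s string) string {
+s = strings.TrimPrefix(s, "v")
+s = strings.TrimPrefix(s, "go")
+return s
+}
+
 func generateAffects(versions []report.VersionRange) Affects {
 a := Affects{}
 for _, v := range versions {
 a.Ranges = append(a.Ranges, AffectsRange{
 Type: TypeSemver,
-Introduced: v.Introduced,
-Fixed: v.Fixed,
+Introduced: removeSemverPrefix(v.Introduced),
+Fixed: removeSemverPrefix(v.Fixed),
 })
 }
 return a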
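Review bot: In the return expression of containsSemver (new lines 81–82) the range bounds go through addSemverPrefix only, so an Introduced or Fixed value that still carries a `go` prefix reaches semver.Compare unchanged, and golang.org/x/mod/semver treats any string that does not start with `v` as invalid and orders it below every valid version. A `go`-prefixed Fixed bound therefore makes the range match no version at all, and a `go`-prefixed Introduced bound makes it match every version; for a vulnerability database the first case is a silent false negative. Normalize the bounds the same way the version argument is normalized: `semver.Compare(v, addSemverPrefix(removeSemverPrefix(ar.Introduced))) >= 0` and `semver.Compare(v, addSemverPrefix(removeSemverPrefix(ar.Fixed))) < 0`. Because semver.Compare never reports a malformed input, a `semver.IsValid` check on the normalized version and both bounds, rejecting a malformed bound explicitly instead of comparing it, would stop a typo in a range from being read as "not affected". generateAffects already strips the prefix on its own output, so this only matters for Affects values that arrive from elsewhere, presumably decoded JSON.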

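--- a/osv/json_test.go
+++ b/osv/json_test.go
@@ -57,16 +57,16 @@ func TestGenerate(t *testing.T) {
 Ranges: []AffectsRange{
 {
 Type: TypeSemver,
-Fixed: "v2.1.1",
+Fixed: "2.1.1",
 },
 {
 Type: TypeSemver,
-Introduced: "v2.3.4",
-Fixed: "v2.3.5",
+Introduced: "2.3.4",
+Fixed: "2.3.5",
 },
 {
 Type: TypeSemver,
-Introduced: "v2.5.0",
+Introduced: "2.5.0",
 },
 },
 },
@@ -96,16 +96,16 @@ func TestGenerate(t *testing.T) {
 Ranges: []AffectsRange{
 {
 Type: TypeSemver,
-Fixed: "v2.1.1",
+Fixed: "2.1.1",
 },
 {
 Type: TypeSemver,
-Introduced: "v2.3.4",
-Fixed: "v2.3.5",
+Introduced: "2.3.4",
+Fixed: "2.3.5",
 },
 {
 Type: TypeSemver,
-Introduced: "v2.5.0",
+Introduced: "2.5.0",
 },
 },
 },
@@ -146,7 +146,7 @@ func TestAffectsSemver(t *testing.T) {
 // v1.0.0 < v2.0.0
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Fixed: "v2.0.0"},
+{Type: TypeSemver, Fixed: "2.0.0"},
 },
 },
 version: "v1.0.0",
@@ -156,7 +156,7 @@ func TestAffectsSemver(t *testing.T) {
 // v0.0.1 <= v1.0.0
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Introduced: "v0.0.1"},
+{Type: TypeSemver, Introduced: "0.0.1"},
 },
 },
 version: "v1.0.0",
@@ -166,7 +166,7 @@ func TestAffectsSemver(t *testing.T) {
 // v1.0.0 <= v1.0.0
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Introduced: "v1.0.0"},
+{Type: TypeSemver, Introduced: "1.0.0"},
 },
 },
 version: "v1.0.0",
@@ -176,7 +176,7 @@ func TestAffectsSemver(t *testing.T) {
 // v1.0.0 <= v1.0.0 < v2.0.0
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Introduced: "v1.0.0", Fixed: "v2.0.0"},
+{Type: TypeSemver, Introduced: "1.0.0", Fixed: "2.0.0"},
 },
 },
 version: "v1.0.0",
@@ -186,7 +186,7 @@ func TestAffectsSemver(t *testing.T) {
 // v0.0.1 <= v1.0.0 < v2.0.0
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Introduced: "v0.0.1", Fixed: "v2.0.0"},
+{Type: TypeSemver, Introduced: "0.0.1", Fixed: "2.0.0"},
 },
 },
 version: "v1.0.0",
@@ -196,7 +196,7 @@ func TestAffectsSemver(t *testing.T) {
 // v2.0.0 < v3.0.0
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Introduced: "v1.0.0", Fixed: "v2.0.0"},
+{Type: TypeSemver, Introduced: "1.0.0", Fixed: "2.0.0"},
 },
 },
 version: "v3.0.0",
@@ -206,8 +206,8 @@ func TestAffectsSemver(t *testing.T) {
 // Multiple ranges
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeSemver, Introduced: "v1.0.0", Fixed: "v2.0.0"},
-{Type: TypeSemver, Introduced: "v3.0.0"},
+{Type: TypeSemver, Introduced: "1.0.0", Fixed: "2.0.0"},
+{Type: TypeSemver, Introduced: "3.0.0"},
 },
 },
 version: "v3.0.0",
@@ -217,7 +217,7 @@ func TestAffectsSemver(t *testing.T) {
 // Wrong type range
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeUnspecified, Introduced: "v3.0.0"},
+{Type: TypeUnspecified, Introduced: "3.0.0"},
 },
 },
 version: "v3.0.0",
@@ -227,8 +227,8 @@ func TestAffectsSemver(t *testing.T) {
 // Semver ranges don't match
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeUnspecified, Introduced: "v3.0.0"},
-{Type: TypeSemver, Introduced: "v4.0.0"},
+{Type: TypeUnspecified, Introduced: "3.0.0"},
+{Type: TypeSemver, Introduced: "4.0.0"},
 },
 },
 version: "v3.0.0",
@@ -238,13 +238,23 @@ func TestAffectsSemver(t *testing.T) {
 // Semver ranges do match
 affects: Affects{
 Ranges: []AffectsRange{
-{Type: TypeUnspecified, Introduced: "v3.0.0"},
-{Type: TypeSemver, Introduced: "v3.0.0"},
+{Type: TypeUnspecified, Introduced: "3.0.0"},
+{Type: TypeSemver, Introduced: "3.0.0"},
 },
 },
 version: "v3.0.0",
 want: true,
 },
+{
+// Semver ranges match (go prefix)
+affects: Affects{
+Ranges: []AffectsRange{
+{Type: TypeSemver, Introduced: "3.0.0"},
+},
+},
+version: "go3.0.1",
+want: true,
+},
 }
 
 for _, c := range cases {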
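Review bot: The new case at the end of TestAffectsSemver (new lines 248–257) exercises the `go` prefix only on the version argument; no case puts a `go`-prefixed bound inside a range, which is the path containsSemver handles with addSemverPrefix alone. Adding `{Type: TypeSemver, Introduced: "go3.0.0", Fixed: "go3.0.2"}` with `version: "v3.0.1"` and `want: true` would cover it, and as far as I can tell from json.go it would currently fail because the bound keeps its `go` prefix and compares as an invalid semver. The case comment could also say which side carries the prefix, e.g. `// go-prefixed version against a bare range`. The cases slice and the enclosing function begin before this hunk.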
