-
Notifications
You must be signed in to change notification settings - Fork 187
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(nvd-cve-osv): handle the edge case of a valid repo reference (#2678)
The repo caching validates repos are usable for tag to commit mapping (i.e. they have tags) before adding them. It's possible that a CVE has a commit reference for a repo with no tags (but it's usable as-is because we assume the commit is a Fixed commit). These repos were not being added to the repo cache, but the repo cache was being used as a short cut by subsequent calls to `ReposFromReferences()`, overwriting the internal state on what repos were known for a CVE with multiple CPEs. This meant that for CVE-2024-45313, which has multiple CPE entries: - the `Fixed` commit was being extracted as a reference (as desired) - the full set of known repos was not being cached - the versions also extracted didn't resolve (as can happen) - the CVE was being rejected as having no Fixed commits (because these are searched for repo, from the set of *expected* repos, which was being overwritten by the cache hit on the second iteration through the CPEs) This meant that CVE-2024-45313 initially successfully converted before the NVD analyzed it, but started failing to convert after the NVD added CPEs.
- Loading branch information
1 parent
1adae75
commit 3508bb4
Showing
2 changed files
with
79 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters