Similar to #99 for GO feeds (#200)

prabhu · web-flow · commit 35f9e888ef6e · 2024-12-17T14:18:27.000Z
Signed-off-by: Prabhu Subramanian &lt;prabhu@appthreat.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.2.1"
+version = "6.2.2"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
diff --git a/test/data/GO-2022-0251.json b/test/data/GO-2022-0251.json
@@ -3,8 +3,7 @@
   "summary": "Panic on NUL character in ROA in github.com/cloudflare/cfrpki",
   "details": "OctoRPKI crashes when a repository returns an invalid ROA that is only an encoded NUL character (\\0).",
   "aliases": [
-    "CVE-2021-3910",
-    "GHSA-5mxh-2qfv-4g7j"
+    "CVE-2021-3910"
   ],
   "modified": "2024-05-20T16:03:47Z",
   "published": "2022-07-15T23:07:28Z",
diff --git a/test/data/GO-2022-0646.json b/test/data/GO-2022-0646.json
@@ -4,9 +4,7 @@
     "modified": "2022-11-21T19:50:45Z",
     "aliases": [
       "CVE-2020-8911",
-      "CVE-2020-8912",
-      "GHSA-7f33-f4f5-xwgw",
-      "GHSA-f5pg-7wfw-84q9"
+      "CVE-2020-8912"
     ],
     "details": "The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.\n\nFiles encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until reencrypted with the new client.",
     "affected": [
diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py
@@ -124,11 +124,10 @@ def to_vuln(cve_data):
         # Offer an option to ignore malware data to keep the db size small
         if getenv("OSV_EXCLUDE_MALWARE") and cve_id.startswith("MAL"):
             return ret_data
-        # Quality of PYSEC data is quite low missing both severity and score
-        # Where a PYSEC feed also reference a github id, let's ignore it since G comes before P
-        #   so it would have gotten processed
+        # Quality of PYSEC and GO data are quite low missing both severity and score
+        # Where a PYSEC or GO feed also reference a github id, let's ignore it
         # Fixes #99
-        if cve_id.startswith("PYSEC"):
+        if cve_id.startswith("PYSEC") or cve_id.startswith("GO-"):
             for i in aliases:
                 if i.startswith("GHSA"):
                     return ret_data
