OSV to vers conversion was missing the min including version (#220)

prabhu · bandhan-majumder · web-flow · commit 5d837c698a25 · 2025-07-06T09:41:02.000+01:00
Signed-off-by: Prabhu Subramanian &lt;prabhu@appthreat.com&gt;
Signed-off-by: Bandhan Majumder &lt;133476557+bandhan-majumder@users.noreply.github.com&gt;
Co-authored-by: Bandhan Majumder &lt;133476557+bandhan-majumder@users.noreply.github.com&gt;
diff --git a/test/data/osv-pypi-django.json b/test/data/osv-pypi-django.json
@@ -0,0 +1 @@
+{"id":"GHSA-2gwj-7jmv-h26r","summary":"SQL Injection in Django","details":"An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed `**kwargs`.","aliases":["BIT-django-2022-28346","CVE-2022-28346","PYSEC-2022-190"],"modified":"2025-02-21T05:41:10.759178Z","published":"2022-04-13T00:00:33Z","database_specific":{"github_reviewed_at":"2022-04-22T20:33:03Z","github_reviewed":true,"severity":"CRITICAL","cwe_ids":["CWE-89"],"nvd_published_at":"2022-04-12T05:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28346"},{"type":"WEB","url":"https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48"},{"type":"WEB","url":"https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d"},{"type":"WEB","url":"https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60"},{"type":"WEB","url":"https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200"},{"type":"WEB","url":"https://docs.djangoproject.com/en/4.0/releases/security"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2gwj-7jmv-h26r"},{"type":"PACKAGE","url":"https://github.com/django/django"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-190.yaml"},{"type":"WEB","url":"https://groups.google.com/forum/#!forum/django-announce"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20220609-0002"},{"type":"WEB","url":"https://www.debian.org/security/2022/dsa-5254"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2022/apr/11/security-releases"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2022/04/11/1"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2"},{"fixed":"2.2.28"}]}],"versions":["2.2","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.20","2.2.21","2.2.22","2.2.23","2.2.24","2.2.25","2.2.26","2.2.27","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2"},{"fixed":"3.2.13"}]}],"versions":["3.2","3.2.1","3.2.10","3.2.11","3.2.12","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0"},{"fixed":"4.0.4"}]}],"versions":["4.0","4.0.1","4.0.2","4.0.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}
diff --git a/test/test_source.py b/test/test_source.py
@@ -298,6 +298,14 @@ def test_osv_mvn_single_json():
         return json.loads(fp.read())
 
 
+@pytest.fixture
+def test_osv_pypi_django_json():
+    test_cve_data = os.path.join(
+        os.path.dirname(os.path.realpath(__file__)), "data", "osv-pypi-django.json"
+    )
+    with open(test_cve_data, mode="r", encoding="utf-8") as fp:
+        return json.loads(fp.read())
+
 @pytest.fixture
 def test_aqua_alsa_json():
     test_cve_data = os.path.join(
@@ -875,12 +883,12 @@ def test_osv_convert(
     db6.clear_all()
     osvlatest.store(cve_data)
     cve_data_count, cve_index_count = db6.stats()
-    assert cve_data_count == 4
-    assert cve_index_count == 4
+    assert cve_data_count == 5
+    assert cve_index_count == 5
     results_count = len(list(search.search_by_any("CVE-2020-8022")))
     assert results_count == 0
     results_count = len(list(search.search_by_any("CVE-2019-0647")))
-    assert results_count == 4
+    assert results_count == 5
     results_count = len(
         list(search.search_by_any("pkg:maven/org.springframework/spring-web"))
     )
@@ -1112,6 +1120,22 @@ def test_osv_mal_convert(test_osv_mal_json, test_osv_mal2_json):
     assert len(cve_data) == 1
 
 
+def test_osv_pypi_django_convert(test_osv_pypi_django_json):
+    osvlatest = OSVSource()
+    cve_data = osvlatest.convert(test_osv_pypi_django_json)
+    assert len(cve_data) == 3
+    db6.clear_all()
+    osvlatest.store(cve_data)
+    cve_data_count, cve_index_count = db6.stats()
+    assert cve_data_count == 3
+    assert cve_index_count == 3
+    results = list(search.search_by_any("CVE-2022-28346"))
+    assert len(results) == 3
+    for r in results:
+        assert "vers:pypi/>=" in r.get("vers", "")
+    db6.clear_all()
+
+
 def test_aqua_convert(
     test_aqua_alsa_json,
     test_aqua_alas_json,
diff --git a/test/test_utils.py b/test/test_utils.py
@@ -947,6 +947,23 @@ def test_purl_vers_convert():
             ],
             "vers:deb/<2.36.1-8+deb11u1|!=2.36.1-8+deb11u1",
         ),
+        (
+            "pypi",
+            [
+                {
+                    "status": "affected",
+                    "versionType": "pypi",
+                    "version": "2.2",
+                    "lessThan": r"2.2.28",
+                },
+                {
+                    "version": r"2.2.28",
+                    "status": "unaffected",
+                    "versionType": "pypi",
+                }
+            ],
+            "vers:pypi/>=2.2|<2.2.28|!=2.2.28",
+        ),
     ]
     for tt in test_tuples:
         assert utils.to_purl_vers(tt[0], tt[1]) == tt[2]
diff --git a/vdb/lib/cve.py b/vdb/lib/cve.py
@@ -121,15 +121,7 @@ def to_product_versions(vendor, adetail: VulnerabilityDetail) -> list[Versions]:
                     status=Status.affected,
                 )
             )
-        if adetail.mae and adetail.mae not in ("*", "-"):
-            versions.append(
-                Versions(
-                    version=Version(adetail.mae),
-                    versionType=version_type,
-                    status=Status.unaffected,
-                )
-            )
-        elif adetail.mae:
+        if adetail.mae:
             versions.append(
                 Versions(
                     version=Version(adetail.mii),
@@ -138,6 +130,14 @@ def to_product_versions(vendor, adetail: VulnerabilityDetail) -> list[Versions]:
                     status=Status.affected,
                 )
             )
+            if adetail.mae not in ("*", "-"):
+                versions.append(
+                    Versions(
+                        version=Version(adetail.mae),
+                        versionType=version_type,
+                        status=Status.unaffected,
+                    )
+                )
             lt_captured = True
         else:
             versions.append(

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"id":"GHSA-2gwj-7jmv-h26r","summary":"SQL Injection in Django","details":"An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed `**kwargs`.","aliases":["BIT-django-2022-28346","CVE-2022-28346","PYSEC-2022-190"],"modified":"2025-02-21T05:41:10.759178Z","published":"2022-04-13T00:00:33Z","database_specific":{"github_reviewed_at":"2022-04-22T20:33:03Z","github_reviewed":true,"severity":"CRITICAL","cwe_ids":["CWE-89"],"nvd_published_at":"2022-04-12T05:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28346"},{"type":"WEB","url":"https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48"},{"type":"WEB","url":"https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d"},{"type":"WEB","url":"https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60"},{"type":"WEB","url":"https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200"},{"type":"WEB","url":"https://docs.djangoproject.com/en/4.0/releases/security"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2gwj-7jmv-h26r"},{"type":"PACKAGE","url":"https://github.com/django/django"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-190.yaml"},{"type":"WEB","url":"https://groups.google.com/forum/#!forum/django-announce"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20220609-0002"},{"type":"WEB","url":"https://www.debian.org/security/2022/dsa-5254"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2022/apr/11/security-releases"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2022/04/11/1"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2"},{"fixed":"2.2.28"}]}],"versions":["2.2","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.20","2.2.21","2.2.22","2.2.23","2.2.24","2.2.25","2.2.26","2.2.27","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2"},{"fixed":"3.2.13"}]}],"versions":["3.2","3.2.1","3.2.10","3.2.11","3.2.12","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0"},{"fixed":"4.0.4"}]}],"versions":["4.0","4.0.1","4.0.2","4.0.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}