internal/database: fix bug in latestFixedVersion

Fixes a bug in which latest fixed version was computed incorrectly when a vuln was re-introduced and never subsequently fixed. (This is an uncommon case, and never appeared in our actual database). Also adds a test for this case. Change-Id: I7a88f16a4fef079d8bb23f6a2e9ffd7dd57db30a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/487455 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
golang · Apr 21, 2023 · 5d77d40 · 5d77d40
1 parent 4a4e065
commit 5d77d40
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 4 deletions.
diff --git a/internal/database/new.go b/internal/database/new.go
@@ -83,12 +83,20 @@ func (v *VulnsIndex) add(entry osv.Entry) error {
 func latestFixedVersion(ranges []osv.Range) string {
 	var latestFixed report.Version
 	for _, r := range ranges {
-		if r.Type == "SEMVER" {
+		if r.Type == osv.RangeTypeSemver {
 			for _, e := range r.Events {
 				if fixed := report.Version(e.Fixed); fixed != "" && latestFixed.Before(fixed) {
 					latestFixed = fixed
 				}
 			}
+			// If the vulnerability was re-introduced after the latest fix
+			// we found, there is no latest fix for this range.
+			for _, e := range r.Events {
+				if introduced := report.Version(e.Introduced); introduced != "" && introduced != "0" && latestFixed.Before(introduced) {
+					latestFixed = ""
+					break
+				}
+			}
 		}
 	}
 	return string(latestFixed)

diff --git a/internal/database/new_test.go b/internal/database/new_test.go
@@ -120,7 +120,7 @@ func TestNew(t *testing.T) {
 	}
 }
 
-func TestLatestFixedVerion(t *testing.T) {
+func TestLatestFixedVersion(t *testing.T) {
 	tests := []struct {
 		name   string
 		ranges []osv.Range
@@ -144,7 +144,33 @@ func TestLatestFixedVerion(t *testing.T) {
 			want: "",
 		},
 		{
-			name: "unsorted",
+			name: "no latest fix",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{Introduced: "0"},
+					{Fixed: "1.0.4"},
+					{Introduced: "1.1.2"},
+				},
+			}},
+			want: "",
+		},
+		{
+			name: "unsorted no latest fix",
+			ranges: []osv.Range{{
+				Type: osv.RangeTypeSemver,
+				Events: []osv.RangeEvent{
+					{Fixed: "1.0.4"},
+					{Introduced: "0"},
+					{Introduced: "1.1.2"},
+					{Introduced: "1.5.0"},
+					{Fixed: "1.1.4"},
+				},
+			}},
+			want: "",
+		},
+		{
+			name: "unsorted with fix",
 			ranges: []osv.Range{{
 				Type: osv.RangeTypeSemver,
 				Events: []osv.RangeEvent{
@@ -215,7 +241,10 @@ func TestLatestFixedVerion(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			latestFixedVersion(test.ranges)
+			got := latestFixedVersion(test.ranges)
+			if got != test.want {
+				t.Errorf("latestFixedVersion = %q, want %q", got, test.want)
+			}
 		})
 	}
 }