Merge pull request #1350 from luhring/cga-id-validation
fix(adv): validate that advisory IDs are CGA IDs
luhring authored Dec 10, 2024
2 parents 658d85e + 763ff98 commit 3970377
Showing 34 changed files with 177 additions and 91 deletions.
22 changes: 14 additions & 8 deletions pkg/advisory/diff_test.go
Expand Up @@ -40,7 +40,8 @@ func TestIndexDiff(t *testing.T) {
},
Advisories: v2.Advisories{
{
ID: "CVE-2023-24535",
ID: "CGA-3333-3333-3333",
Aliases: []string{"CVE-2023-24535"},
Events: []v2.Event{
{
Timestamp: v2.Timestamp(now),
Expand Down Expand Up @@ -85,7 +86,8 @@ func TestIndexDiff(t *testing.T) {
Name: "ko",
Added: v2.Advisories{
{
ID: "CVE-2023-11111",
ID: "CGA-3333-3333-3333",
Aliases: []string{"CVE-2023-1111"},
Events: []v2.Event{
{
Timestamp: v2.Timestamp(now),
Expand Down Expand Up @@ -127,9 +129,10 @@ func TestIndexDiff(t *testing.T) {
Name: "ko",
Modified: []DiffResult{
{
ID: "CVE-2023-24535",
ID: "CGA-2222-2222-2222",
Added: v2.Advisory{
ID: "CVE-2023-24535",
ID: "CGA-2222-2222-2222",
Aliases: []string{"CVE-2023-24535"},
Events: []v2.Event{
{
Timestamp: unixEpochTimestamp,
Expand All @@ -138,8 +141,9 @@ func TestIndexDiff(t *testing.T) {
},
},
Removed: v2.Advisory{
ID: "CVE-2023-24535",
ID: "CGA-2222-2222-2222",
Aliases: []string{
"CVE-2023-24535",
"GHSA-2222-2222-2222",
},
Events: []v2.Event{
Expand All @@ -163,9 +167,10 @@ func TestIndexDiff(t *testing.T) {
Name: "ko",
Modified: []DiffResult{
{
ID: "CVE-2023-11111",
ID: "CGA-3333-3333-3333",
Added: v2.Advisory{
ID: "CVE-2023-11111",
ID: "CGA-3333-3333-3333",
Aliases: []string{"CVE-2023-11111"},
Events: []v2.Event{
{
Timestamp: unixEpochTimestamp,
Expand All @@ -178,7 +183,8 @@ func TestIndexDiff(t *testing.T) {
},
},
Removed: v2.Advisory{
ID: "CVE-2023-11111",
ID: "CGA-3333-3333-3333",
Aliases: []string{"CVE-2023-11111"},
Events: []v2.Event{
{
Timestamp: unixEpochTimestamp,
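Review bot: The alias added in the second hunk, `Aliases: []string{"CVE-2023-1111"},`, is one digit shorter than the `CVE-2023-11111` that the same original ID is mapped to in the Modified expectations further down this file and in most of the fixtures on this page. The `b` fixture on this page carries the same `CVE-2023-1111`, so the test remains self-consistent, but if this is a typo both places should read `Aliases: []string{"CVE-2023-11111"},`. A four-digit sequence is still a well-formed CVE identifier, so the CGA-ID validation this PR adds would not flag it. TestIndexDiff starts and ends outside these hunks.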
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-24535
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-24535
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,12 +4,16 @@ package:
name: ko

advisories:
- id: CVE-2023-24535
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-24535
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination

- id: CVE-2023-11111
- id: CGA-3333-3333-3333
aliases:
- CVE-2023-1111
events:
- timestamp: 2023-11-11T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,11 +4,12 @@ package:
name: kaf

advisories:
- id: CVE-2023-39325
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-39325
- GHSA-4374-p667-p6c8
events:
- timestamp: 2023-10-25T23:52:38Z
type: fixed
data:
fixed-version: 0.2.6-r6
fixed-version: 0.2.6-r6
Expand Up @@ -4,11 +4,12 @@ package:
name: kaf

advisories:
- id: CVE-2023-39325
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-39325
- GHSA-4374-p667-p6c8
events:
- timestamp: 2023-10-25T23:52:38Z
type: fixed
data:
fixed-version: 0.2.6-r6
fixed-version: 0.2.6-r6
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-24535
- id: CGA-3333-3333-3333
aliases:
- CVE-2023-24535
events:
- timestamp: 2023-11-11T00:00:00Z
type: true-positive-determination
type: true-positive-determination
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-11111
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-11111
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,7 +4,9 @@ package:
name: nonexistent

advisories:
- id: CVE-2023-33333
- id: CGA-2323-2323-2323
aliases:
- CVE-2023-33333
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-11111
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-11111
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,7 +4,9 @@ package:
name: nonexistent

advisories:
- id: CVE-2023-33333
- id: CGA-2323-2323-2323
aliases:
- CVE-2023-33333
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
4 changes: 3 additions & 1 deletion pkg/advisory/testdata/diff/added-event/a/ko.advisories.yaml
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-11111
- id: CGA-3333-3333-3333
aliases:
- CVE-2023-11111
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
4 changes: 3 additions & 1 deletion pkg/advisory/testdata/diff/added-event/b/ko.advisories.yaml
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-11111
- id: CGA-3333-3333-3333
aliases:
- CVE-2023-11111
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,8 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-24535
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-24535
- GHSA-2222-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2023-24535
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-24535
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
5 changes: 3 additions & 2 deletions pkg/advisory/testdata/diff/same/a/kaf.advisories.yaml
Expand Up @@ -4,11 +4,12 @@ package:
name: kaf

advisories:
- id: CVE-2023-39325
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-39325
- GHSA-4374-p667-p6c8
events:
- timestamp: 2023-10-25T23:52:38Z
type: fixed
data:
fixed-version: 0.2.6-r6
fixed-version: 0.2.6-r6
5 changes: 3 additions & 2 deletions pkg/advisory/testdata/diff/same/b/kaf.advisories.yaml
Expand Up @@ -4,11 +4,12 @@ package:
name: kaf

advisories:
- id: CVE-2023-39325
- id: CGA-2222-2222-2222
aliases:
- CVE-2023-39325
- GHSA-4374-p667-p6c8
events:
- timestamp: 2023-10-25T23:52:38Z
type: fixed
data:
fixed-version: 0.2.6-r6
fixed-version: 0.2.6-r6
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: GHSA-2222-2222-2222
- id: CGA-42mf-6jm5-fv45
aliases:
- GHSA-2222-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2222-2222
- id: CGA-42mf-6jm5-fv45
aliases:
- CVE-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,8 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2222-2222
- id: CGA-42mf-6jm5-fv45
aliases:
- CVE-2222-2222
- GHSA-2222-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z

This file was deleted.

Expand Up @@ -4,12 +4,12 @@ package:
name: ko

advisories:
- id: GHSA-2222-2222-2222
- id: CGA-42mf-6jm5-fv45
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination

- id: GHSA-2222-2222-2222
- id: CGA-42mf-6jm5-fv45
events:
- timestamp: 1970-01-01T00:00:00Z
type: fixed
Expand Up @@ -4,12 +4,12 @@ package:
name: ko

advisories:
- id: GHSA-2222-2222-2222
- id: CGA-2222-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination

- id: GHSA-3333-3333-3333
- id: CGA-2222-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
type: fixed
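Review bot: Both advisories in this fixture now carry the same identifier, `- id: CGA-2222-2222-2222` on each entry, whereas the old file kept them distinct as GHSA-2222-2222-2222 and GHSA-3333-3333-3333. The file header is not shown in this section, so it is not clear whether this fixture is meant to exercise duplicate-ID detection; the fixture directly below keeps its two entries distinct (`CGA-2222-2222-2222` and `CGA-3333-3333-3333`), which suggests the two files cover different cases. If distinct IDs were intended here, the second entry should read `- id: CGA-3333-3333-3333`.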
Expand Up @@ -4,12 +4,12 @@ package:
name: ko

advisories:
- id: GHSA-2222-2222-2222
- id: CGA-2222-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination

- id: GHSA-3333-3333-3333
- id: CGA-3333-3333-3333
events:
- timestamp: 1970-01-01T00:00:00Z
type: fixed
Expand Up @@ -4,7 +4,9 @@ package:
name: ko

advisories:
- id: CVE-2222-2222
- id: CGA-2222-2222-2222
aliases:
- CVE-2222-2222
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination
Expand Up @@ -4,7 +4,9 @@ package:
name: mo

advisories:
- id: CVE-3333-3333
- id: CGA-3333-3333-3333
aliases:
- CVE-3333-3333
events:
- timestamp: 1970-01-01T00:00:00Z
type: true-positive-determination