Fix for several invalid versions #701

Open
wants to merge 1 commit into
base: main
4 changes: 2 additions & 2 deletions osv/malicious/pypi/aiotrans/MAL-2024-9938.json
@@ -1,5 +1,5 @@
{
"modified": "2024-10-16T14:36:17Z",
"modified": "2024-12-09T06:49:42Z",
"published": "2024-10-16T14:36:17Z",
"schema_version": "1.5.0",
"id": "MAL-2024-9938",
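Review bot: Bumping `modified` while leaving `published` untouched is the correct way to record an in-place edit, but the discussion attached to the versions hunk in this same file notes that a non-additive change to an advisory normally means withdrawing it and issuing a new ID rather than editing it. The PR description should say explicitly that the manual fix-up path was agreed on and whether a matching entry is needed in malicious-packages-origins, so that a consumer who sees only the `modified` change can trace why the version list moved.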
Expand All @@ -15,7 +15,7 @@
"versions": [
"1.0.0rc1",
"1.0.0rc2",
"1",
"1.0",

I have to bring this up again, just to make sure we're in sync with @calebbrown, and handling this correctly.

So our procedure usually is that when non-additive changes happen to an advisory, we withdraw the advisory and generate a new one, with a new ID. This generates 'extra' advisories and withdrawals, and since the OSSF doesn't handle withdrawals automatically we decided to fix up existing ones manually for these smaller scale issues. This was already done in #673

This is why there are two entries in malicious-packages-origins for RLMA-2024-03512
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/admcheck/MAL-2024-4732.json#L48

@calebbrown commented that this is okay, since the 'history' is preserved #673 (comment)

But that worked because the whole bucket was reprocessed from the start last time, which I don't believe will be the case anymore?
If we plan to manually edit existing advisories now, we probably need to generate a new entry in malicious-packages-origins as well?

Contributor


If an additional version is added, it might be better to publish a new updated version of the report with the correct version(s), with a higher number (or an RLUP- report).

This would be merged and add the version to the report.

Removing the "1" currently must be done manually.

If you'd prefer I can update all the versions in this PR.

"1.1",
"1.2"
]
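Review bot: The `"1"` to `"1.0"` correction matters more than it looks: OSV `versions` entries are matched by exact string, so an advisory listing `"1"` would not match a package installed as `1.0` even though PEP 440 treats the two as equal, which is also why the neighbouring entries keep their dotted form (`"1.0.0rc1"`, `"1.1"`, `"1.2"`). The diff cannot show that `1.0` is the string PyPI actually published for aiotrans, so please state in the PR description where that was confirmed; and since the comment above points out that dropping a version is a non-additive change, either record the origin of this edit alongside the advisory or turn it into a withdrawal plus a new report, as the usual procedure described there would.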
4 changes: 2 additions & 2 deletions osv/malicious/pypi/httpxv2/MAL-2024-5246.json
@@ -1,5 +1,5 @@
{
"modified": "2024-06-25T13:36:17Z",
"modified": "2024-12-09T06:50:23Z",
"published": "2024-06-25T13:36:17Z",
"schema_version": "1.5.0",
"id": "MAL-2024-5246",
Expand All @@ -13,7 +13,7 @@
"purl": "pkg:pypi/httpxv2"
},
"versions": [
"1"
"1.0"
]
}
],
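Review bot: For httpxv2 the affected list is a single entry, so changing `"1"` to `"1.0"` replaces the advisory's entire matchable set: if `1` was never a published release, the advisory matched nothing before this edit and matches only `1.0` after it. Worth a line in the commit message listing the packages whose sole version string changed, plus a check against the PyPI release history that none of them also published a `1` alongside `1.0`, since this edit removes that string rather than adding to the list.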
4 changes: 2 additions & 2 deletions osv/malicious/pypi/httpxv3/MAL-2024-5247.json
@@ -1,5 +1,5 @@
{
"modified": "2024-06-25T13:36:17Z",
"modified": "2024-12-09T06:50:24Z",
"published": "2024-06-25T13:36:17Z",
"schema_version": "1.5.0",
"id": "MAL-2024-5247",
Expand All @@ -13,7 +13,7 @@
"purl": "pkg:pypi/httpxv3"
},
"versions": [
"1"
"1.0"
]
}
],
4 changes: 2 additions & 2 deletions osv/malicious/pypi/packagename69/MAL-2024-5447.json
@@ -1,5 +1,5 @@
{
"modified": "2024-06-25T13:37:54Z",
"modified": "2024-12-09T06:50:44Z",
"published": "2024-06-25T13:37:54Z",
"schema_version": "1.5.0",
"id": "MAL-2024-5447",
Expand All @@ -13,7 +13,7 @@
"purl": "pkg:pypi/packagename69"
},
"versions": [
"1"
"1.0"
]
}
],
4 changes: 2 additions & 2 deletions osv/malicious/pypi/shadow-scraper/MAL-2024-5999.json
@@ -1,5 +1,5 @@
{
"modified": "2024-06-25T13:42:30Z",
"modified": "2024-12-09T06:51:09Z",
"published": "2024-06-25T13:42:30Z",
"schema_version": "1.5.0",
"id": "MAL-2024-5999",
Expand All @@ -13,7 +13,7 @@
"purl": "pkg:pypi/shadow-scraper"
},
"versions": [
"1"
"1.0"
]
}
],