
@ziadhany
Collaborator

@ziadhany ziadhany commented Nov 3, 2025

  • Introduce affected_by_commits and fixed_by_commits fields in our advisory
  • Update from_dict and to_dict methods
  • Update compute_checksum method
  • Create a CodeCommitData importer class
  • Update OSV to collect code fix commits

… in Advisory

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany ziadhany force-pushed the advisory-fix-commit-1 branch from 2af10cf to a8ec9f1 November 4, 2025 15:58
@ziadhany ziadhany marked this pull request as ready for review November 4, 2025 16:01
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany ziadhany changed the title Add support for affected_by_commits and fixed_by_commits Add support for affected_by_commits, fixed_by_commits, and OSV code fix commits Nov 5, 2025
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany ziadhany requested review from TG1999 and keshav-space and removed request for keshav-space November 5, 2025 15:40
@TG1999
Contributor

TG1999 commented Nov 6, 2025

@ziadhany add description in the PR please!

    except InvalidVersion:
        logger.error(f"Invalid SemverVersion: {version!r} for OSV id: {raw_id!r}")

    if fixed_range_type == "GIT":
Contributor

Why this? And what's the get_code_commit function?

Collaborator Author

In the OSV schema, a commit can be treated as the package version.
https://ossf.github.io/osv-schema/#python-vulnerability

"ranges": [
  {
    "type": "GIT",
    "repo": "https://github.com/owner/repo",
    "events": [
      { "introduced": "X" },
      { "fixed": "Y" }
    ]
  }
]

When importing this data into the new model, we currently log it as "Unsupported fixed version type".
Instead, we should skip these entries silently to avoid unnecessary log noise, since they are already handled in the get_code_commit function.

Contributor

Why skip these and not create code commits out of them?

Collaborator Author

Because the get_fixed_versions function returns only versions, I thought the name might be misleading.

No problem I’ll update it and rename get_fixed_versions to get_fixed_versions_and_commits
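As an added example, not code from this PR or from VulnerableCode itself: a stand-alone Python version of the split the review thread settles on, where version events from ECOSYSTEM/SEMVER ranges become fixed/affected versions, events from GIT ranges become fix/introducing commits keyed by the range's repo, and an unsupported range type is reported once instead of being logged for every entry. The function name mirrors the renamed helper mentioned above, but its body, the CodeCommit and RangeData containers, the hex commit-id check and the sample OSV record are all assumptions made for illustration.

```python
"""Added example (not VulnerableCode's own code): route OSV "affected[].ranges"
events to package versions or to code commits depending on the range type.

Assumptions: the OSV record is the plain dict published by osv.dev; ECOSYSTEM
and SEMVER events carry version strings, GIT events carry commit ids and the
range's "repo" names the repository. SAMPLE_OSV below is constructed, not a
real advisory.
"""
import re
from dataclasses import dataclass, field

# GIT range events hold commit ids, not versions
# (https://ossf.github.io/osv-schema/#affectedrangesevents-fields).
_HEX_COMMIT = re.compile(r"^[0-9a-f]{7,40}$")


@dataclass(frozen=True)
class CodeCommit:
    """Hypothetical container: one commit in one repository."""
    repo: str
    commit: str


@dataclass
class RangeData:
    """Hypothetical result holder for one OSV record."""
    fixed_versions: list = field(default_factory=list)
    affected_versions: list = field(default_factory=list)
    fixed_by_commits: list = field(default_factory=list)
    affected_by_commits: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def get_fixed_versions_and_commits(osv_record: dict) -> RangeData:
    """Walk every range of every affected entry of an OSV record."""
    out = RangeData()
    osv_id = osv_record.get("id", "<no id>")
    for affected in osv_record.get("affected", []):
        for rng in affected.get("ranges", []):
            range_type = rng.get("type")
            events = rng.get("events", [])
            if range_type == "GIT":
                repo = rng.get("repo")
                if not repo:
                    out.errors.append(f"{osv_id}: GIT range without repo")
                    continue
                for event in events:
                    for key, target in (("introduced", out.affected_by_commits),
                                        ("fixed", out.fixed_by_commits)):
                        value = event.get(key)
                        # "introduced": "0" means "since the first commit": no commit to record
                        if value is None or value == "0":
                            continue
                        if not _HEX_COMMIT.match(value):
                            out.errors.append(
                                f"{osv_id}: non-commit {key!r} value in GIT range: {value!r}")
                            continue
                        target.append(CodeCommit(repo=repo, commit=value))
            elif range_type in ("ECOSYSTEM", "SEMVER"):
                for event in events:
                    introduced = event.get("introduced")
                    if introduced is not None and introduced != "0":
                        out.affected_versions.append(introduced)
                    if "fixed" in event:
                        out.fixed_versions.append(event["fixed"])
                    if "last_affected" in event:
                        out.affected_versions.append(event["last_affected"])
            else:
                # reported once per range instead of logged per entry
                out.errors.append(f"{osv_id}: unsupported range type {range_type!r}")
    return out


# Constructed sample record for demonstration; ids and hashes are made up.
SAMPLE_OSV = {
    "id": "EXAMPLE-2025-0001",
    "affected": [
        {
            "package": {"ecosystem": "PyPI", "name": "examplepkg"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]},
                {"type": "GIT",
                 "repo": "https://github.com/owner/repo",
                 "events": [{"introduced": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"},
                            {"fixed": "5e2a9c0b1d3f4a6b7c8d9e0f1a2b3c4d5e6f7a8b"}]},
                {"type": "FOO", "events": [{"introduced": "0"}]},
            ],
        }
    ],
}

if __name__ == "__main__":
    result = get_fixed_versions_and_commits(SAMPLE_OSV)
    print(result)
```

Running it on the sample yields one fixed version (1.2.3), one fix commit and one introducing commit both bound to https://github.com/owner/repo, and a single error entry for the unknown range type FOO; the "introduced": "0" sentinel is skipped in both the ECOSYSTEM and the GIT branch rather than being stored as a version or a commit.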

Add all the fields in keys for comparison CodeCommitData

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany ziadhany requested a review from TG1999 November 7, 2025 02:48
@TG1999
Contributor

TG1999 commented Nov 7, 2025

@ziadhany mostly looks good! Please run the importer once and paste the logs here. Thanks!

I want to see if we are missing any data in the OSV format. And how do the AdvisoryData and ImpactedPackages look with the new CommitData? Thanks!

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Collaborator Author

ziadhany commented Nov 7, 2025

@TG1999 This is the log output for the following importers:

  • pysec_importer_v2
  • pypa_importer_v2
  • oss_fuzz_importer_v2

importers_logs.zip

The database query result:

  • vulnerabilities_advisory: 3262 rows
  • vulnerabilities_impactedpackage_fixed_by_commits: 4013 rows
  • vulnerabilities_impactedpackage_affecting_commits: 3623 rows
  • vulnerabilities_codecommit: 3791 rows

@ziadhany ziadhany requested a review from TG1999 November 7, 2025 14:56