Skip to content

feat: rework combine-to-osv to begin to combine NVD and CVE5 OSV records #4086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 93 commits into from
Oct 7, 2025
Merged

feat: rework combine-to-osv to begin to combine NVD and CVE5 OSV records #4086

merged 93 commits into from
Oct 7, 2025

Conversation

@jess-lowe
Copy link
Contributor

@jess-lowe jess-lowe commented Oct 1, 2025

NVD Output Changes:

  • Updates the NVD conversion to start outputting OSV records instead of PackageInfo
  • Changes the output location of NVD to no longer be in the 'parts' directory

combine-to-osv changes:

  • reads in two file paths for NVD OSV data and CVE5 OSV data
  • lists CVEIDs of Alpine and debian vulns and generates the 'upstream' records for them too so they still have an upstream,
  • somewhat intelligently tries to combine data between the records, with a bias toward the CVE5 conversion.
  • outputs the files.

jess-lowe added 30 commits August 28, 2025 04:47
@jess-lowe
Fix missing delete
1a466f1
@jess-lowe
Remove Linux special treatment
f5b40e4
@jess-lowe
Improve inverse version extraction
bad798b
@jess-lowe
Fix double commit hash sections
b62ceb3
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-conv-cro…
86ace30 
…n-prep
@jess-lowe
Remove database_specific map from initial vuln instance
b4f5b57
@jess-lowe
fix version_extraction test
c352ac1
@jess-lowe
rename and repackage cvelist converstion
f17b8c5
@jess-lowe
repackage
0638dff
@jess-lowe
cvelist mass converter script
f7b0de3
@jess-lowe
Remove outcomes logic for now (not very concurrency-friendly)
0fc040d
@jess-lowe
Converter script
227ba92
@jess-lowe
rename files back
e2f5b64
@jess-lowe
dockerfile and cron job
c56e9d5
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-conv-cro…
7df4e7c 
…n-prep
@jess-lowe
flatten if statements
cf40025
@jess-lowe
Revert "dockerfile and cron job"
394d039 
This reverts commit c56e9d5.
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-conv-cro…
34e3505 
…n-prep
@jess-lowe
update logger
013c5c8
@jess-lowe
fix lint through refactoring everything :(
34878fb
@jess-lowe
Added flags and removed double parsing
af05357
@jess-lowe
rename sortBadSemver
9b2ce86
@jess-lowe
refactored parts for clarity
68f8d55
@jess-lowe
deal with if number of parts are not 2 or 3
28e0691
@jess-lowe
rename sortBadSemver in tests
e69b7fb
@jess-lowe
Refactor VersionToCommit to ONLY return a commit, not the AffectedCom…
0114a27 
…mit stuff.
@jess-lowe
update test snapshots
5fa7c47
@jess-lowe
FIX LINT
fbdd60f
@jess-lowe
MUCH PRETTIER CODE
56c6db5
@jess-lowe
Merge remote-tracking branch 'upstream/master' into feat/cve-git-reso…
40b1d9f 
…lve-1
@jess-lowe jess-lowe requested review from another-rex and michaelkedar and removed request for another-rex October 1, 2025 06:23
another-rex
another-rex requested changes Oct 2, 2025
View reviewed changes
vulnfeeds/cmd/combine-to-osv/main.go
if nvdRanges, ok := nvdRepoMap[repo]; ok {
var newAffectedRanges []osvschema.Range

// Found a match. If NVD has more ranges, use its ranges.
Copy link
Contributor

@another-rex another-rex Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same concern here as above, is this the correct assumption? What if cve5 has different ranges?

Copy link
Contributor Author

@jess-lowe jess-lowe Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to look at improving and handling this in a future PR. For now, I just want to have some level of merging intelligence, so we can start populating the records, and will work on improving it later.

@jess-lowe jess-lowe requested a review from another-rex October 2, 2025 05:57
another-rex
another-rex reviewed Oct 3, 2025
View reviewed changes
Copy link
Contributor

@another-rex another-rex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@jess-lowe jess-lowe requested a review from another-rex October 3, 2025 01:25
another-rex
another-rex approved these changes Oct 3, 2025
View reviewed changes
Copy link
Contributor

@another-rex another-rex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jess-lowe jess-lowe merged commit 5afab6f into google:master Oct 7, 2025
16 checks passed
@jess-lowe jess-lowe deleted the feat/combine-2-osv branch October 13, 2025 04:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@another-rex another-rex another-rex approved these changes

@michaelkedar michaelkedar Awaiting requested review from michaelkedar

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jess-lowe @another-rex