Skip to content

Commit

Permalink
service/osv: guard against schema changes (#288)
Browse files Browse the repository at this point in the history
* service/osv: guard against schema changes

Signed-off-by: William Woodruff <[email protected]>

* CHANGELOG: record changes

Signed-off-by: William Woodruff <[email protected]>
  • Loading branch information
woodruffw authored May 25, 2022
1 parent a5c01f7 commit 5e46f17
Show file tree
Hide file tree
Showing 3 changed files with 41 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ All versions prior to 0.0.9 are untracked.
connection failures to vulnerability sources was improved
([#287](https://github.com/trailofbits/pip-audit/pull/287))

* Vulnerability sources: the OSV service is now more resilient
to schema changes ([#288](https://github.com/trailofbits/pip-audit/pull/288))

### Fixed

* Vulnerability sources: a bug stemming from an incorrect assumption
Expand Down
9 changes: 9 additions & 0 deletions pip_audit/_service/osv.py
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,15 @@ def query(self, spec: Dependency) -> Tuple[Dependency, List[VulnerabilityResult]
return spec, results

for vuln in response_json["vulns"]:
# Sanity check: only the v1 schema is specified at the moment,
# and the code below probably won't work with future incompatible
# schemas without additional changes.
# The absence of a schema is treated as 1.0.0, per the OSV spec.
schema_version = Version(vuln.get("schema_version", "1.0.0"))
if schema_version.major != 1:
logger.warning(f"Unsupported OSV schema version: {schema_version}")
continue

id = vuln["id"]

# The summary is intended to be shorter, so we prefer it over
Expand Down
29 changes: 29 additions & 0 deletions test/service/test_osv.py
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,35 @@ def test_osv_skipped_dep():
assert len(vulns) == 0


@pytest.mark.parametrize("version", ["0.0.0", "2.0.0", "2.3.4"])
def test_osv_unsupported_schema_version(monkeypatch, version):
logger = pretend.stub(warning=pretend.call_recorder(lambda s: None))
monkeypatch.setattr(service.osv, "logger", logger)

payload = {
"vulns": [
{"schema_version": version},
]
}

response = pretend.stub(raise_for_status=lambda: None, json=lambda: payload)
post = pretend.call_recorder(lambda *a, **kw: response)

osv = service.OsvService()
monkeypatch.setattr(osv.session, "post", post)

dep = service.ResolvedDependency("foo", Version("1.0.0"))
results = dict(osv.query_all(iter([dep])))

assert logger.warning.calls == [pretend.call(f"Unsupported OSV schema version: {version}")]

assert len(results) == 1
assert dep in results

vulns = results[dep]
assert len(vulns) == 0


@pytest.mark.parametrize(
["summary", "details", "description"],
[
Expand Down

0 comments on commit 5e46f17

Please sign in to comment.