feat(API): update version matching for NuGet, PyPI and RubyGems #2971
Malicious package publishes OSV records for crates.io, npm, NuGet, PyPI, and RubyGems. Queries for NuGet, PyPI, and RubyGems (npm and crates.io use semantic versioning, so the matching process is different) only match vulnerabilities against specific affected versions. However, malicious package records may only provide affected ranges instead of individual versions in some cases (e.g. https://api.osv.dev/v1/vulns/MAL-2022-7426). OSV also can't enumerate affected versions for a malicious package, as those versions have been deleted. This causes issues like #2407.

Switching the API query version matching from `_query_by_generic_version()` to `_query_by_comparing_versions()` can address this issue. The `_query_by_comparing_versions()` function matches both affected versions and affected ranges, but might slow down performance a bit.

Adding this PR after the end-of-year release to give more time to verify performance on the test instance before rolling out to prod.
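The difference between the two matching strategies described above, shown as an added, stand-alone Python example. This is not osv.dev's own code and does not reproduce its `_query_by_generic_version()` or `_query_by_comparing_versions()` implementations; the function names `match_by_generic_version`, `match_by_comparing_versions` and `version_in_range`, the simplified numeric version comparator, and the three `affected` records (including the range-only one that stands in for a malicious-package record; it is not the content of MAL-2022-7426) are all constructed for illustration. Only OSV `ECOSYSTEM` ranges are handled, since the PR text limits the change to NuGet, PyPI and RubyGems:

```python
import re

# Constructed sample records in the shape of OSV "affected" entries (not copied
# from any real advisory). The first mimics a malicious-package record that
# carries only an ECOSYSTEM range; the second lists explicit versions only;
# the third mixes both, with a 'fixed' (exclusive) and a 'last_affected'
# (inclusive) end event.
RANGE_ONLY_AFFECTED = [
    {
        "package": {"ecosystem": "PyPI", "name": "example-pkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
    }
]

VERSIONS_ONLY_AFFECTED = [
    {
        "package": {"ecosystem": "RubyGems", "name": "example-gem"},
        "versions": ["2.0.0", "2.0.1"],
    }
]

MIXED_AFFECTED = [
    {
        "package": {"ecosystem": "NuGet", "name": "Example.Package"},
        "versions": ["0.5.0"],
        "ranges": [
            {
                "type": "ECOSYSTEM",
                "events": [
                    {"introduced": "1.0.0"},
                    {"fixed": "1.4.0"},
                    {"introduced": "2.0.0"},
                    {"last_affected": "2.2.0"},
                ],
            }
        ],
    }
]


def _key(version):
    """Simplified numeric comparison key (assumption for this example).
    Real ecosystems need their own comparators (PEP 440, NuGet versioning,
    Gem::Version). "0" is OSV's sentinel for 'from the first version'."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version))
    return nums or (0,)


def _cmp(a, b):
    """Three-way compare after zero-padding, so '1.0' == '1.0.0'."""
    ka, kb = _key(a), _key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def _intervals(events):
    """Turn an ordered OSV event list into (start, end, end_inclusive) tuples.
    'fixed' closes an interval exclusively, 'last_affected' inclusively, and
    an unterminated 'introduced' runs to infinity."""
    out, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            out.append((start, ev["fixed"], False))
            start = None
        elif "last_affected" in ev and start is not None:
            out.append((start, ev["last_affected"], True))
            start = None
    if start is not None:
        out.append((start, None, False))
    return out


def version_in_range(rng, version):
    """True if `version` falls inside an ECOSYSTEM range's affected intervals."""
    if rng.get("type") != "ECOSYSTEM":
        return False  # SEMVER/GIT ranges need semver/commit logic, not shown here
    for start, end, inclusive in _intervals(rng.get("events", [])):
        if _cmp(version, start) < 0:
            continue
        if end is None:
            return True
        c = _cmp(version, end)
        if c < 0 or (inclusive and c == 0):
            return True
    return False


def match_by_generic_version(affected, version):
    """Explicit-version matching: a hit only if the queried version appears in
    affected[].versions. A range-only record can never match this way."""
    return any(version in a.get("versions", []) for a in affected)


def match_by_comparing_versions(affected, version):
    """Matching that also walks affected[].ranges, so range-only records (and
    records whose affected versions were deleted upstream) still match."""
    for a in affected:
        if version in a.get("versions", []):
            return True
        if any(version_in_range(r, version) for r in a.get("ranges", [])):
            return True
    return False


if __name__ == "__main__":
    for label, affected, v in [
        ("range-only", RANGE_ONLY_AFFECTED, "1.2.3"),
        ("versions-only", VERSIONS_ONLY_AFFECTED, "2.0.1"),
        ("mixed", MIXED_AFFECTED, "1.3.9"),
    ]:
        print(label, v, "generic:", match_by_generic_version(affected, v),
              "comparing:", match_by_comparing_versions(affected, v))
```

For the range-only record the explicit-version lookup returns no match for any version, while the range-walking variant does, which is the behaviour gap the PR describes; the cost is that every query now evaluates range events instead of a plain membership test.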