fix: skip advisory affected entries with unrecognized ecosystems#2882
Open
Lougarou wants to merge 2 commits into
Open
fix: skip advisory affected entries with unrecognized ecosystems#2882Lougarou wants to merge 2 commits into
Lougarou wants to merge 2 commits into
Conversation
IsAffected and AffectsEcosystem called osvecosystem.MustParse on every affected[] entry's ecosystem, which panics on any string the vendored osv-schema registry doesn't recognize. Because the per-ecosystem local-db zips store the full advisory record, a single multi-ecosystem advisory that lists an ecosystem newer than the build's pinned schema crashes the entire offline scan. Parse the ecosystem with the non-panicking osvecosystem.Parse and skip the affected[] entry on error, mirroring the "skip, don't panic on unsupported ecosystems" handling already used for version parsing in rangeContainsVersion (google#2837). Recognized entries are matched exactly as before. Fixes google#2867.
another-rex
approved these changes
Jun 12, 2026
Mirror the nil-package guard IsAffected already has so AffectsEcosystem skips affected[] entries without a package and does so silently, rather than relying on the nil-safe getter. Addresses review feedback on google#2867.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
vulns.IsAffectedandvulns.AffectsEcosystempanic when an OSV advisory'saffected[].package.ecosystemis a value thatosvecosystem.MustParsedoes not recognize. Both run on the match path for every advisory, and the per-ecosystem local-db zips store the full advisory record (everyaffected[]entry, not just the matching one), so a single multi-ecosystem advisory that lists an ecosystem newer than the build's pinnedosv-schemaaborts the entire offline scan.Fixes #2867.
Details
osvecosystem.MustParseatinternal/utility/vulns/vulnerability.go:113(AffectsEcosystem) and:160(IsAffected) panics withFailed MustParse: base ecosystem does not exist in osvschema: "…"on any unrecognized ecosystem string.This is reachable without an attacker: osv.dev's ecosystem set grows over time while each osv-scanner release pins a vendored
osv-schema, so once a new ecosystem appears in a multi-ecosystem advisory, older builds still pinned in CI panic on it. It is also deterministically triggerable today with a local advisory database.This is the ecosystem-name analog of #2837, which fixed the version-parser panic in
rangeContainsVersion; the ecosystem-nameMustParsesites were not touched there.The fix adds a small
parseAffectedEcosystemhelper that uses the non-panickingosvecosystem.Parseand skips theaffected[]entry on error (logging at debug level), mirroring the existing "skip, don't panic on unsupported ecosystems" handling already used for version parsing. Recognized entries are matched exactly as before; the default path is unaffected.Testing
TestOSV_IsAffected_UnrecognizedEcosystemDoesNotPanic: a multi-ecosystem advisory whose first entry uses an unrecognized ecosystem and whose second is a recognized npm range — asserts no panic, that the unrecognized entry is skipped, and that the recognized sibling still matches. The test fails (panics) without the fix.TestOSV_AffectsEcosystemwith an unrecognized + recognized ecosystem case.go test ./internal/utility/vulns/passes.v2.11.4): 0 issues.Checklist
./scripts/run_lints.sh../scripts/run_tests.sh.