Fix OSV to handel affected_packages correctly

Add support to collect commits

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/importers/osv_v2.py

@@ -14,6 +14,7 @@
 from fetchcode.vcs import fetch_via_vcs
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv_v2 import parse_advisory_data_v3
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import get_advisory_url
 
@@ -72,7 +73,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
             with open(file) as f:
                 raw_data = json.load(f)
             advisory_text = file.read_text()
-            yield parse_advisory_data_v2(
+            yield parse_advisory_data_v3(
                 raw_data=raw_data,
                 supported_ecosystems=supported_ecosystems,
                 advisory_url=advisory_url,

vulnerabilities/pipelines/v2_importers/github_osv_importer.py

@@ -14,6 +14,7 @@
 from fetchcode.vcs import fetch_via_vcs
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv_v2 import parse_advisory_data_v3
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import get_advisory_url
 
@@ -56,7 +57,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
             )
             advisory_text = advisory.read_text()
             advisory_dict = saneyaml.load(advisory_text)
-            yield parse_advisory_data_v2(
+            yield parse_advisory_data_v3(
                 raw_data=advisory_dict,
                 supported_ecosystems=["generic"],
                 advisory_url=advisory_url,

vulnerabilities/pipelines/v2_importers/oss_fuzz.py

@@ -14,6 +14,7 @@
 from fetchcode.vcs import fetch_via_vcs
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv_v2 import parse_advisory_data_v3
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import get_advisory_url
 
@@ -46,8 +47,6 @@ def advisories_count(self):
         return sum(1 for _ in vulns_directory.rglob("*.yaml"))
 
     def collect_advisories(self) -> Iterable[AdvisoryData]:
-        from vulnerabilities.importers.osv import parse_advisory_data_v2
-
         base_directory = Path(self.vcs_response.dest_dir)
         vulns_directory = base_directory / "vulns"
 
@@ -59,7 +58,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
             )
             advisory_text = advisory.read_text()
             advisory_dict = saneyaml.load(advisory_text)
-            yield parse_advisory_data_v2(
+            yield parse_advisory_data_v3(
                 raw_data=advisory_dict,
                 supported_ecosystems=["pypi"],
                 advisory_url=advisory_url,

vulnerabilities/pipelines/v2_importers/pypa_importer.py

@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hjr-vmf3-xwvp",
+  "modified": "2024-07-26T14:18:08Z",
+  "published": "2024-07-26T06:30:47Z",
+  "aliases": [
+    "CVE-2023-49921"
+  ],
+  "summary": "Elasticsearch Insertion of Sensitive Information into Log File",
+  "details": "An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.elasticsearch:elasticsearch"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.17.16"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.elasticsearch:elasticsearch"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0"
+            },
+            {
+              "fixed": "8.11.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49921"
+    },
+    {
+      "type": "WEB",
+      "url": "https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/elastic/elasticsearch"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-532"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-07-26T14:18:08Z",
+    "nvd_published_at": "2024-07-26T05:15:10Z"
+  }
+}

vulnerabilities/tests/test_data/osv_test/github/github-1.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2jm2-2p35-rp3j",
+  "modified": "2025-11-19T21:55:33Z",
+  "published": "2025-11-19T21:00:37Z",
+  "aliases": [
+    "CVE-2025-65103"
+  ],
+  "summary": "OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter",
+  "details": "### Summary\nAn authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.\n\n### Details\nThe vulnerability is located in the `retrieve()` method within `src/API/Manager.php`.\n\nUser input from the `display` GET parameter is processed without proper validation. The code strips the surrounding brackets `[]`, splits the string by commas, and then passes each resulting element directly into the `selectRaw()` function of the query builder.\n\n```php\n// User input from 'display' is taken without sanitization.\n$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;\n\n// ...\n\n// The unsanitized input is passed directly to `selectRaw()`.\nforeach ($select as $s) {\n    $query->selectRaw($s);\n}\n```\n\nSince `selectRaw()` is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the `display` parameter.\n\n### PoC\n1.  Log in to an OpenSTAManager instance as any user.\n2.  Navigate to the user's profile page to obtain their personal API Token.\n3.  Use this API token to send a specially crafted GET request to the API endpoint.\n\n**Time-Based Blind Injection Test:**\n\nReplace `<your_host>`, `<your_token>`, and `<resource_name>` with your actual values. `anagrafiche` is a valid resource.\n\n```bash\ncurl \"http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]\"\n```\n\nThe server will delay its response by approximately 5 seconds, confirming the `SLEEP(5)` command was executed by the database.\n\n### Impact\nThis is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:\n\n*   **Exfiltrate all data** from the database (e.g., user credentials, customer information, invoices, internal data).\n*   **Modify or delete data**, compromising data integrity.\n*   Potentially achieve further system compromise, depending on the database user's privileges and system configuration.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "devcode-it/openstamanager"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.9.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.9.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/devcode-it/openstamanager"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-19T21:00:37Z",
+    "nvd_published_at": "2025-11-19T20:15:54Z"
+  }
+}

vulnerabilities/tests/test_data/osv_test/github/github-2.json

@@ -0,0 +1,77 @@
+{
+  "advisory_id": "GHSA-2hjr-vmf3-xwvp",
+  "aliases": [
+    "CVE-2023-49921"
+  ],
+  "summary": "Elasticsearch Insertion of Sensitive Information into Log File\nAn issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical.",
+  "affected_packages": [
+    {
+      "package": {
+        "type": "maven",
+        "namespace": "org.elasticsearch",
+        "name": "elasticsearch",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:maven/>=0|<7.17.16",
+      "fixed_version_range": "vers:maven/7.17.16",
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "maven",
+        "namespace": "org.elasticsearch",
+        "name": "elasticsearch",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:maven/>=8.0.0|<8.11.2",
+      "fixed_version_range": "vers:maven/8.11.2",
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    }
+  ],
+  "references_v2": [
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49921"
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://discuss.elastic.co/t/elasticsearch-8-11-2-7-17-16-security-update-esa-2023-29/349179"
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/elastic/elasticsearch"
+    }
+  ],
+  "patches": [],
+  "severities": [
+    {
+      "system": "cvssv3.1",
+      "value": "5.2",
+      "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
+    },
+    {
+      "system": "cvssv4",
+      "value": "4.1",
+      "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    },
+    {
+      "system": "generic_textual",
+      "value": "MODERATE",
+      "scoring_elements": ""
+    }
+  ],
+  "date_published": "2024-07-26T06:30:47+00:00",
+  "weaknesses": [
+    532
+  ],
+  "url": "https://test.com"
+}

vulnerabilities/tests/test_data/osv_test/github/github-expected-1.json

@@ -0,0 +1,43 @@
+{
+  "advisory_id": "GHSA-2jm2-2p35-rp3j",
+  "aliases": [
+    "CVE-2025-65103"
+  ],
+  "summary": "OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter\n### Summary\nAn authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.\n\n### Details\nThe vulnerability is located in the `retrieve()` method within `src/API/Manager.php`.\n\nUser input from the `display` GET parameter is processed without proper validation. The code strips the surrounding brackets `[]`, splits the string by commas, and then passes each resulting element directly into the `selectRaw()` function of the query builder.\n\n```php\n// User input from 'display' is taken without sanitization.\n$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;\n\n// ...\n\n// The unsanitized input is passed directly to `selectRaw()`.\nforeach ($select as $s) {\n    $query->selectRaw($s);\n}\n```\n\nSince `selectRaw()` is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the `display` parameter.\n\n### PoC\n1.  Log in to an OpenSTAManager instance as any user.\n2.  Navigate to the user's profile page to obtain their personal API Token.\n3.  Use this API token to send a specially crafted GET request to the API endpoint.\n\n**Time-Based Blind Injection Test:**\n\nReplace `<your_host>`, `<your_token>`, and `<resource_name>` with your actual values. `anagrafiche` is a valid resource.\n\n```bash\ncurl \"http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]\"\n```\n\nThe server will delay its response by approximately 5 seconds, confirming the `SLEEP(5)` command was executed by the database.\n\n### Impact\nThis is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:\n\n*   **Exfiltrate all data** from the database (e.g., user credentials, customer information, invoices, internal data).\n*   **Modify or delete data**, compromising data integrity.\n*   Potentially achieve further system compromise, depending on the database user's privileges and system configuration.",
+  "affected_packages": [],
+  "references_v2": [
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j"
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103"
+    },
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/devcode-it/openstamanager"
+    }
+  ],
+  "patches": [],
+  "severities": [
+    {
+      "system": "cvssv3.1",
+      "value": "8.8",
+      "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "system": "generic_textual",
+      "value": "HIGH",
+      "scoring_elements": ""
+    }
+  ],
+  "date_published": "2025-11-19T21:00:37+00:00",
+  "weaknesses": [
+    89
+  ],
+  "url": "https://test.com"
+}

vulnerabilities/tests/test_data/osv_test/github/github-expected-2.json

@@ -0,0 +1,45 @@
+affected:
+- ecosystem_specific:
+    severity: LOW
+  package:
+    ecosystem: OSS-Fuzz
+    name: apache-commons-configuration
+    purl: pkg:generic/apache-commons-configuration
+  ranges:
+  - events:
+    - introduced: 4117b2050ab011f131d5a81c824bf89ddde303d4
+    repo: https://gitbox.apache.org/repos/asf/commons-configuration.git
+    type: GIT
+  versions:
+  - commons-configuration-2.10.0-RC1
+  - commons-configuration-2.10.1-RC1
+  - commons-configuration-2.9.0-RC1
+  - rel/commons-configuration-2.10.0
+  - rel/commons-configuration-2.10.1
+  - rel/commons-configuration-2.9.0
+  - commons-configuration-2.11.0-RC1
+  - rel/commons-configuration-2.11.0
+  - commons-configuration-2.11.1-RC1
+  - commons-configuration-2.12.0-RC1
+  - commons-configuration-2.12.0
+  - rel/commons-configuration-2.12.0
+  - commons-configuration-2.13.0-RC1
+  - rel/commons-configuration-2.13.0
+details: |
+  OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66703
+
+  ```
+  Crash type: Security exception
+  Crash state:
+  java.base/java.util.stream.AbstractPipeline.evaluate
+  java.base/java.util.stream.ReferencePipeline.collect
+  org.apache.commons.configuration2.AbstractYAMLBasedConfiguration.parseCollection
+  ```
+id: OSV-2024-269
+modified: '2025-11-29T14:27:29.156170Z'
+published: '2024-04-18T00:04:02.456948Z'
+references:
+- type: REPORT
+  url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66703
+schema_version: 1.6.0
+summary: Security exception in java.base/java.util.stream.AbstractPipeline.evaluate