Extract remediation information from advisories

[ctron]

For both OSV and CSAF we should extract remediation information, allowing to return that information in the "vulnerability analyze" call.

The idea is to let the user know: it's affected in this version, but fixed in this other version. Both OSV and CSAF support this, but we need to find a common way of representing this.

I think we should start with an ADR. This also involves the UI.

[dejanb]

I looked a bit at this and it seems to me that we already ingesting a lot of these data during ingestion. For examples, for both OSV and CSAF file we ingest versions that fix vulnerabilities. What's missing is the actual remediation information from CSAF, that inform about workaround or mitigation information. While we should definitely start ingesting those, I would start by seeing what we need for analyze purls API first that we can get from the current data (as that would remove dependency to v1). The we can continue looking into UI/API changes and ingesting additional data.

@ruromero Do you have a good example of an OSV API call that you used to test current logic, so we can investigate if we can match that with the current data?

[ruromero]

@dejanb If I am not wrong, data is indeed already being ingested as it is used to decide whether a package is affected or not.

Here's an example that follows the OSV schema. I have removed the aliases, related and references for brevity.

{
    "id": "GHSA-c5q2-7r4c-mv6g",
    "summary": "Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)",
    "details": "### Impact\nAn attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.\n\n### Patches\nThe problem is fixed in the following packages and versions:\n- github.com/go-jose/go-jose/v4 version 4.0.1\n- github.com/go-jose/go-jose/v3 version 3.0.3\n- gopkg.in/go-jose/go-jose.v2 version 2.6.3\n\nThe problem will not be fixed in the following package because the package is archived:\n- gopkg.in/square/go-jose.v2",
    "aliases": [
    ],
    "modified": "2025-02-13T19:07:25Z",
    "published": "2024-03-07T22:54:44Z",
    "related": [
    ],
    "database_specific": {
        "github_reviewed": true,
        "github_reviewed_at": "2024-03-07T22:54:44Z",
        "nvd_published_at": "2024-03-09T01:15:07Z",
        "cwe_ids": [
            "CWE-409"
        ],
        "severity": "MODERATE"
    },
    "references": [
    ],
    "affected": [
        {
            "package": {
                "name": "github.com/go-jose/go-jose/v4",
                "ecosystem": "Go",
                "purl": "pkg:golang/github.com/go-jose/go-jose/v4"
            },
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        },
                        {
                            "fixed": "4.0.1"
                        }
                    ]
                }
            ],
            "database_specific": {
                "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c5q2-7r4c-mv6g/GHSA-c5q2-7r4c-mv6g.json"
            }
        },
        {
            "package": {
                "name": "github.com/go-jose/go-jose/v3",
                "ecosystem": "Go",
                "purl": "pkg:golang/github.com/go-jose/go-jose/v3"
            },
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        },
                        {
                            "fixed": "3.0.3"
                        }
                    ]
                }
            ],
            "database_specific": {
                "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c5q2-7r4c-mv6g/GHSA-c5q2-7r4c-mv6g.json"
            }
        },
        {
            "package": {
                "name": "gopkg.in/go-jose/go-jose.v2",
                "ecosystem": "Go",
                "purl": "pkg:golang/gopkg.in/go-jose/go-jose.v2"
            },
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        },
                        {
                            "fixed": "2.6.3"
                        }
                    ]
                }
            ],
            "database_specific": {
                "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c5q2-7r4c-mv6g/GHSA-c5q2-7r4c-mv6g.json"
            }
        },
        {
            "package": {
                "name": "gopkg.in/square/go-jose.v2",
                "ecosystem": "Go",
                "purl": "pkg:golang/gopkg.in/square/go-jose.v2"
            },
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        },
                        {
                            "last_affected": "2.6.0"
                        }
                    ]
                }
            ],
            "database_specific": {
                "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c5q2-7r4c-mv6g/GHSA-c5q2-7r4c-mv6g.json"
            }
        }
    ],
    "schema_version": "1.7.0",
    "severity": [
        {
            "type": "CVSS_V3",
            "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
        }
    ]
}