
@Copilot Copilot AI commented Jul 4, 2025

Summary

Fixes issue #528 by updating the OSV report generation logic to use "0" instead of "0.0.0" as the fallback value for the 'introduced' version when empty, ensuring compliance with the OSV schema.

Problem

The current implementation in pkg/malysis/ossf.go sets the fallback value for the OSV vulnerability 'introduced' version to "0.0.0" when no explicit version is provided. According to the OSV (Open Source Vulnerability) schema specification, the correct fallback value should be "0", which represents "the vulnerability is present from the beginning of the version history".

Changes

Code Changes

  • pkg/malysis/ossf.go: Changed fallback value from "0.0.0" to "0" on line 70
  • Updated the accompanying comment to reference OSV schema compliance

Test Changes

  • pkg/malysis/ossf_test.go: Added new test case default_introduced_version_should_be_'0'_not_'0.0.0'
  • Test validates that when VersionIntroduced is empty, the generated OSV report uses "0" as the introduced version
  • Verifies the complete OSV JSON structure and specifically checks the vuln.Affected[0].Ranges[0].Events[0].Introduced field

Before/After

Before:

if versionIntroduced == "" {
    // Fallback to the special version "0.0.0" which means all versions
    // of the package are likely malicious
    versionIntroduced = "0.0.0"
}

After:

if versionIntroduced == "" {
    // Fallback to the special version "0" which means all versions
    // of the package are likely malicious, as per the OSV schema
    versionIntroduced = "0"
}

Verification

  • ✅ All existing tests continue to pass
  • ✅ New test passes, confirming the fix works correctly
  • ✅ Manual verification shows generated OSV reports now use "0" as the fallback
  • ✅ Explicit version parameters are still preserved correctly (backward compatibility maintained)

Impact

This is a minimal, surgical change that:

  • Ensures OSV schema compliance
  • Maintains full backward compatibility for explicit version specifications
  • Does not affect any other functionality
  • Improves interoperability with OSV-compliant vulnerability databases

The change only affects the default fallback behavior when no VersionIntroduced is explicitly provided in the OpenSSFMaliciousPackageReportParams.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.npmjs.org
    • Triggering command: /tmp/go-build2646479142/b1328/readers.test -test.testlogfile=/tmp/go-build2646479142/b1328/testlog.txt -test.paniconexit0 -test.v=true -test.timeout=5m0s (dns block)
  • https://api.github.com/repos/safedep/vet/contents/README.md
    • Triggering command: /tmp/go-build2646479142/b1328/readers.test -test.testlogfile=/tmp/go-build2646479142/b1328/testlog.txt -test.paniconexit0 -test.v=true -test.timeout=5m0s (http block)
  • https://api.github.com/repos/safedep/vet/contents/docs
    • Triggering command: /tmp/go-build2646479142/b1328/readers.test -test.testlogfile=/tmp/go-build2646479142/b1328/testlog.txt -test.paniconexit0 -test.v=true -test.timeout=5m0s (http block)

If you need me to access, download, or install something from one of these locations, you can either:


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Co-authored-by: abhisek <31844+abhisek@users.noreply.github.com>
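Added example (not code from the vet project or from this pull request): a self-contained Go model of the OSV `affected`/`ranges`/`events` subset that applies the fallback described above, round-trips it through JSON, and runs the consumer-side checks a downstream OSV importer would apply, namely that every range has events, every event sets exactly one of `introduced`/`fixed`, and every range carries at least one `introduced` event. The type names, `BuildAffected`, `ValidateRanges`, `LegacyFallback` and `IntroducedOf` are this example's own names, not the project's; the sample package name is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal subset of the OSV schema (https://ossf.github.io/osv-schema/)
// sufficient to express one affected package with one version range.
type Event struct {
	Introduced string `json:"introduced,omitempty"`
	Fixed      string `json:"fixed,omitempty"`
}

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}

type Package struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
}

type Affected struct {
	Package Package `json:"package"`
	Ranges  []Range `json:"ranges"`
}

// OSVIntroducedAll is the sentinel the OSV schema defines for
// "present from the beginning of the version history".
const OSVIntroducedAll = "0"

// BuildAffected mirrors the fallback discussed in the PR: an empty
// introduced version becomes "0"; an explicit version is kept as given.
func BuildAffected(ecosystem, name, versionIntroduced string) Affected {
	if versionIntroduced == "" {
		versionIntroduced = OSVIntroducedAll
	}
	return Affected{
		Package: Package{Ecosystem: ecosystem, Name: name},
		Ranges: []Range{{
			Type:   "SEMVER",
			Events: []Event{{Introduced: versionIntroduced}},
		}},
	}
}

// ValidateRanges applies the OSV event rules a consumer can check without
// any external data: ranges exist, each range has events, each event sets
// exactly one of introduced/fixed, and each range has an introduced event.
func ValidateRanges(a Affected) error {
	if len(a.Ranges) == 0 {
		return errors.New("affected entry has no ranges")
	}
	for i, r := range a.Ranges {
		if len(r.Events) == 0 {
			return fmt.Errorf("range %d: no events", i)
		}
		hasIntroduced := false
		for j, e := range r.Events {
			if (e.Introduced == "") == (e.Fixed == "") {
				return fmt.Errorf("range %d event %d: exactly one of introduced/fixed must be set", i, j)
			}
			if e.Introduced != "" {
				hasIntroduced = true
			}
		}
		if !hasIntroduced {
			return fmt.Errorf("range %d: no introduced event", i)
		}
	}
	return nil
}

// LegacyFallback reports whether any event still uses "0.0.0" as its
// introduced value. That string is valid SemVer, so schema validation
// accepts it, but it names a concrete release rather than "all versions".
func LegacyFallback(a Affected) bool {
	for _, r := range a.Ranges {
		for _, e := range r.Events {
			if e.Introduced == "0.0.0" {
				return true
			}
		}
	}
	return false
}

// IntroducedOf returns Ranges[0].Events[0].Introduced after a JSON round
// trip, the field the PR's test case inspects on the generated report.
func IntroducedOf(a Affected) (string, error) {
	raw, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	var back Affected
	if err := json.Unmarshal(raw, &back); err != nil {
		return "", err
	}
	if len(back.Ranges) == 0 || len(back.Ranges[0].Events) == 0 {
		return "", errors.New("no events in first range")
	}
	return back.Ranges[0].Events[0].Introduced, nil
}

func main() {
	// Constructed sample package; not a real finding.
	a := BuildAffected("npm", "example-malicious-pkg", "")
	v, _ := IntroducedOf(a)
	fmt.Println("introduced:", v, "valid:", ValidateRanges(a) == nil, "legacy:", LegacyFallback(a))
}
```

`ValidateRanges` deliberately does not reject `"0.0.0"`: the schema cannot tell a wrong fallback from a real first release, which is why the fallback must be fixed at generation time and `LegacyFallback` exists only as a lint over reports produced before the change.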
@Copilot Copilot AI changed the title [WIP] fix: set OSV introduced version fallback to '0' per schema (#528) Fix OSV report generation fallback value for 'introduced' version from "0.0.0" to "0" Jul 4, 2025
@Copilot Copilot AI requested a review from abhisek July 4, 2025 03:00
Copilot finished work on behalf of abhisek July 4, 2025 03:00
@abhisek abhisek marked this pull request as ready for review July 4, 2025 03:06

abhisek commented Jul 4, 2025

@KunalSin9h Can you have a look please?

@abhisek abhisek requested a review from KunalSin9h July 4, 2025 03:06

codecov bot commented Jul 4, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 17.88%. Comparing base (3fa7307) to head (733ff54).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #532   +/-   ##
=======================================
  Coverage   17.88%   17.88%           
=======================================
  Files         176      176           
  Lines       16988    16988           
=======================================
  Hits         3039     3039           
  Misses      13716    13716           
  Partials      233      233           


@abhisek abhisek merged commit 548ede7 into main Jul 4, 2025
19 checks passed
@abhisek abhisek deleted the copilot/fix-d281eff8-bf2c-4c4e-981e-eeb8ab0e2bb1 branch July 4, 2025 06:17