
Solution hashes for a vulnerability lies in an external fork #2415

Open
yashrsharma44 opened this issue Jul 24, 2024 · 3 comments
Labels
data quality Issues with data quality

Comments

@yashrsharma44

Describe the bug

Hi Team,

I am playing with the OSV API for checking vulnerabilities in the kernel repositories, and on trying the cli, I got the following results -

(.venv) ➜  git_kernel_vulns git:(master) ✗ curl -d \
  '{"commit": "30e3b4f256b4e366a61658c294f6a21b8626dda7",
    "package": {"name": "github.com/torvalds/linux"}}' \
  "https://api.osv.dev/v1/query" | jq  '.vulns | .[] | .id'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5643k  100 5643k  100   108   342k      6  0:00:18  0:00:16  0:00:02 1346k
"CVE-2021-33909"
"CVE-2021-3609"
"CVE-2021-3656"
"CVE-2021-37159"
"CVE-2021-3744"
...

Picking one of the vulnerabilities from the output - GSD-2022-1000409, I wanted to check the commit hash which fixes the issue - https://osv.dev/vulnerability/GSD-2022-1000409
The solution fix (0838d6d68182f0b28a5434bc6d50727c4757e35b) - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ doesn't lie in the given repository, and on checking the link, I see that it lies in an external fork - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0838d6d68182f0b28a5434bc6d50727c4757e35b

The commit message itself suggests that the fix is an upstream commit -

Notice: this object is not reachable from any branch.
commit 926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 upstream.

To Reproduce
Provided above
Expected behaviour
The solution fix should lie in the upstream branch (or at least should be present in the fork).

@andrewpollock
Contributor

This is one of the points raised in https://github.com/google/osv.dev/blob/master/docs/data_quality.md#precise

I'm not aware of a way to programmatically make the linkage from (in this example) 0838d6d68182f0b28a5434bc6d50727c4757e35b to 926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 and so this is currently a data quality issue on the originating record.

@andrewpollock andrewpollock added the data quality Issues with data quality label Jul 26, 2024

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

@yashrsharma44
Author

yashrsharma44 commented Jul 26, 2024

I'm not aware of a way to programmatically make the linkage from (in this example) 0838d6d68182f0b28a5434bc6d50727c4757e35b to 926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 and so this is currently a data quality issue on the originating record.

Ohh great, I am glad that is a known issue.

A rough idea in my mind would be to access the git message (maybe by downloading the message) and perform the mapping. But I agree, without fetching the commit, it's difficult to get the mapping programmatically.
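One way to realise the mapping sketched in the comment above, as an added example that is neither OSV's nor the kernel project's code: parse the stable-tree convention ("commit <sha> upstream." or "[ Upstream commit <sha> ]") out of a backport's commit message and resolve the backport SHA to the mainline SHA. The sample messages are constructed; the only real SHAs in them are the two quoted in this issue, and `backport_message` assumes a local clone of the repository.

```python
import re
import subprocess
from typing import Dict, Optional

# Stable-tree backports record their mainline origin in the commit body using one
# of two conventions; both forms are matched here (assumption: these two cover
# the backports we care about, other trailers are ignored).
UPSTREAM_PATTERNS = [
    re.compile(r"^commit\s+([0-9a-f]{40})\s+upstream\.?\s*$", re.MULTILINE | re.IGNORECASE),
    re.compile(r"^\[\s*Upstream commit\s+([0-9a-f]{40})\s*\]\s*$", re.MULTILINE | re.IGNORECASE),
]


def upstream_commit(message: str) -> Optional[str]:
    """Return the mainline SHA a backport's commit message points at, or None."""
    for pattern in UPSTREAM_PATTERNS:
        match = pattern.search(message)
        if match:
            return match.group(1).lower()
    return None


def backport_message(repo: str, sha: str) -> str:
    """Read a commit's full body from a local clone (the object must be fetched)."""
    out = subprocess.run(["git", "-C", repo, "show", "-s", "--format=%B", sha],
                         check=True, capture_output=True, text=True)
    return out.stdout


def map_backports(messages: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each backport SHA to its upstream SHA; unresolved ones map to None."""
    return {sha: upstream_commit(body) for sha, body in messages.items()}


# Constructed sample messages modelled on the backport quoted in the issue;
# the first entry uses the real SHA pair from this issue, the rest are dummies.
SAMPLE_MESSAGES = {
    "0838d6d68182f0b28a5434bc6d50727c4757e35b": (
        "example: fix backported to stable\n\n"
        "commit 926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 upstream.\n\n"
        "Some description.\n\nSigned-off-by: Example <example@example.invalid>\n"
    ),
    "1111111111111111111111111111111111111111": (
        "example: autosel-style backport\n\n"
        "[ Upstream commit 2222222222222222222222222222222222222222 ]\n\nDescription.\n"
    ),
    "3333333333333333333333333333333333333333": "example: stable-only fix\n\nNo upstream reference.\n",
}

if __name__ == "__main__":
    for backport, upstream in map_backports(SAMPLE_MESSAGES).items():
        print(backport, "->", upstream)
```

Messages for real commits would come from `backport_message(repo, sha)` on a clone that contains the stable tree's objects; a `None` result flags a record that still needs manual linkage.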
