ossf · andrewpollock · Oct 15, 2024 · Oct 15, 2024 · Oct 15, 2024
diff --git a/tools/redhat/README.md b/tools/redhat/README.md
@@ -19,7 +19,7 @@ $ pipenv install -e .
 
 Needs to be run in a folder where the Red Hat CSAF documents to convert already exist. Files can be downloaded the [Red Hat Customer Portal Security Data section](https://access.redhat.com/security/data/csaf/v2/advisories/)
 ~~~
-$ pipenv run convert_redhat testdata/rhsa-2024_4546.json
+$ pipenv run python3 convert_redhat.py testdata/rhsa-2024_4546.json
 ~~~
 
 OSV documents will be output in the `osv` directory by default. Override the default with the `--output_directory` option.

diff --git a/tools/redhat/redhat_osv/osv.py b/tools/redhat/redhat_osv/osv.py
@@ -85,7 +85,8 @@ class Package:
     Class to hold package data for an Affect.
     Expects an ecosystem string that starts with CPE_PATTERN.
     Replaces the CPE prefix 'redhat' part with 'Red Hat'
-    to match more closely with other ecosystem identifiers in the OSV database
+    to match more closely with other ecosystem identifiers in the OSV database.
+    Also removes version and qualifiers from the CSAF remediation PURL
     """
 
     cpe_pattern: re.Pattern = field(init=False,
@@ -98,6 +99,10 @@ def __post_init__(self):
         if not self.cpe_pattern.match(self.ecosystem):
             raise ValueError(f"Got unsupported ecosystem: {self.ecosystem}")
         self.ecosystem = f"Red Hat{self.cpe_pattern.split(self.ecosystem, maxsplit=1)[-1]}"
+        if "@" in self.purl:
+            version_index = self.purl.index("@")
+            self.purl = self.purl[:version_index]
+
 
 
 @dataclass

diff --git a/tools/redhat/redhat_osv/osv_test.py b/tools/redhat/redhat_osv/osv_test.py
@@ -23,9 +23,14 @@ def test_missing_cvss_v3(self):
                 assert csaf
                 assert len(csaf.vulnerabilities) == 1
                 assert not csaf.vulnerabilities[0].cvss_v3_base_score
+                for vuln in csaf.vulnerabilities:
+                    for remediation in vuln.remediations:
+                        assert "@" in remediation.purl
 
                 osv = OSV(csaf, "test_date")
                 assert not hasattr(osv, "severity")
+                for affected in osv.affected:
+                    assert "@" not in affected.package.purl
 
 
 class EventTest(unittest.TestCase):

diff --git a/tools/redhat/testdata/RHSA-2024_4546.json b/tools/redhat/testdata/RHSA-2024_4546.json
@@ -1,5 +1,5 @@
 {
-  "schema_version": "1.6.5",
+  "schema_version": "1.6.7",
   "id": "RHSA-2024:4546",
   "related": [
     "CVE-2023-45288",
@@ -19,7 +19,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -39,7 +39,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -59,7 +59,7 @@
       "package": {
         "name": "git-lfs-debuginfo",
         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
       },
       "ranges": [
         {
@@ -79,7 +79,7 @@
       "package": {
         "name": "git-lfs-debugsource",
         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs-debugsource"
       },
       "ranges": [
         {
@@ -99,7 +99,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=ppc64le"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -119,7 +119,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -139,7 +139,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -159,7 +159,7 @@
       "package": {
         "name": "git-lfs-debuginfo",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=ppc64le"
+        "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
       },
       "ranges": [
         {
@@ -179,7 +179,7 @@
       "package": {
         "name": "git-lfs-debuginfo",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
       },
       "ranges": [
         {
@@ -199,7 +199,7 @@
       "package": {
         "name": "git-lfs-debugsource",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=ppc64le"
+        "purl": "pkg:rpm/redhat/git-lfs-debugsource"
       },
       "ranges": [
         {
@@ -219,7 +219,7 @@
       "package": {
         "name": "git-lfs-debugsource",
         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs-debugsource"
       },
       "ranges": [
         {
@@ -239,7 +239,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -259,7 +259,7 @@
       "package": {
         "name": "git-lfs",
         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs"
       },
       "ranges": [
         {
@@ -279,7 +279,7 @@
       "package": {
         "name": "git-lfs-debuginfo",
         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
       },
       "ranges": [
         {
@@ -299,7 +299,7 @@
       "package": {
         "name": "git-lfs-debugsource",
         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
+        "purl": "pkg:rpm/redhat/git-lfs-debugsource"
       },
       "ranges": [
         {