Fix incorrect OSV-to-PURL mapping for Cargo

vulnerabilities/pipes/osv_v2.py

@@ -17,7 +17,6 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from packageurl import PackageURL
-from univers.version_constraint import InvalidConstraintsError
 from univers.version_constraint import VersionConstraint
 from univers.version_constraint import validate_comparators
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
@@ -49,7 +48,7 @@
     "rubygems": "gem",
     "go": "golang",
     "hex": "hex",
-    "cargo": "cargo",
+    "crates.io": "cargo",
 }
 
 

vulnerabilities/tests/pipes/test_osv_v2.py

@@ -184,6 +184,16 @@ def test_to_advisories_github3(self):
         result = imported_data.to_dict()
         util_tests.check_results_against_json(result, expected_file)
 
+    def test_to_advisories_github4(self):
+        with open(os.path.join(TEST_DATA, "github/github-4.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github/github-expected-4.json")
+        imported_data = parse_advisory_data_v3(
+            mock_response, "cargo", advisory_url="https://test.com", advisory_text=""
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
     def test_to_advisories_oss_fuzz1(self):
         with open(os.path.join(TEST_DATA, "oss-fuzz/oss-fuzz-1.yaml")) as f:
             mock_response = saneyaml.load(f)

vulnerabilities/tests/test_data/osv_test/github/github-4.json

@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wjxc-pjx9-4wvm",
+  "modified": "2024-02-03T00:18:06Z",
+  "published": "2024-02-03T00:18:06Z",
+  "aliases": [],
+  "summary": "Nervos CKB Panic on malformed input",
+  "details": "### Impact\nCKB process will panic when received malformed p2p message because of snappy, which is used to compress network messages\n\n### References\nhttps://github.com/BurntSushi/rust-snappy/issues/29",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "ckb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.34.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.34.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-wjxc-pjx9-4wvm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-02-03T00:18:06Z",
+    "nvd_published_at": null
+  }
+}

vulnerabilities/tests/test_data/osv_test/github/github-expected-4.json

@@ -0,0 +1,39 @@
+{
+  "advisory_id": "GHSA-wjxc-pjx9-4wvm",
+  "aliases": [],
+  "summary": "Nervos CKB Panic on malformed input\n### Impact\nCKB process will panic when received malformed p2p message because of snappy, which is used to compress network messages\n\n### References\nhttps://github.com/BurntSushi/rust-snappy/issues/29",
+  "affected_packages": [
+    {
+      "package": {
+        "type": "cargo",
+        "namespace": "",
+        "name": "ckb",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:cargo/<=0.34.1",
+      "fixed_version_range": "vers:cargo/0.34.2",
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    }
+  ],
+  "references_v2": [
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-wjxc-pjx9-4wvm"
+    }
+  ],
+  "patches": [],
+  "severities": [
+    {
+      "system": "generic_textual",
+      "value": "HIGH",
+      "scoring_elements": ""
+    }
+  ],
+  "date_published": "2024-02-03T00:18:06+00:00",
+  "weaknesses": [],
+  "url": "https://test.com"
+}