fix(sc4): pass version to OSV for all requirement operators, not just == and <=#123
Open
tcconnally wants to merge 1 commit into
Open
fix(sc4): pass version to OSV for all requirement operators, not just == and <=#123tcconnally wants to merge 1 commit into
tcconnally wants to merge 1 commit into
Conversation
… == and <= When requirements.txt uses >=, >, ~=, or != operators, the version was set to None before querying OSV.dev, causing all historical CVEs to be reported. This happened because _extract_packages_from_requirements() only forwarded the version for == and <= operators. Fix: pass the bound version for all operators. OSV.dev uses the version to filter CVEs, so passing e.g. "1.26.0" for "numpy>=1.26.0" returns only CVEs affecting that version, not all historical advisories. Fixes NVIDIA#43 Signed-off-by: Perseus Computing <51974392+tcconnally@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #43: SC4 reports all historical CVEs when
requirements.txtuses>=,>,~=, or!=operators.Root Cause
_extract_packages_from_requirements()only forwarded the version toquery_batch()for==and<=operators. For all other operators (>=,>,~=,!=),version=Nonewas passed to the OSV.dev API, which returns all historical CVEs for that package.Fix
Pass the bound version for all requirement operators. OSV.dev uses the version to filter CVEs — passing "1.26.0" for "numpy>=1.26.0" returns only CVEs affecting that version, not all 20+ historical advisories.
Example
numpy>=1.26.0Pillow>=10.4.0httpx==0.27.0Testing
All 622 tests pass. Backward compatible —
==and<=behavior unchanged.