Add source information to metadata

Author: jess-lowe

vulnfeeds/conversion/common.go

@@ -464,70 +464,97 @@ func deduplicateList(list []any) []any {
 	return unique
 }
 
-func ToRangeWithMetadata(r []*osvschema.Range) []models.RangeWithMetadata {
-	var nr []models.RangeWithMetadata
+func ToRangeWithMetadata(r []*osvschema.Range, s models.VersionSource) []models.RangeWithMetadata {
+	nr := make([]models.RangeWithMetadata, 0, len(r))
 	for _, rng := range r {
 		nr = append(nr, models.RangeWithMetadata{
 			Range: rng,
+			Metadata: models.Metadata{
+				Source: s,
+			},
 		})
 	}
 
 	return nr
 }
 
 func CreateUnresolvedRanges(unresolvedRanges []models.RangeWithMetadata) *structpb.ListValue {
-	if len(unresolvedRanges) > 0 {
+	if len(unresolvedRanges) == 0 {
+		return nil
+	}
+
+	rangesBySource := make(map[string][]models.RangeWithMetadata)
+	var sources []string
+	for _, ur := range unresolvedRanges {
+		sourceStr := string(ur.Metadata.Source)
+		if _, ok := rangesBySource[sourceStr]; !ok {
+			sources = append(sources, sourceStr)
+		}
+		rangesBySource[sourceStr] = append(rangesBySource[sourceStr], ur)
+	}
+
+	slices.Sort(sources)
+
+	listElements := make([]any, 0, len(sources))
+
+	for _, source := range sources {
+		ranges := rangesBySource[source]
 		cpes := []string{}
 		unresolvedRangesMap := make(map[string]any)
 		var events []*osvschema.Event
+
 		// Create a range from all those with CPEs
-		for _, ur := range unresolvedRanges {
+		for _, ur := range ranges {
 			if ur.Metadata.CPE != "" {
 				cpes = append(cpes, ur.Metadata.CPE)
 			}
 			urEvents := ur.Range.GetEvents()
 
 			for _, e := range urEvents {
-				if e.Introduced != "0" && e.Introduced != "" {
+				if e.GetIntroduced() != "0" && e.GetIntroduced() != "" {
 					events = append(events, e)
 					continue
 				}
-				if e.LastAffected != "" {
+				if e.GetLastAffected() != "" {
 					events = append(events, e)
 					continue
 				}
-				if e.Fixed != "" {
+				if e.GetFixed() != "" {
 					events = append(events, e)
 				}
 			}
 		}
 
+		metadata := make(map[string]any)
 		if len(cpes) > 1 {
 			slices.Sort(cpes)
 			cpes = slices.Compact(cpes)
-			unresolvedRangesMap["metadata"] = map[string]any{
-				"cpes": cpes,
-			}
+			metadata["cpes"] = cpes
 		} else if len(cpes) == 1 {
-			unresolvedRangesMap["metadata"] = map[string]any{
-				"cpe": cpes[0],
-			}
+			metadata["cpe"] = cpes[0]
 		}
 
-		unresolvedRangesMap["versions"] = events
+		if source != "" {
+			metadata["source"] = source
+		}
 
-		ds, err := utility.NewStructpbFromMap(map[string]any{
-			"list": []any{unresolvedRangesMap},
-		})
-		if err != nil {
-			logger.Warn("failed to convert unresolved ranges to structpb", "err", err)
-			return nil
+		if len(metadata) > 0 {
+			unresolvedRangesMap["metadata"] = metadata
 		}
 
-		return ds.GetFields()["list"].GetListValue()
+		unresolvedRangesMap["versions"] = events
+		listElements = append(listElements, unresolvedRangesMap)
+	}
+
+	ds, err := utility.NewStructpbFromMap(map[string]any{
+		"list": listElements,
+	})
+	if err != nil {
+		logger.Warn("failed to convert unresolved ranges to structpb", "err", err)
+		return nil
 	}
 
-	return nil
+	return ds.GetFields()["list"].GetListValue()
 }
 
 func AddFieldToDatabaseSpecific(ds *structpb.Struct, field string, value any) error {

vulnfeeds/conversion/cve5/common.go

@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/google/osv/vulnfeeds/conversion"
+	c "github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/vulns"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
@@ -53,10 +53,10 @@ func toVersionRangeType(s string) VersionRangeType {
 
 // findCPEVersionRanges extracts version ranges and CPE strings from the CNA's
 // CPE applicability statements in a CVE record.
-func findCPEVersionRanges(cve models.CVE5) (versionRanges []*osvschema.Range, cpes []string, err error) {
+func findCPEVersionRanges(cve models.CVE5) (versionRanges []models.RangeWithMetadata, cpes []string, err error) {
 	// TODO(jesslowe): Add logic to also extract CPEs from the 'affected' field (e.g., CVE-2025-1110).
-	for _, c := range cve.Containers.CNA.CPEApplicability {
-		for _, node := range c.Nodes {
+	for _, cpe := range cve.Containers.CNA.CPEApplicability {
+		for _, node := range cpe.Nodes {
 			if node.Operator != "OR" {
 				continue
 			}
@@ -70,11 +70,14 @@ func findCPEVersionRanges(cve models.CVE5) (versionRanges []*osvschema.Range, cp
 				if match.VersionStartIncluding == "" {
 					match.VersionStartIncluding = "0"
 				}
-
+				var nr []*osvschema.Range
 				if match.VersionEndExcluding != "" {
-					versionRanges = append(versionRanges, conversion.BuildVersionRange(match.VersionStartIncluding, "", match.VersionEndExcluding))
+					nr = append(nr, c.BuildVersionRange(match.VersionStartIncluding, "", match.VersionEndExcluding))
 				} else if match.VersionEndIncluding != "" {
-					versionRanges = append(versionRanges, conversion.BuildVersionRange(match.VersionStartIncluding, match.VersionEndIncluding, ""))
+					nr = append(nr, c.BuildVersionRange(match.VersionStartIncluding, match.VersionEndIncluding, ""))
+				}
+				if nr != nil {
+					versionRanges = append(versionRanges, c.ToRangeWithMetadata(nr, models.VersionSourceCPE)...)
 				}
 			}
 		}
@@ -98,8 +101,8 @@ func compareSemverLike(a, b string) int {
 		// We ignore the error, so non-numeric parts default to 0.
 		numA, _ := strconv.Atoi(partsA[i])
 		numB, _ := strconv.Atoi(partsB[i])
-		if c := cmp.Compare(numA, numB); c != 0 {
-			return c
+		if v := cmp.Compare(numA, numB); v != 0 {
+			return v
 		}
 	}
 	// If lengths are the same, they're equal.

vulnfeeds/conversion/cve5/default_extractor.go

@@ -15,8 +15,8 @@ import (
 // DefaultVersionExtractor provides the default version extraction logic.
 type DefaultVersionExtractor struct{}
 
-func (d *DefaultVersionExtractor) handleAffected(affected []models.Affected, metrics *models.ConversionMetrics) []*osvschema.Range {
-	var ranges []*osvschema.Range
+func (d *DefaultVersionExtractor) handleAffected(affected []models.Affected, metrics *models.ConversionMetrics) []models.RangeWithMetadata {
+	var ranges []models.RangeWithMetadata
 	for _, cveAff := range affected {
 		versionRanges, _ := d.FindNormalAffectedRanges(cveAff, metrics)
 
@@ -56,9 +56,8 @@ func (d *DefaultVersionExtractor) ExtractVersions(cve models.CVE5, v *vulns.Vuln
 		return true
 	}
 
-	
 	if len(ranges) != 0 {
-		if processRanges(c.ToRangeWithMetadata(ranges)) {
+		if processRanges(ranges) {
 			gotVersions = true
 			metrics.SetOutcome(models.Successful)
 		}
@@ -69,7 +68,7 @@ func (d *DefaultVersionExtractor) ExtractVersions(cve models.CVE5, v *vulns.Vuln
 		versionRanges, _ := cpeVersionExtraction(cve, metrics)
 
 		if len(versionRanges) != 0 {
-			if processRanges(c.ToRangeWithMetadata(versionRanges)) {
+			if processRanges(versionRanges) {
 				gotVersions = true
 			}
 		}
@@ -99,13 +98,13 @@ func (d *DefaultVersionExtractor) ExtractVersions(cve models.CVE5, v *vulns.Vuln
 	}
 }
 
-func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affected, metrics *models.ConversionMetrics) ([]*osvschema.Range, VersionRangeType) {
+func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affected, metrics *models.ConversionMetrics) ([]models.RangeWithMetadata, VersionRangeType) {
 	versionTypesCount := make(map[VersionRangeType]int)
-	var versionRanges []*osvschema.Range
+	var versionRanges []models.RangeWithMetadata
 	for _, vers := range affected.Versions {
 		ranges, _, shouldContinue := initialNormalExtraction(vers, metrics, versionTypesCount)
 		if len(ranges) > 0 {
-			versionRanges = append(versionRanges, ranges...)
+			versionRanges = append(versionRanges, c.ToRangeWithMetadata(ranges, models.VersionSourceAffected)...)
 		}
 
 		if shouldContinue {
@@ -121,11 +120,16 @@ func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affec
 			if av.Introduced == "" {
 				continue
 			}
+
 			if av.Fixed != "" {
-				versionRanges = append(versionRanges, c.BuildVersionRange(av.Introduced, "", av.Fixed))
+				vr := []*osvschema.Range{c.BuildVersionRange(av.Introduced, "", av.Fixed)}
+				versionRanges = append(versionRanges, c.ToRangeWithMetadata(vr, models.VersionSourceAffected)...)
+
 				continue
 			} else if av.LastAffected != "" {
-				versionRanges = append(versionRanges, c.BuildVersionRange(av.Introduced, av.LastAffected, ""))
+				vr := []*osvschema.Range{c.BuildVersionRange(av.Introduced, av.LastAffected, "")}
+				versionRanges = append(versionRanges, c.ToRangeWithMetadata(vr, models.VersionSourceAffected)...)
+
 				continue
 			}
 		}
@@ -140,7 +144,8 @@ func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affec
 
 		// As a fallback, assume a single version means it's the last affected version.
 		if vulns.CheckQuality(vers.Version).AtLeast(acceptableQuality) {
-			versionRanges = append(versionRanges, c.BuildVersionRange("0", vers.Version, ""))
+			vr := []*osvschema.Range{c.BuildVersionRange("0", vers.Version, "")}
+			versionRanges = append(versionRanges, c.ToRangeWithMetadata(vr, models.VersionSourceAffected)...)
 			metrics.AddNote("Single version found %v - Assuming introduced = 0 and last affected = %v", vers.Version, vers.Version)
 		}
 	}
@@ -156,4 +161,4 @@ func (d *DefaultVersionExtractor) FindNormalAffectedRanges(affected models.Affec
 	}
 
 	return versionRanges, mostFrequentVersionType
-}
+}

vulnfeeds/conversion/cve5/extraction.go

@@ -3,13 +3,12 @@ package cve5
 import (
 	"github.com/google/osv/vulnfeeds/models"
 	"github.com/google/osv/vulnfeeds/vulns"
-	"github.com/ossf/osv-schema/bindings/go/osvschema"
 )
 
 // VersionExtractor defines the interface for different version extraction strategies.
 type VersionExtractor interface {
 	ExtractVersions(cve models.CVE5, v *vulns.Vulnerability, metrics *models.ConversionMetrics, repos []string)
-	FindNormalAffectedRanges(affected models.Affected, metrics *models.ConversionMetrics) ([]*osvschema.Range, VersionRangeType)
+	FindNormalAffectedRanges(affected models.Affected, metrics *models.ConversionMetrics) ([]models.RangeWithMetadata, VersionRangeType)
 }
 
 // GetVersionExtractor returns the appropriate VersionExtractor for a given CNA.

vulnfeeds/conversion/cve5/linux_extractor.go

@@ -6,8 +6,9 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/google/osv/vulnfeeds/conversion"
+	c "github.com/google/osv/vulnfeeds/conversion"
 	"github.com/google/osv/vulnfeeds/models"
+	"github.com/google/osv/vulnfeeds/utility/logger"
 	"github.com/google/osv/vulnfeeds/vulns"
 	"github.com/ossf/osv-schema/bindings/go/osvconstants"
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
@@ -30,7 +31,11 @@ func (l *LinuxVersionExtractor) handleAffected(v *vulns.Vulnerability, affected
 		if cveAff.DefaultStatus == "affected" {
 			versionRanges, versionType = findInverseAffectedRanges(cveAff, metrics)
 		} else {
-			versionRanges, versionType = l.FindNormalAffectedRanges(cveAff, metrics)
+			var versionRangesWithMetadata []models.RangeWithMetadata
+			versionRangesWithMetadata, versionType = l.FindNormalAffectedRanges(cveAff, metrics)
+			for _, r := range versionRangesWithMetadata {
+				versionRanges = append(versionRanges, r.Range)
+			}
 		}
 		if (versionType == VersionRangeTypeGit && hasGit) || len(versionRanges) == 0 {
 			continue
@@ -43,7 +48,7 @@ func (l *LinuxVersionExtractor) handleAffected(v *vulns.Vulnerability, affected
 		}
 		aff := createLinuxAffected(versionRanges, versionType, cveAff.Repo)
 		metrics.AddSource(models.VersionSourceAffected)
-		conversion.AddAffected(v, aff, metrics)
+		c.AddAffected(v, aff, metrics)
 	}
 
 	return gotVersions
@@ -55,10 +60,16 @@ func (l *LinuxVersionExtractor) ExtractVersions(cve models.CVE5, v *vulns.Vulner
 
 	if !gotVersions {
 		metrics.AddNote("No versions in affected, attempting to extract from CPE")
-		versionRanges, _ := cpeVersionExtraction(cve, metrics)
-
+		versionRanges, err := cpeVersionExtraction(cve, metrics)
+		if err != nil {
+			logger.Warn("Error when extracting CPE versions")
+		}
 		if len(versionRanges) != 0 {
-			aff := createLinuxAffected(versionRanges, VersionRangeTypeEcosystem, "")
+			var ranges []*osvschema.Range
+			for _, r := range versionRanges {
+				ranges = append(ranges, r.Range)
+			}
+			aff := createLinuxAffected(ranges, VersionRangeTypeEcosystem, "")
 			v.Affected = append(v.Affected, aff)
 		}
 	}
@@ -136,7 +147,7 @@ func findInverseAffectedRanges(cveAff models.Affected, metrics *models.Conversio
 	// Create ranges by pairing sorted introduced and fixed versions.
 	for index, f := range fixed {
 		if index < len(introduced) {
-			ranges = append(ranges, conversion.BuildVersionRange(introduced[index], "", f))
+			ranges = append(ranges, c.BuildVersionRange(introduced[index], "", f))
 			metrics.AddNote("Introduced from version value - %s", introduced[index])
 			metrics.AddNote("Fixed from version value - %s", f)
 		}
@@ -150,12 +161,12 @@ func findInverseAffectedRanges(cveAff models.Affected, metrics *models.Conversio
 	return nil, VersionRangeTypeUnknown
 }
 
-func (l *LinuxVersionExtractor) FindNormalAffectedRanges(affected models.Affected, metrics *models.ConversionMetrics) ([]*osvschema.Range, VersionRangeType) {
+func (l *LinuxVersionExtractor) FindNormalAffectedRanges(affected models.Affected, metrics *models.ConversionMetrics) ([]models.RangeWithMetadata, VersionRangeType) {
 	versionTypesCount := make(map[VersionRangeType]int)
-	var versionRanges []*osvschema.Range
+	var versionRanges []models.RangeWithMetadata
 	for _, vers := range affected.Versions {
 		ranges, currentVersionType, shouldContinue := initialNormalExtraction(vers, metrics, versionTypesCount)
-		versionRanges = append(versionRanges, ranges...)
+		versionRanges = append(versionRanges, c.ToRangeWithMetadata(ranges, models.VersionSourceAffected)...)
 		if shouldContinue {
 			continue
 		}
@@ -165,13 +176,16 @@ func (l *LinuxVersionExtractor) FindNormalAffectedRanges(affected models.Affecte
 		metrics.AddNote("Only version exists")
 
 		if currentVersionType == VersionRangeTypeGit {
-			versionRanges = append(versionRanges, conversion.BuildVersionRange(vers.Version, "", ""))
+			vr := []*osvschema.Range{c.BuildVersionRange(vers.Version, "", "")}
+			versionRanges = append(versionRanges, c.ToRangeWithMetadata(vr, models.VersionSourceGit)...)
+
 			continue
 		}
 
 		// As a fallback, assume a single version means it's the last affected version.
 		if vulns.CheckQuality(vers.Version).AtLeast(acceptableQuality) {
-			versionRanges = append(versionRanges, conversion.BuildVersionRange("0", vers.Version, ""))
+			vr := []*osvschema.Range{c.BuildVersionRange("0", vers.Version, "")}
+			versionRanges = append(versionRanges, c.ToRangeWithMetadata(vr, models.VersionSourceAffected)...)
 			metrics.AddNote("Single version found %v - Assuming introduced = 0 and last affected = %v", vers.Version, vers.Version)
 		}
 	}

vulnfeeds/conversion/cve5/strategies.go

@@ -7,7 +7,7 @@ import (
 	"github.com/ossf/osv-schema/bindings/go/osvschema"
 )
 
-func cpeVersionExtraction(cve models.CVE5, metrics *models.ConversionMetrics) ([]*osvschema.Range, error) {
+func cpeVersionExtraction(cve models.CVE5, metrics *models.ConversionMetrics) ([]models.RangeWithMetadata, error) {
 	cpeRanges, cpeStrings, err := findCPEVersionRanges(cve)
 	if err == nil && len(cpeRanges) > 0 {
 		metrics.VersionSources = append(metrics.VersionSources, models.VersionSourceCPE)

vulnfeeds/conversion/cve5/version_extraction_test.go

@@ -114,7 +114,11 @@ func TestFindNormalAffectedRanges(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			versionExtractor := &DefaultVersionExtractor{}
-			gotRanges, gotRangeType := versionExtractor.FindNormalAffectedRanges(tt.affected, &models.ConversionMetrics{})
+			gotRangesWithMeta, gotRangeType := versionExtractor.FindNormalAffectedRanges(tt.affected, &models.ConversionMetrics{})
+			var gotRanges []*osvschema.Range
+			for _, r := range gotRangesWithMeta {
+				gotRanges = append(gotRanges, r.Range)
+			}
 			if diff := cmp.Diff(tt.wantRanges, gotRanges, protocmp.Transform()); diff != "" {
 				t.Errorf("findNormalAffectedRanges() ranges mismatch (-want +got):\n%s", diff)
 			}