fix: Gentoo GLSA data embeds the package SLOT directly in the version#2376
Open
singlaamitesh wants to merge 1 commit into
Open
fix: Gentoo GLSA data embeds the package SLOT directly in the version#2376singlaamitesh wants to merge 1 commit into
singlaamitesh wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1921
Summary
Gentoo GLSA data embeds the package SLOT directly in the version text (e.g. '6.9.3:6' or '3.24.48:3'), which univers.versions.GentooVersion cannot parse since a colon isn't valid Gentoo version syntax; this caused affected/safe versions to be silently dropped (previously caught by an existing try/except, masking the real bug of empty affected_packages). Fixed both the legacy and v2 Gentoo importers to strip the ':' suffix before constructing GentooVersion, and added regression tests using a real GLSA (qtsvg, 202511-03) fetched from the upstream glsa.git repo that reproduces the issue.
Changes
vulnerabilities/importers/gentoo.pyvulnerabilities/pipelines/v2_importers/gentoo_importer.pyvulnerabilities/tests/test_gentoo.pyvulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.pyvulnerabilities/tests/test_data/gentoo/glsa-202511-03.xmlvulnerabilities/tests/test_data/gentoo/glsa-202511-03-expected.jsonvulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03.xmlvulnerabilities/tests/test_data/gentoo_v2/glsa-202511-03-expected.jsonHow this was tested
Ran
the affected testslocally.