Skip to content

feat(cg/transformers): add chainguard osv transformer #3474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
crosleyzack wants to merge 8 commits into
base: main
Choose a base branch
from
Open

feat(cg/transformers): add chainguard osv transformer #3474

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
315cc82
feat(cg/transformers) INT-520: add chainguard osv transformer
crosleyzack May 29, 2026
1059591
use existing architecture qualifier
crosleyzack Jun 2, 2026
1972f34
add operating system to affected package handle
crosleyzack Jun 5, 2026
cc67a5b
add purl qualifier for arch and create matcher tests for arch filtering
crosleyzack Jun 5, 2026
c92ad8d
ensure syft uses purl arch enhancer
crosleyzack Jun 10, 2026
2453a78
rebase
crosleyzack Jun 17, 2026
90f5a58
remove unnecessary string conversions
crosleyzack Jun 23, 2026
0c9f5f0
respond to comments
crosleyzack Jun 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 70 additions & 0 deletions grype/db/v6/blobs_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,13 @@ import (
"testing"
"time"

"github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)

func asPtr[T any](v T) *T { return &v }

func TestFixAvailability_MarshalJSON(t *testing.T) {
testTime := time.Date(2022, 4, 9, 15, 30, 45, 0, time.UTC)

Expand Down Expand Up @@ -123,3 +126,70 @@ func TestFixAvailability_UnmarshalJSON_InvalidDateFormat(t *testing.T) {
assert.Contains(t, err.Error(), `unable to parse date "invalid-date"`)
assert.Contains(t, err.Error(), "expected format YYYY-MM-DD or RFC3339")
}

// TestPackageQualifiers_RoundTrip locks in the JSON shape of PackageQualifiers.
//
// Field-level coverage matters because PackageQualifiers is persisted into the
// blob store as JSON: a stray rename or json-tag drift would silently corrupt
// every advisory's qualifiers when the build picks the new schema up. The
// `omitempty` behavior is also load-bearing — every qualifier field is a
// pointer/slice so that absent qualifiers produce a minimal blob.
func TestPackageQualifiers_RoundTrip(t *testing.T) {
tests := []struct {
name string
input PackageQualifiers
wantJSON string
}{
{
name: "all fields nil produces empty object",
input: PackageQualifiers{},
wantJSON: `{}`,
},
{
name: "architecture only",
input: PackageQualifiers{
Architecture: asPtr("x86_64"),
},
wantJSON: `{"architecture":"x86_64"}`,
},
{
name: "architecture aarch64",
input: PackageQualifiers{
Architecture: asPtr("aarch64"),
},
wantJSON: `{"architecture":"aarch64"}`,
},
{
name: "architecture src sentinel",
input: PackageQualifiers{
Architecture: asPtr("src"),
},
wantJSON: `{"architecture":"src"}`,
},
{
name: "full qualifier set",
input: PackageQualifiers{
RpmModularity: asPtr("nodejs:16"),
PlatformCPEs: []string{"cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*"},
RootIO: asPtr(true),
Architecture: asPtr("aarch64"),
},
wantJSON: `{"rpm_modularity":"nodejs:16","platform_cpes":["cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*"],"rootio":true,"architecture":"aarch64"}`,
},
}

for _, testToRun := range tests {
test := testToRun
t.Run(test.name, func(t *testing.T) {
data, err := json.Marshal(test.input)
require.NoError(t, err)
assert.JSONEq(t, test.wantJSON, string(data))

var got PackageQualifiers
require.NoError(t, json.Unmarshal(data, &got))
if diff := cmp.Diff(test.input, got); diff != "" {
t.Errorf("PackageQualifiers round-trip mismatch (-want +got):\n%s", diff)
}
})
}
}
123 changes: 123 additions & 0 deletions grype/db/v6/build/transformers/osv/testdata/CGA-224q-ccj5-2p53.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
{
"schema_version": "1.7.0",
"id": "CGA-224q-ccj5-2p53",
"published": "2026-01-07T00:00:00Z",
"modified": "2026-01-07T00:00:00Z",
"summary": "HAProxy: HTTP request smuggling via malformed header",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
],
"upstream": [
"CVE-2025-32464",
"GHSA-frg5-h47x-75j9"
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32464"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-frg5-h47x-75j9"
}
],
"affected": [
{
"package": {
"ecosystem": "Chainguard",
"name": "haproxy-2.2",
"purl": "pkg:apk/chainguard/haproxy-2.2?arch=x86_64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.34-r0"
}
]
}
],
"ecosystem_specific": {
"components": [
{
"advisory_id": "CGA-224q-ccj5-0001",
"component_name": "haproxy",
"component_version": "2.2.33",
"component_type": "apk",
"component_location": "/usr/sbin/haproxy",
"component_purl": "pkg:apk/chainguard/haproxy@2.2.33",
"status": "fixed",
"note": "Upgraded to 2.2.34"
}
]
}
},
{
"package": {
"ecosystem": "Chainguard",
"name": "haproxy-2.8",
"purl": "pkg:apk/chainguard/haproxy-2.8?arch=x86_64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.18-r0"
}
]
}
]
},
{
"package": {
"ecosystem": "Wolfi",
"name": "haproxy-3.0",
"purl": "pkg:apk/wolfi/haproxy-3.0?arch=aarch64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.10-r0"
}
]
}
]
},
{
"package": {
"ecosystem": "Wolfi",
"name": "haproxy-3.1",
"purl": "pkg:apk/wolfi/haproxy-3.1"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.7-r0"
}
]
}
]
}
]
}
112 changes: 112 additions & 0 deletions grype/db/v6/build/transformers/osv/testdata/CGA-22hv-wp9q-4779.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
{
"schema_version": "1.7.0",
"id": "CGA-22hv-wp9q-4779",
"published": "2026-02-24T13:07:08Z",
"modified": "2026-02-24T13:07:08Z",
"summary": "Langfuse: Information disclosure via insecure session handling",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"upstream": [
"CVE-2026-24398",
"GHSA-r354-f388-2fhh"
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24398"
}
],
"affected": [
{
"package": {
"ecosystem": "Chainguard",
"name": "langfuse-3-worker",
"purl": "pkg:apk/chainguard/langfuse-3-worker?arch=x86_64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.153.0-r0"
}
]
}
],
"ecosystem_specific": {
"components": [
{
"advisory_id": "CGA-22hv-wp9q-0001",
"component_name": "langfuse-core",
"component_version": "3.152.0",
"component_type": "npm",
"component_location": "/app/node_modules/langfuse-core",
"component_purl": "pkg:npm/langfuse-core@3.152.0",
"status": "fixed",
"note": "Updated in 3.153.0-r0"
}
]
}
},
{
"package": {
"ecosystem": "Chainguard",
"name": "langfuse-fips-3-worker",
"purl": "pkg:apk/chainguard/langfuse-fips-3-worker?arch=x86_64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.152.0-r0"
}
]
}
],
"ecosystem_specific": {
"components": [
{
"advisory_id": "CGA-22hv-wp9q-0002",
"component_name": "langfuse-core",
"component_version": "3.151.0",
"component_type": "npm",
"component_location": "/app/node_modules/langfuse-core",
"component_purl": "pkg:npm/langfuse-core@3.151.0",
"status": "fixed"
}
]
}
},
{
"package": {
"ecosystem": "Wolfi",
"name": "langfuse-3-worker",
"purl": "pkg:apk/wolfi/langfuse-3-worker?arch=aarch64"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.153.0-r0"
}
]
}
]
}
]
}
Loading