Add support for OSV code fix commit collection

ziadhany · ziadhany · commit 9a4580c607b1 · 2025-11-17T16:54:34.000+02:00
Signed-off-by: ziad hany &lt;ziadhany2016@gmail.com&gt;
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -25,6 +25,7 @@
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import CodeCommitData
 from vulnerabilities.importer import Reference
 from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
@@ -132,7 +133,8 @@ def parse_advisory_data_v2(
     references = get_references_v2(raw_data=raw_data)
 
     affected_packages = []
-
+    fixed_by_commits = []
+    affected_by_commits = []
     for affected_pkg in raw_data.get("affected") or []:
         purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=advisory_id)
 
@@ -154,6 +156,10 @@ def parse_advisory_data_v2(
             )
             fixed_versions.extend([v.string for v in fixed_version])
 
+            introduced_commits, fixed_commits = get_code_commit(fixed_range, raw_id=advisory_id)
+            fixed_by_commits.extend(fixed_commits)
+            affected_by_commits.extend(introduced_commits)
+
         fixed_version_range = (
             get_fixed_version_range(fixed_versions, purl.type) if fixed_versions else None
         )
@@ -183,6 +189,8 @@ def parse_advisory_data_v2(
         affected_packages=affected_packages,
         date_published=date_published,
         weaknesses=weaknesses,
+        fixed_by_commits=fixed_by_commits,
+        affected_by_commits=affected_by_commits,
         url=advisory_url,
         original_advisory_text=advisory_text or json.dumps(raw_data, indent=2, ensure_ascii=False),
     )
@@ -208,6 +216,17 @@ def extract_fixed_versions(fixed_range) -> Iterable[str]:
             yield fixed
 
 
+def extract_commits(introduced_range) -> Iterable[str]:
+    """
+    Return a list of fixed version strings given a ``fixed_range`` mapping of
+    OSV data.
+    """
+    for event in introduced_range.get("events") or []:
+        introduced = event.get("introduced")
+        fixed = event.get("fixed")
+        yield introduced, fixed
+
+
 def get_published_date(raw_data):
     published = raw_data.get("published")
     return published and dateparser.parse(date_string=published)
@@ -398,11 +417,49 @@ def get_fixed_versions(fixed_range, raw_id, supported_ecosystem) -> List[Version
                 fixed_versions.append(SemverVersion(version))
             except InvalidVersion:
                 logger.error(f"Invalid SemverVersion: {version!r} for OSV id: {raw_id!r}")
+
+        if fixed_range_type == "GIT":
+            # We process this in the get_code_commit function.
+            continue
         else:
             logger.error(f"Unsupported fixed version type: {version!r} for OSV id: {raw_id!r}")
 
-        # if fixed_range_type == "GIT":
-        # TODO add GitHubVersion univers fix_version
-        #     logger.error(f"NotImplementedError GIT Version - {raw_id !r} - {i !r}")
-
     return dedupe(fixed_versions)
+
+
+def get_code_commit(ranges, raw_id):
+    """
+    Return two lists of unique code commits (introduced and fixed) extracted from a
+    given vulnerability `ranges` dictionary.
+    """
+    if ranges.get("type") != "GIT":
+        logger.debug(f"Skipping non-GIT range for OSV id: {raw_id!r}")
+        return [], []
+
+    repo = ranges.get("repo")
+    if not repo:
+        logger.error(f"Missing 'repo' field in range: {ranges} (OSV id: {raw_id!r})")
+        return [], []
+
+    repo = ranges.get("repo")
+    introduced_commits, fixed_commits = [], []
+    for introduced, fixed in extract_commits(ranges):
+        # Git uses this magic hash for the empty tree
+        if introduced == "0":
+            introduced = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
+
+        try:
+            if introduced:
+                introduced_commit = CodeCommitData(commit_hash=introduced, vcs_url=repo)
+                introduced_commits.append(introduced_commit)
+        except ValueError as e:
+            logger.error(f"Failed to extract introduced commits: {e!r}")
+
+        try:
+            if fixed:
+                fixed_commit = CodeCommitData(commit_hash=fixed, vcs_url=repo)
+                fixed_commits.append(fixed_commit)
+        except ValueError as e:
+            logger.error(f"Failed to extract fixed commits: {e!r}")
+
+    return introduced_commits, fixed_commits
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_github_osv_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_github_osv_importer_v2.py
@@ -13,6 +13,7 @@
 import pytest
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import CodeCommitData
 from vulnerabilities.pipelines.v2_importers.github_osv_importer import GithubOSVImporterPipeline
 
 
@@ -27,7 +28,23 @@ def sample_osv_advisory(tmp_path: Path):
             {
                 "package": {"name": "sample", "ecosystem": "pypi"},
                 "ranges": [
-                    {"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.0"}]}
+                    {"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.0"}]},
+                    {
+                        "type": "GIT",
+                        "repo": "https://github.com/aboutcode-org/vulnerablecode",
+                        "events": [
+                            {"introduced": "0"},
+                            {"fixed": "10081dd502dcfc0953de333fe8afb399db5f2a88"},
+                        ],
+                    },
+                    {
+                        "type": "GIT",
+                        "repo": "https://github.com/aboutcode-org/vulnerablecode",
+                        "events": [
+                            {"introduced": "b58c68c38a9de451818bac6c96d08d61e7f348a2"},
+                            {"fixed": "61621982593152c47b520ce893eb90c332427483"},
+                        ],
+                    },
                 ],
                 "versions": ["1.0.0", "1.1.0"],
             }
@@ -67,3 +84,36 @@ def delete(self):
     assert advisory.original_advisory_text.strip().startswith("{")
     assert advisory.affected_packages
     assert advisory.affected_packages[0].package.type == "pypi"
+    assert advisory.affected_by_commits == [
+        CodeCommitData(
+            commit_hash="4b825dc642cb6eb9a060e54bf8d69288fbee4904",
+            vcs_url="https://github.com/aboutcode-org/vulnerablecode",
+            commit_author=None,
+            commit_message=None,
+            commit_date=None,
+        ),
+        CodeCommitData(
+            commit_hash="b58c68c38a9de451818bac6c96d08d61e7f348a2",
+            vcs_url="https://github.com/aboutcode-org/vulnerablecode",
+            commit_author=None,
+            commit_message=None,
+            commit_date=None,
+        ),
+    ]
+
+    assert advisory.fixed_by_commits == [
+        CodeCommitData(
+            commit_hash="10081dd502dcfc0953de333fe8afb399db5f2a88",
+            vcs_url="https://github.com/aboutcode-org/vulnerablecode",
+            commit_author=None,
+            commit_message=None,
+            commit_date=None,
+        ),
+        CodeCommitData(
+            commit_hash="61621982593152c47b520ce893eb90c332427483",
+            vcs_url="https://github.com/aboutcode-org/vulnerablecode",
+            commit_author=None,
+            commit_message=None,
+            commit_date=None,
+        ),
+    ]
diff --git a/vulnerabilities/tests/test_osv.py b/vulnerabilities/tests/test_osv.py
@@ -15,11 +15,13 @@
 from univers.versions import PypiVersion
 from univers.versions import SemverVersion
 
+from vulnerabilities.importer import CodeCommitData
 from vulnerabilities.importer import Reference
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.importers.osv import extract_fixed_versions as fixed_filter
 from vulnerabilities.importers.osv import get_affected_purl
 from vulnerabilities.importers.osv import get_affected_version_range
+from vulnerabilities.importers.osv import get_code_commit
 from vulnerabilities.importers.osv import get_fixed_versions
 from vulnerabilities.importers.osv import get_published_date
 from vulnerabilities.importers.osv import get_references
@@ -70,6 +72,67 @@ def test_fixed_filter3(self):
         )
         assert results == ["1.5.0", "9.0g0", "10.8"]
 
+    def test_code_commit_filter(self):
+        results = get_code_commit(
+            ranges={
+                "type": "GIT",
+                "repo": "https://github.com/aboutcode-org/vulnerablecode",
+                "events": [
+                    {"introduced": "0"},
+                    {"fixed": "a8ec9f1f300dc87f24e0f0a426a5c67c0b1b32d7"},
+                ],
+            },
+            raw_id="GHSA-j3f7-7rmc-6wqj",
+        )
+
+        assert results == (
+            [
+                CodeCommitData(
+                    commit_hash="4b825dc642cb6eb9a060e54bf8d69288fbee4904",
+                    vcs_url="https://github.com/aboutcode-org/vulnerablecode",
+                    commit_author=None,
+                    commit_message=None,
+                    commit_date=None,
+                )
+            ],
+            [
+                CodeCommitData(
+                    commit_hash="a8ec9f1f300dc87f24e0f0a426a5c67c0b1b32d7",
+                    vcs_url="https://github.com/aboutcode-org/vulnerablecode",
+                    commit_author=None,
+                    commit_message=None,
+                    commit_date=None,
+                )
+            ],
+        )
+
+    def test_code_commit_invalid_filter(self):
+        results = get_code_commit(
+            ranges={
+                "type": "GIT",
+                "events": [
+                    {"introduced": "0"},
+                    {"fixed": "a8ec9f1f300dc87f24e0f0a426a5c67c0b1b32d7"},
+                ],
+            },
+            raw_id="GHSA-j3f7-7rmc-6wqj",
+        )
+
+        assert results == ([], [])  # no vcs_url
+
+        results = get_code_commit(
+            ranges={
+                "repo": "https://github.com/aboutcode-org/vulnerablecode",
+                "events": [
+                    {"introduced": "0"},
+                    {"fixed": "a8ec9f1f300dc87f24e0f0a426a5c67c0b1b32d7"},
+                ],
+            },
+            raw_id="GHSA-j3f7-7rmc-6wqj",
+        )
+
+        assert results == ([], [])  # no type
+
     def test_get_published_date1(self):
         results = get_published_date(
             raw_data={"id": "GHSA-j3f7-7rmc-6wqj", "published": "2022-01-10T14:12:00Z"}
