Update OSV script to ingest CodeCommit even if the package is not supported

ziadhany · ziadhany · commit b67dd44d76d4 · 2025-11-17T16:54:35.000+02:00
Signed-off-by: ziad hany &lt;ziadhany2016@gmail.com&gt;
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -139,21 +139,21 @@ def parse_advisory_data_v2(
     for affected_pkg in raw_data.get("affected") or []:
         purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=advisory_id)
 
-        if not purl or purl.type not in supported_ecosystems:
-            logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {advisory_id!r}")
-            continue
-
-        affected_version_range = get_affected_version_range(
-            affected_pkg=affected_pkg,
-            raw_id=advisory_id,
-            supported_ecosystem=purl.type,
-        )
+        affected_version_range = None
+        if purl and purl.type not in supported_ecosystems:
+            affected_version_range = get_affected_version_range(
+                affected_pkg=affected_pkg,
+                raw_id=advisory_id,
+                supported_ecosystem=purl.type,
+            )
 
         fixed_versions = []
         fixed_version_range = None
         for fixed_range in affected_pkg.get("ranges") or []:
             fixed_version, (introduced_commits, fixed_commits) = get_fixed_versions_and_commits(
-                ranges=fixed_range, raw_id=advisory_id, supported_ecosystem=purl.type
+                ranges=fixed_range,
+                raw_id=advisory_id,
+                supported_ecosystem=purl.type if purl else None,
             )
             fixed_versions.extend([v.string for v in fixed_version])
 
@@ -164,6 +164,10 @@ def parse_advisory_data_v2(
             get_fixed_version_range(fixed_versions, purl.type) if fixed_versions else None
         )
 
+        if not purl or purl.type not in supported_ecosystems:
+            logger.error(f"Unsupported package type: {purl!r} in OSV: {advisory_id!r}")
+            continue
+
         if fixed_version_range or affected_version_range:
             affected_packages.append(
                 AffectedPackageV2(
@@ -354,7 +358,7 @@ def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem):
             return RANGE_CLASS_BY_SCHEMES[supported_ecosystem].from_versions(affected_versions)
         except Exception as e:
             logger.error(
-                f"Invalid VersionRange  for affected_pkg: {affected_pkg} "
+                f"Invalid VersionRange for affected_pkg: {affected_versions} "
                 f"for OSV id: {raw_id!r}: error:{e!r}"
             )
 
@@ -397,7 +401,7 @@ def get_fixed_versions_and_commits(
     version_class = version_range_class.version_class if version_range_class else None
 
     for introduced, fixed in extract_introduced_and_fixed(ranges):
-        if fixed_range_type == "ECOSYSTEM" and fixed:
+        if fixed_range_type == "ECOSYSTEM" and fixed and supported_ecosystem:
             try:
                 if not version_class:
                     raise InvalidVersion(
@@ -409,7 +413,7 @@ def get_fixed_versions_and_commits(
                     f"Invalid version class: {version_class} - {fixed!r} for OSV id: {raw_id!r}"
                 )
 
-        elif fixed_range_type == "SEMVER" and fixed:
+        elif fixed_range_type == "SEMVER" and fixed and supported_ecosystem:
             try:
                 fixed_versions.append(SemverVersion(fixed))
             except InvalidVersion:
