fix(generic parser): prevent nested list when cve and vulnerability_ids are both present#15212
Open
narvadanami wants to merge 1 commit into
Open
Conversation
…ds are both present When both 'cve' and 'vulnerability_ids' were present in generic JSON import, .append() was used instead of .extend(), causing a nested list: ['CVE-2020-36234', ['GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']] instead of ['CVE-2020-36234', 'GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234'] Without 'cve', vulnerability_ids worked correctly via direct assignment. The bug only manifested when both fields were present simultaneously. Added test to verify flat list behavior. Updated documentation with vulnerability_ids example.
07ee5bf to
f620839
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
When both
cveandvulnerability_idswere present in generic JSON import,.append()was used instead of.extend(), causing a nested list:['CVE-2020-36234', ['GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']]instead of['CVE-2020-36234', 'GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234'].Without
cve,vulnerability_idsworked correctly via direct assignment. The bug only manifested when both fields were present simultaneously.Fix
.append()to.extend()when mergingcveinto existingvulnerability_idsisinstance(str)protection for string-typevulnerability_ids(prevents.extend()from iterating over characters)vulnerability_idsexampleTesting
test_parse_json_with_cve_and_vulnerability_idscovering:cve+vulnerability_ids(list) → flat list of 3 itemsvulnerability_idsas string → wrapped in list