osv: use an empty SEMVER range to indicate everything is affected
As dictated by the specification, rather than just an empty "affects"
struct as we did previously.
Change-Id: I3e9c2224039003ea900d1b787fdeaf7b9b95f999
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/336729
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Vulndb-Deploy: Roland Shoemaker <bracewell@google.com>
diff --git a/osv/json.go b/osv/json.go
index 8e19f9a..c634d98 100644
--- a/osv/json.go
+++ b/osv/json.go
@@ -55,8 +55,8 @@
type AffectsRange struct {
Type AffectsRangeType `json:"type"`
- Introduced string `json:"introduced"`
- Fixed string `json:"fixed"`
+ Introduced string `json:"introduced,omitempty"`
+ Fixed string `json:"fixed,omitempty"`
}
// addSemverPrefix adds a 'v' prefix to s if it isn't already prefixed
@@ -103,6 +103,12 @@
Fixed: removeSemverPrefix(v.Fixed),
})
}
+ if len(a.Ranges) == 0 {
+ // If all versions are affected, as indicated by an empty versions slice,
+ // we need to include an empty TypeSemver AffectsRange in the JSON
+ // output.
+ a.Ranges = append(a.Ranges, AffectsRange{Type: TypeSemver})
+ }
return a
}
diff --git a/osv/json_test.go b/osv/json_test.go
index ae0d69b..c306db0 100644
--- a/osv/json_test.go
+++ b/osv/json_test.go
@@ -143,6 +143,13 @@
want: true,
},
{
+ // Affects containing an empty SEMVER range also indicates
+ // everything is affected
+ affects: Affects{Ranges: []AffectsRange{{Type: TypeSemver}}},
+ version: "v0.0.0",
+ want: true,
+ },
+ {
// v1.0.0 < v2.0.0
affects: Affects{
Ranges: []AffectsRange{