
OSIDB-4929: Ignore withdrawn osv cves #1250

Draft
roduran-dev wants to merge 1 commit into master from OSIDB-4929-osv-collector-is-failing

Conversation

@roduran-dev
Contributor

@roduran-dev roduran-dev commented Apr 23, 2026

OSV_collector is failing because some CVEs don't have a details field.
Here are some cases:
https://rhcorporate.sumologic.com/log-search/create?id=KrKOonAPFb0MuA06kmYGTB4xC4fhOPqVmGBK3aPN

After some investigation, all of these cases, besides having no "Details" field, had a withdrawn field.

In an informal refinement it was agreed that maybe we should ignore these cases.

Alternative fix:

Instead of ignoring ALL cases, it could just ignore the ones without Details.

Closes OSIDB-4929

@coderabbitai

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough

Adds a dedicated exception class to handle withdrawn OSV vulnerabilities with metadata. Updates the extraction and collection flow to detect withdrawn entries, raise the exception, catch it, log a warning, and skip processing without affecting other exception handling.

Changes

Withdrawn OSV Exception Handling (collectors/osv/collectors.py): Introduces the OSVCollectorWithdrawnException class with osv_id, cve_ids, and withdrawn metadata. Updates extract_content() to raise this exception when the OSV record contains a withdrawn value, and updates collect() to catch it, log a warning, and continue without parsing or saving.

Changelog Documentation (docs/CHANGELOG.md): Documents the change under the Unreleased section, noting that osv_collector now ignores withdrawn items.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 40.00%, which is insufficient; the required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title 'OSIDB-4929: Ignore withdrawn osv cves' clearly summarizes the main change: adding handling to ignore withdrawn OSV vulnerabilities in the collector.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Description check: ✅ Passed. The pull request description explains the issue (OSV collector failing due to a missing Details field), identifies withdrawn CVEs as the common factor, and indicates the agreed solution to ignore these cases.

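The detect/raise/catch/skip flow described in the PR description and in the walkthrough above, as an added standalone example. This is not OSIDB's collectors.py; the names OSVWithdrawnError, ExtractedContent, extract_content and collect, and the sample records, are assumptions constructed for this illustration. It also shows the alternative the description mentions (skipping only withdrawn records that lack details) behind a flag, and it logs the exception's metadata as structured fields so skipped records can be counted rather than only grepped out of free text:

```python
"""Added example (not OSIDB's collectors.py): handle withdrawn OSV records
without letting a missing ``details`` field abort the whole collection run."""
import logging
from dataclasses import dataclass

logger = logging.getLogger("osv_example")


class OSVWithdrawnError(Exception):
    """Raised for OSV records carrying a ``withdrawn`` timestamp (assumed name)."""

    def __init__(self, osv_id, cve_ids, withdrawn):
        self.osv_id = osv_id
        self.cve_ids = cve_ids
        self.withdrawn = withdrawn
        super().__init__(
            f"{osv_id} withdrawn at {withdrawn} (CVEs: {', '.join(cve_ids) or 'none'})"
        )


@dataclass
class ExtractedContent:
    osv_id: str
    cve_ids: list
    details: str


def extract_content(record: dict, skip_all_withdrawn: bool = True) -> ExtractedContent:
    """Pull the fields the collector needs out of one OSV JSON record.

    skip_all_withdrawn=True mirrors the PR's chosen behaviour (reject every
    withdrawn record); False mirrors the alternative fix from the description
    (reject only withdrawn records that also lack ``details``).
    """
    osv_id = record["id"]
    # OSV lists CVE ids under "aliases"; keep only those.
    cve_ids = [a for a in record.get("aliases", []) if a.startswith("CVE-")]
    withdrawn = record.get("withdrawn")
    details = record.get("details")

    if withdrawn and (skip_all_withdrawn or details is None):
        raise OSVWithdrawnError(osv_id, cve_ids, withdrawn)

    # The original failure mode: a withdrawn record has no "details" at all,
    # so an unguarded record["details"] raises KeyError and aborts the run.
    return ExtractedContent(osv_id, cve_ids, record["details"])


def collect(records, skip_all_withdrawn: bool = True):
    """Process every record; withdrawn ones are logged and skipped, not fatal."""
    saved, skipped = [], []
    for record in records:
        try:
            content = extract_content(record, skip_all_withdrawn)
        except OSVWithdrawnError as exc:
            # Structured fields instead of only str(exc): countable and alertable.
            logger.warning(
                "skipping withdrawn OSV record %s (CVEs %s, withdrawn %s)",
                exc.osv_id, exc.cve_ids, exc.withdrawn,
            )
            skipped.append(exc.osv_id)
            continue
        saved.append(content)  # stand-in for parsing and saving the snippet/flaw
    return saved, skipped


# Constructed sample records; ids and CVE numbers are placeholders, not real data.
SAMPLE_RECORDS = [
    {"id": "EX-2026-0001", "aliases": ["CVE-2026-00001"],
     "details": "Out-of-bounds read in parser."},
    {"id": "EX-2026-0002", "aliases": ["CVE-2026-00002"],
     "withdrawn": "2026-04-01T00:00:00Z"},              # withdrawn, no details
    {"id": "EX-2026-0003", "aliases": ["CVE-2026-00003"],
     "withdrawn": "2026-04-02T00:00:00Z",
     "details": "Withdrawn: not a vulnerability."},     # withdrawn, has details
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    saved, skipped = collect(SAMPLE_RECORDS)
    print(f"saved={[c.osv_id for c in saved]} skipped={skipped}")
```

Running it with the default flag skips both withdrawn sample records; with skip_all_withdrawn=False only the one lacking details is skipped, which is the narrower alternative the description proposes.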

@roduran-dev roduran-dev marked this pull request as draft April 23, 2026 08:25
@roduran-dev roduran-dev self-assigned this Apr 23, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@collectors/osv/collectors.py`:
- Around line 167-169: The except block that catches
OSVCollectorWithdrawnException (currently logging via logger.warning and
continuing) should instead trigger reconciliation to remove or retire related
OSV snippets and any OSIDB Flaw records that are only linked to that OSV source;
update the handler in collectors.py where OSVCollectorWithdrawnException is
caught to call your existing snippet management functions (e.g., retire_snippet
or delete_snippet) and a new helper (e.g., reconcile_flaw_links) that checks
Flaw.linked_sources and deletes or marks Flaw as retired only if no other
sources remain; ensure the operation is idempotent and logged (replace the
logger.warning call with calls that perform the retire/delete and log the
actions).

📥 Commits

Reviewing files that changed from the base of the PR and between 3034401 and 99480db.

📒 Files selected for processing (2)
  • collectors/osv/collectors.py
  • docs/CHANGELOG.md

Comment on lines +167 to +169
except OSVCollectorWithdrawnException as exc:
logger.warning(str(exc))
continue
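Review bot: Logging `str(exc)` throws away the structured metadata this exception was introduced to carry (`osv_id`, `cve_ids` and `withdrawn`, per the walkthrough), so a skipped record can only be found by grepping free text. Log the fields separately, e.g. `logger.warning("skipping withdrawn OSV record %s (CVEs %s, withdrawn %s)", exc.osv_id, exc.cve_ids, exc.withdrawn)`, and say in the message that the record was skipped, so that withdrawn records can be counted and alerted on.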

⚠️ Potential issue | 🟠 Major

Remove or retire OSV snippets when records become withdrawn upstream.

When an OSV record transitions from active to withdrawn, the current code skips processing the withdrawn record but does not reconcile previously ingested snippets and their linked flaws. This leaves stale vulnerability data in OSIDB that contradicts the upstream withdrawal status. Either delete/retire matching OSV snippets (and their flaws if not linked to other sources) on detection of withdrawal, or document the intentional decision to retain historical data.

Also applies to: 291-293

