23 changes: 23 additions & 0 deletions collectors/osv/collectors.py
Expand Up @@ -30,6 +30,22 @@ class OSVCollectorException(Exception):
"""exception for OSV Collector"""


class OSVCollectorWithdrawnException(Exception):
"""exception for OSV Collector withdrawn vulnerability"""

osv_id = None
cve_ids = None
withdrawn = None

def __init__(self, osv_id, cve_ids, withdrawn):
self.osv_id = osv_id
self.cve_ids = cve_ids
self.withdrawn = withdrawn

def __str__(self):
return f"OSV vulnerability {self.osv_id} CVE_IDs: {self.cve_ids} withdrawn on {self.withdrawn}."


class OSVCollector(Collector):
# Snippet creation is disabled for now
snippet_creation_enabled = None
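Review bot: `OSVCollectorWithdrawnException.__init__` never calls `super().__init__()`, so `exc.args` is empty and the message exists only through the `__str__` override; either pass the formatted message up (`super().__init__(f"OSV vulnerability {osv_id} CVE_IDs: {cve_ids} withdrawn on {withdrawn}.")`) or keep `__str__` and still call `super().__init__(osv_id, cve_ids, withdrawn)` so tracebacks and pickling carry the data. The class-level `osv_id = None` / `cve_ids = None` / `withdrawn = None` are redundant with the instance attributes set in `__init__` and can be dropped. Consider deriving from `OSVCollectorException` (defined directly above) rather than `Exception`, so code that catches the collector's exception type also sees the withdrawn case.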
Expand Down Expand Up @@ -148,6 +164,9 @@ def collect(self, osv_id: Union[str, None] = None) -> str:
for osv_vuln in self.fetch_osv_vulns_for_ecosystem(ecosystem):
try:
osv_id, cve_ids, content = self.extract_content(osv_vuln)
except OSVCollectorWithdrawnException as exc:
logger.warning(str(exc))
continue
⚠️ Potential issue | 🟠 Major

Remove or retire OSV snippets when records become withdrawn upstream.

When an OSV record transitions from active to withdrawn, the current code skips processing the withdrawn record but does not reconcile previously ingested snippets and their linked flaws. This leaves stale vulnerability data in OSIDB that contradicts the upstream withdrawal status. Either delete/retire matching OSV snippets (and their flaws if not linked to other sources) on detection of withdrawal, or document the intentional decision to retain historical data.

Also applies to: 291-293

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@collectors/osv/collectors.py` around lines 167 - 169, The except block that
catches OSVCollectorWithdrawnException (currently logging via logger.warning and
continuing) should instead trigger reconciliation to remove or retire related
OSV snippets and any OSIDB Flaw records that are only linked to that OSV source;
update the handler in collectors.py where OSVCollectorWithdrawnException is
caught to call your existing snippet management functions (e.g., retire_snippet
or delete_snippet) and a new helper (e.g., reconcile_flaw_links) that checks
Flaw.linked_sources and deletes or marks Flaw as retired only if no other
sources remain; ensure the operation is idempotent and logged (replace the
logger.warning call with calls that perform the retire/delete and log the
actions).

Contributor Author

This makes it ignore withdrawn ONLY if they are from echohq and if the details field is in an invalid state. Furthermore withdrawn was not being used until now.

except Exception as exc:
logger.error(
f"Failed to parse data from {osv_vuln['id']} vulnerability: {exc}"
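Review bot: the new `except OSVCollectorWithdrawnException` branch logs and `continue`s, which is the right shape for a skip, but withdrawn records are a routine part of an OSV feed, so a `logger.warning` per record will be noisy across ecosystems; `logger.info` plus a skipped-record counter reported once at the end of `collect()` would give the same visibility without the noise. The exception already carries `osv_id` and `cve_ids`, so this branch is also the natural place to note whether a snippet for that `osv_id` was ingested on an earlier run, since continuing silently leaves that earlier data in place. The branch must stay ahead of the generic `except Exception` handler below it, otherwise a withdrawn record would be reported as a parse failure at error level.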
Expand Down Expand Up @@ -269,6 +288,10 @@ def get_cve_ids_from_osv_vuln(osv_vuln: dict) -> list[str]:
cve_ids = get_cve_ids_from_osv_vuln(osv_vuln)
osv_id = osv_vuln["id"]

# ignore withdrawn vulnerabilities
if withdrawn := osv_vuln.get("withdrawn", ""):
raise OSVCollectorWithdrawnException(osv_id, cve_ids, withdrawn)

def get_refs(data: dict) -> list:
# https://ossf.github.io/osv-schema/#references-field
refs = [
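Review bot: `if withdrawn := osv_vuln.get("withdrawn", ""):` raises for every record with a non-empty `withdrawn` value, regardless of where the record comes from or what its `details` field contains, so it does not implement the narrower rule given in the author's reply (skip only records from echohq whose details field is invalid); either the condition or the description should change, and a test covering one withdrawn and one non-withdrawn record would pin the intended behaviour down. In the OSV schema `withdrawn` is an RFC3339 timestamp, so the truthiness check is sound, but the `""` default is unnecessary because `dict.get` already returns `None`. The raise is placed after `get_cve_ids_from_osv_vuln`, which is what lets the exception report the CVE ids; a short comment saying the ordering is deliberate would stop someone from hoisting the check above it.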
3 changes: 3 additions & 0 deletions docs/CHANGELOG.md
Expand Up @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Affect(s) can be automatically created and assigned to Flaw(s) for
specific products (OSIDB-4878)

### Changed
- osv_collector now ignore withdrawn items.

## [5.9.0] - 2026-04-09
### Fixed
- Fix invalid `in` field in kerberos OpenAPI security scheme (OSIDB-1590)
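Review bot: the entry `- osv_collector now ignore withdrawn items.` has a verb agreement error and should read `ignores`; it would also help readers to say what ignoring means here (withdrawn OSV records are skipped with a log message, previously ingested data is not changed) and to carry the tracking id in the `(OSIDB-NNNN)` form the neighbouring entries use, if one exists.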