[osv] Improve vers precision for smaller version list (#230)

* For osv data with a smaller version list, track them separately to improve precision

Signed-off-by: Prabhu Subramanian <[email protected]>

* CI test issues on mac

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

.github/workflows/pythonapp.yml

@@ -9,19 +9,19 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest, macos-14]
+        os: [ubuntu-latest, windows-latest, macos-15]
         python-version: ['3.10', '3.11', '3.12', '3.13']
       fail-fast: false
     steps:
     - uses: actions/checkout@v4
-    - name: Install uv
-      uses: astral-sh/setup-uv@v5
-      with:
-        python-version: ${{ matrix.python-version }}
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
+    - name: Install uv
+      uses: astral-sh/setup-uv@v5
+      with:
+        python-version: ${{ matrix.python-version }}
     - name: Display Python version
       run: python -c "import sys; print(sys.version)"
     - name: Use Node.js
@@ -35,7 +35,6 @@ jobs:
         java-version: '24'
     - name: Install dependencies
       run: |
-        python -m pip install --upgrade pip
         uv sync --all-extras --dev
     - name: Lint with flake8
       run: |
@@ -46,6 +45,7 @@ jobs:
       env:
         PYTHONPATH: .
         TEST_VDB_HOME: vdb_data
+        VDB_TEMP_DIR: ${{ runner.temp }}/vdb-temp
     - name: Generate SBOM with cdxgen
       run: |
         npm install -g @cyclonedx/cdxgen
@@ -54,11 +54,16 @@ jobs:
         uv run vdb --cache --only-osv
         uv run vdb --bom bom.json
       if: ${{ matrix.python-version == '3.13' && matrix.os == 'ubuntu-latest' }}
+      env:
+        VDB_TEMP_DIR: ${{ runner.temp }}/vdb-temp
     - name: CLI tests
       run: |
         uv run vdb --search "pkg:maven/org.springframework/[email protected]"
         uv run vdb --search "pkg:maven/org.hibernate.orm/[email protected]"
         uv run vdb --search "pkg:nuget/[email protected]"
         uv run vdb --search "pkg:nuget/[email protected]"
         uv run vdb --search "pkg:nuget/[email protected]"
+        uv run vdb --search "pkg:npm/[email protected]"
+        uv run vdb --search "pkg:npm/[email protected]"
+        uv run vdb --search "pkg:npm/[email protected]"
       if: ${{ matrix.python-version == '3.13' && matrix.os == 'ubuntu-latest' }}

.github/workflows/pythonpublish.yml

@@ -20,12 +20,12 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v4
-      - name: Install uv
-        uses: astral-sh/setup-uv@v5
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
@@ -67,12 +67,12 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v4
-      - name: Install uv
-        uses: astral-sh/setup-uv@v5
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
       - name: Install dependencies
         run: |
           cd packages/mcp-server-vdb

packages/mcp-server-vdb/src/mcp_server_vdb/server.py

@@ -385,7 +385,7 @@ async def handle_call_tool(
             write_stream,
             InitializationOptions(
                 server_name="appthreat-vulnerability-db",
-                server_version="6.4.3",
+                server_version="6.4.4",
                 capabilities=server.get_capabilities(
                     notification_options=NotificationOptions(),
                     experimental_capabilities={},

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.4.3"
+version = "6.4.4"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "[email protected]"},

test/data/MAL-2025-6022.json

@@ -0,0 +1,40 @@
+{
+  "modified": "2025-07-21T06:24:05Z",
+  "published": "2025-07-21T06:24:05Z",
+  "schema_version": "1.5.0",
+  "id": "MAL-2025-6022",
+  "summary": "Malicious code in eslint-config-prettier (npm)",
+  "details": "This package installs a windows based malware file node-gyp.dll via install.js",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "eslint-config-prettier"
+      },
+      "versions": [
+        "8.10.1",
+        "9.1.1",
+        "10.1.6",
+        "10.1.7"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/"
+    }
+  ],
+  "credits": [
+    {
+      "name": "GitHax - Software Supply Chain Threat Intelligence",
+      "type": "FINDER",
+      "contact": [
+        "https://githax.com"
+      ]
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": null
+  }
+}

test/test_source.py

@@ -289,6 +289,15 @@ def test_osv_mal2_json():
         return json.loads(fp.read())
 
 
+@pytest.fixture
+def test_osv_mal3_json():
+    test_cve_data = os.path.join(
+        os.path.dirname(os.path.realpath(__file__)), "data", "MAL-2025-6022.json"
+    )
+    with open(test_cve_data, mode="r", encoding="utf-8") as fp:
+        return json.loads(fp.read())
+
+
 @pytest.fixture
 def test_osv_mvn_single_json():
     test_cve_data = os.path.join(
@@ -1112,10 +1121,12 @@ def test_osv_convert4(test_osv_maven_cvss4_json):
     assert len(cve_data) == 6
 
 
-def test_osv_mal_convert(test_osv_mal_json, test_osv_mal2_json):
+def test_osv_mal_convert(test_osv_mal_json, test_osv_mal2_json, test_osv_mal3_json):
     osvlatest = OSVSource()
+    cve_data = osvlatest.convert(test_osv_mal3_json)
+    assert len(cve_data) == 4
     cve_data = osvlatest.convert(test_osv_mal2_json)
-    assert len(cve_data) == 1
+    assert len(cve_data) == 2
     cve_data = osvlatest.convert(test_osv_mal_json)
     assert len(cve_data) == 1