
@DmitriyLewen (Contributor)

Description

This PR implements case-insensitive storage for NuGet packages in the vulnerability database while maintaining backward compatibility. The changes include:

  • NuGet Package Normalization: Modified NormalizePkgName in pkg/vulnsrc/vulnerability/vulnerability.go:261 to convert NuGet package names to lowercase, making them case-insensitive as per NuGet specification
  • Duplicate Advisory Storage: Enhanced TransformAdvisories in pkg/vulnsrc/ghsa/ghsa.go:143 to store both lowercase and original-case versions of NuGet advisories for backward compatibility
  • Comprehensive Test Coverage: Added test case in pkg/vulnsrc/ghsa/ghsa_test.go:446 with example NuGet advisory data to verify the dual storage functionality

The implementation stores duplicate entries during a transition period - one with the normalized (lowercase) package name and another with the original case to ensure existing downstream consumers continue to work.

Reasons for Change

  1. NuGet Case-Insensitivity Compliance: NuGet package names are case-insensitive by design, but the current implementation was storing them with their original case, leading to potential inconsistencies and missed vulnerability matches
  2. Backward Compatibility Requirements: Existing downstream tools and integrations may rely on the original case format, so we need to maintain both versions during a migration period
  3. Standardization: This change aligns the vulnerability database with NuGet's official case-insensitive behavior, improving accuracy and consistency of vulnerability detection
  4. Future Migration Path: The TODO comment indicates this is a transitional approach, with plans to eventually remove the original-case entries once downstream consumers migrate to the lowercase format

DB changes

buckets:

  • before:
    (screenshot: buckets before the change)
  • after:
    (screenshot: buckets after the change)

sizes:

  • before:
     ➜  du -sh ./assets-original/trivy.db 
     715M    ./assets-original/trivy.db
  • after:
     ➜  du -sh ./assets/trivy.db
     716M    ./assets/trivy.db
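As an added illustration of the dual-key scheme the description outlines, the following Go program is not trivy-db's code: it models an advisory bucket as an in-memory map, lowercases NuGet names on write and on read, and keeps the original-case copy only while the two names differ. The names normalizePkgName, store, lookup, the ecosystem constants and the sample advisory are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Ecosystem identifiers for this illustrative example; trivy-db's own constants
// (vulnerability.NuGet, vulnerability.Go, ...) are not reproduced here.
const (
	EcoNuGet = "nuget"
	EcoGo    = "go"
)

// Advisory is a minimal stand-in for an advisory record.
type Advisory struct {
	Ecosystem       string
	PkgName         string
	VulnerabilityID string
	PatchedVersion  string
}

// normalizePkgName (hypothetical name) lowercases NuGet package IDs, which are
// case-insensitive by specification; other ecosystems keep the name verbatim.
func normalizePkgName(ecosystem, name string) string {
	if ecosystem == EcoNuGet {
		return strings.ToLower(name)
	}
	return name
}

// bucketKey is how this example keys the in-memory bucket: ecosystem + package name.
func bucketKey(ecosystem, pkgName string) string {
	return ecosystem + "::" + pkgName
}

// DB is an in-memory stand-in for the advisory bucket.
type DB map[string][]Advisory

// store writes the advisory under the normalized key and, for NuGet names whose
// original case differs, also under the original-case key so legacy consumers
// that read the old key keep working. It returns the keys written.
func (db DB) store(adv Advisory) []string {
	normalized := normalizePkgName(adv.Ecosystem, adv.PkgName)
	names := []string{normalized}
	// TODO (transitional, as in the PR): drop the original-case duplicate once
	// downstream consumers have migrated to the lowercase key.
	if adv.Ecosystem == EcoNuGet && normalized != adv.PkgName {
		names = append(names, adv.PkgName)
	}
	keys := make([]string, 0, len(names))
	for _, name := range names {
		entry := adv
		entry.PkgName = name // each copy carries the name it is keyed under
		key := bucketKey(adv.Ecosystem, name)
		db[key] = append(db[key], entry)
		keys = append(keys, key)
	}
	return keys
}

// lookup normalizes the queried name the same way before reading, so a scanner
// that sees "CONTOSO.widgets" in a lock file matches an advisory filed as
// "Contoso.Widgets".
func (db DB) lookup(ecosystem, pkgName string) []Advisory {
	return db[bucketKey(ecosystem, normalizePkgName(ecosystem, pkgName))]
}

func main() {
	db := DB{}
	// Constructed sample advisory; package and vulnerability IDs are placeholders.
	keys := db.store(Advisory{Ecosystem: EcoNuGet, PkgName: "Contoso.Widgets",
		VulnerabilityID: "EXAMPLE-0001", PatchedVersion: "2.0.0"})
	fmt.Println("stored under:", keys)
	fmt.Println("scanner query (any case):", len(db.lookup(EcoNuGet, "CONTOSO.widgets")))
	fmt.Println("legacy consumer (original key):", len(db[bucketKey(EcoNuGet, "Contoso.Widgets")]))
}
```

One practical caveat of the transition scheme: a consumer that iterates the whole bucket rather than reading one key will see the same advisory twice, so such consumers should deduplicate on vulnerability ID after normalizing the package name, which is also why the original-case entry is meant to be removed once readers have migrated.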

- save duplicate nuget advisories with package name in lower case
- update tests
- NormalizePkgName saves nuget packages in lower case
- update TransformAdvisories logic (detect origin pkg name and save this duplicate)
@DmitriyLewen DmitriyLewen changed the title Feat/nuget/add duplicate advs in lower case feat(ghsa): use nuget advisories in lower case Sep 9, 2025
@DmitriyLewen DmitriyLewen marked this pull request as ready for review September 9, 2025 13:57
// NuGet is case-insensitive, so we store advisories in lowercase.
// However, for backward compatibility, we also keep advisories with the original package name.
// TODO: drop storing the original-case entry and keep only the lowercase key once downstream users have migrated.
if adv.Ecosystem == vulnerability.NuGet {
Collaborator (reviewer):

nit: We may want to use switch here.

switch adv.Ecosystem { 
  case vulnerability.Swift:
  case vulnerability.Go:
  case vulnerability.NuGet:

}

@DmitriyLewen (Contributor, Author):

Makes sense. Updated in 5bc3cdf

@DmitriyLewen DmitriyLewen added this pull request to the merge queue Sep 12, 2025
Merged via the queue into aquasecurity:main with commit 990a652 Sep 12, 2025
2 checks passed
@DmitriyLewen DmitriyLewen deleted the feat/nuget/add-duplicate-advs-in-lower-case branch September 12, 2025 08:53