Skip to content

fix: zlib #5441#5460

Merged
ffontaine merged 11 commits intoossf:mainfrom
EternalDreamer01:fix/zlib
Jan 5, 2026
Merged

fix: zlib #5441#5460
ffontaine merged 11 commits intoossf:mainfrom
EternalDreamer01:fix/zlib

Conversation

@EternalDreamer01
Copy link
Contributor

@EternalDreamer01 EternalDreamer01 commented Dec 15, 2025
edited
Loading

Zlib versions with a build number (4th element in version, like 1.3.0.1) was not managed.

Initially related to #5441

@ffontaine
Copy link
Collaborator

ffontaine commented Dec 16, 2025

Hi @warthog9, I think you're the maintainer of the mirror.
Do you know why the following 404 error is returned:

ClientResponseError: 404, message='Not Found', 
url='https://v4.mirror.cveb.in/nvd/json/cve/2.0/nvdcve-2.0-2013.json.gz'
Error: Process completed with exit code 1.

@warthog9
Copy link
Contributor

warthog9 commented Dec 16, 2025

re-ran the mirror and it popped in, if I had to guess some errant bit that caused an error somewhere. Not seeing anything in the logs so it might have been AWOL for a while. Double check it now.

@ffontaine
Copy link
Collaborator

ffontaine commented Dec 18, 2025

@EternalDreamer01, thanks for this PR, nice catch.

Can you add a Signed-off-by tag to all your commits (e.g. through commit -s)? This will fix "DCO" test.

Moreover, can you add zlib to other_products for varnish-7.7.3-ro.apk entry in test/test_data/varnish.py?
This will fix:

FAILED test/test_scanner.py::TestScanner::test_version_in_package[https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/-varnish-7.7.3-r0.apk-varnish_cache-7.7.3-other_products1303] - AssertionError: zlib found in varnish-7.7.3-r0.apk. If that's expected, make sure to add zlib to the expected list of other_products.
assert 'zlib' not in {'varnish_cache', 'zlib'}

EternalDreamer01 and others added 9 commits December 19, 2025 15:21
@EternalDreamer01
fix: zlib
5090c60 
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
@EternalDreamer01
chore: fix regex
b1ad5bc 
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
@ffontaine
fix: update allowed-endpoints (ossf#5461)
cd09bb9 
Add playwright.download.prss.microsoft.com and cdn.playwright.dev in
allowed-endpoints to fix the following failure when installing
playwright:

Downloading Chromium 143.0.7499.4 (playwright build v1200) from https://cdn.playwright.dev/dbazure/download/playwright/builds/chromium/1200/chromium-linux.zip
(node:3714) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
Error: connect ECONNREFUSED 54.185.253.63:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1637:16) {
  errno: -111,
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '54.185.253.63',
  port: 443
}

Also add v4.mirror.cveb.in:443 to fix the same kind of issue:

ClientConnectorError: Cannot connect to host v4.mirror.cveb.in:443 ssl:default
[Connect call failed ('54.185.253.63', 443)]

All those issues are probably raised because ubuntu-latest is used
instead of intel-ubuntu-latest since switch to ossf

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
@ffontaine
fix(nvd_source): fix configuration without nodes (ossf#5449)
821726c 
https://nvd.nist.gov/vuln/detail/cve-2025-40939 has the following
configurations: [{}]

This will result in a crash as current code wrongly assumes that all
configuration object has a nodes parameter

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
@ffontaine
fix: do not expect db to exist with --import-json (ossf#5438)
9cc275f 
Obviously, --import-json is mainly useful when db doesn't exist so drop
cvedb_orig.check_db_exists() from if statement

Moreover, do not exit after --import-json or --export-json to be
consistent with --import and --export

Finally, while at it, add --{im,ex}port-json to offline.md

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
chore: improved zlib regex
3dce149 
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
chore: improved zlib regex
031a414 
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
fix: zlib in varnish 7.7
bd2a30c 
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
chore: clean
b2f5c39 
Signed-off-by: Dimitri Simon <dimitri.simon@telecom-sudparis.eu>
@ffontaine
Copy link
Collaborator

ffontaine commented Jan 5, 2026

All tests passed, merging

@ffontaine ffontaine merged commit 2253dff into ossf:main Jan 5, 2026
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@EternalDreamer01 @ffontaine @warthog9