tests fixes and sprints work

2026-01-22 19:08:46 +02:00
parent c32fff8f86
commit 726d70dc7f
881 changed files with 134434 additions and 6228 deletions
--- a/datasets/golden-corpus/seed/debian/curl/DSA-5587-1/metadata/advisory.json
+++ b/datasets/golden-corpus/seed/debian/curl/DSA-5587-1/metadata/advisory.json
@@ -0,0 +1,38 @@
+{
+  "advisoryId": "DSA-5587-1",
+  "source": "debian-security-tracker",
+  "package": "curl",
+  "cves": ["CVE-2023-46218", "CVE-2023-46219"],
+  "severity": "medium",
+  "description": "Multiple vulnerabilities in curl including cookie injection and HSTS bypass.",
+  "vulnerableVersions": ["7.88.1-10+deb12u4"],
+  "fixedVersions": ["7.88.1-10+deb12u5"],
+  "references": {
+    "dsa": "https://www.debian.org/security/2023/dsa-5587",
+    "cveDetails": [
+      "https://security-tracker.debian.org/tracker/CVE-2023-46218",
+      "https://security-tracker.debian.org/tracker/CVE-2023-46219"
+    ],
+    "snapshotPre": "https://snapshot.debian.org/package/curl/7.88.1-10%2Bdeb12u4/",
+    "snapshotPost": "https://snapshot.debian.org/package/curl/7.88.1-10%2Bdeb12u5/"
+  },
+  "license": {
+    "spdx": "curl",
+    "permissive": true,
+    "redistributionAllowed": true
+  },
+  "artifacts": {
+    "pre": {
+      "binary": "curl_7.88.1-10+deb12u4_amd64.deb",
+      "debug": "curl-dbgsym_7.88.1-10+deb12u4_amd64.deb",
+      "source": "curl_7.88.1-10+deb12u4.dsc"
+    },
+    "post": {
+      "binary": "curl_7.88.1-10+deb12u5_amd64.deb",
+      "debug": "curl-dbgsym_7.88.1-10+deb12u5_amd64.deb",
+      "source": "curl_7.88.1-10+deb12u5.dsc"
+    }
+  },
+  "verificationStatus": "verified",
+  "addedAt": "2026-01-21T00:00:00Z"
+}
--- a/datasets/golden-corpus/seed/debian/expat/DSA-5085-1/metadata/advisory.json
+++ b/datasets/golden-corpus/seed/debian/expat/DSA-5085-1/metadata/advisory.json
@@ -0,0 +1,42 @@
+{
+  "advisoryId": "DSA-5085-1",
+  "source": "debian-security-tracker",
+  "package": "expat",
+  "cves": ["CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"],
+  "severity": "critical",
+  "description": "Multiple vulnerabilities in libexpat XML parser including integer overflow, stack exhaustion, and use-after-free.",
+  "vulnerableVersions": ["2.4.1-3"],
+  "fixedVersions": ["2.4.1-3+deb11u1"],
+  "references": {
+    "dsa": "https://www.debian.org/security/2022/dsa-5085",
+    "cveDetails": [
+      "https://security-tracker.debian.org/tracker/CVE-2022-25235",
+      "https://security-tracker.debian.org/tracker/CVE-2022-25236",
+      "https://security-tracker.debian.org/tracker/CVE-2022-25313",
+      "https://security-tracker.debian.org/tracker/CVE-2022-25314",
+      "https://security-tracker.debian.org/tracker/CVE-2022-25315"
+    ],
+    "snapshotPre": "https://snapshot.debian.org/package/expat/2.4.1-3/",
+    "snapshotPost": "https://snapshot.debian.org/package/expat/2.4.1-3%2Bdeb11u1/"
+  },
+  "license": {
+    "spdx": "MIT",
+    "permissive": true,
+    "redistributionAllowed": true
+  },
+  "artifacts": {
+    "pre": {
+      "binary": "libexpat1_2.4.1-3_amd64.deb",
+      "debug": "libexpat1-dbgsym_2.4.1-3_amd64.deb",
+      "source": "expat_2.4.1-3.dsc"
+    },
+    "post": {
+      "binary": "libexpat1_2.4.1-3+deb11u1_amd64.deb",
+      "debug": "libexpat1-dbgsym_2.4.1-3+deb11u1_amd64.deb",
+      "source": "expat_2.4.1-3+deb11u1.dsc"
+    }
+  },
+  "verificationStatus": "verified",
+  "addedAt": "2026-01-21T00:00:00Z",
+  "notes": "Good multi-function test case - 5 CVEs in single advisory"
+}
--- a/datasets/golden-corpus/seed/debian/zlib/DSA-5218-1/metadata/advisory.json
+++ b/datasets/golden-corpus/seed/debian/zlib/DSA-5218-1/metadata/advisory.json
@@ -0,0 +1,35 @@
+{
+  "advisoryId": "DSA-5218-1",
+  "source": "debian-security-tracker",
+  "package": "zlib1g",
+  "cves": ["CVE-2022-37434"],
+  "severity": "high",
+  "description": "Evgeny Legerov reported a heap-based buffer over-read in zlib that can occur during the inflate process.",
+  "vulnerableVersions": ["1:1.2.11.dfsg-2+deb11u1"],
+  "fixedVersions": ["1:1.2.11.dfsg-2+deb11u2"],
+  "references": {
+    "dsa": "https://www.debian.org/security/2022/dsa-5218",
+    "cveDetails": "https://security-tracker.debian.org/tracker/CVE-2022-37434",
+    "snapshotPre": "https://snapshot.debian.org/package/zlib/1%3A1.2.11.dfsg-2%2Bdeb11u1/",
+    "snapshotPost": "https://snapshot.debian.org/package/zlib/1%3A1.2.11.dfsg-2%2Bdeb11u2/"
+  },
+  "license": {
+    "spdx": "Zlib",
+    "permissive": true,
+    "redistributionAllowed": true
+  },
+  "artifacts": {
+    "pre": {
+      "binary": "zlib1g_1.2.11.dfsg-2+deb11u1_amd64.deb",
+      "debug": "zlib1g-dbgsym_1.2.11.dfsg-2+deb11u1_amd64.deb",
+      "source": "zlib_1.2.11.dfsg-2+deb11u1.dsc"
+    },
+    "post": {
+      "binary": "zlib1g_1.2.11.dfsg-2+deb11u2_amd64.deb",
+      "debug": "zlib1g-dbgsym_1.2.11.dfsg-2+deb11u2_amd64.deb",
+      "source": "zlib_1.2.11.dfsg-2+deb11u2.dsc"
+    }
+  },
+  "verificationStatus": "verified",
+  "addedAt": "2026-01-21T00:00:00Z"
+}
--- a/datasets/golden-corpus/seed/manifest.json
+++ b/datasets/golden-corpus/seed/manifest.json
@@ -0,0 +1,144 @@
+{
+  "manifestVersion": "1.0.0",
+  "corpusId": "golden-corpus-seed-v1",
+  "createdAt": "2026-01-21T00:00:00Z",
+  "description": "Golden corpus seed list for patch-paired artifact validation",
+  "selectionCriteria": {
+    "primaryAdvisory": true,
+    "patchPairedAvailable": true,
+    "permissiveLicense": true,
+    "reproducibleBuild": "preferred"
+  },
+  "targets": [
+    {
+      "id": "debian-zlib-DSA-5218-1",
+      "package": "zlib1g",
+      "distro": "debian",
+      "advisory": "DSA-5218-1",
+      "cves": ["CVE-2022-37434"],
+      "vulnerableVersion": "1:1.2.11.dfsg-2+deb11u1",
+      "fixedVersion": "1:1.2.11.dfsg-2+deb11u2",
+      "license": "zlib",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-curl-DSA-5587-1",
+      "package": "curl",
+      "distro": "debian",
+      "advisory": "DSA-5587-1",
+      "cves": ["CVE-2023-46218", "CVE-2023-46219"],
+      "vulnerableVersion": "7.88.1-10+deb12u4",
+      "fixedVersion": "7.88.1-10+deb12u5",
+      "license": "curl",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-libxml2-DSA-5391-1",
+      "package": "libxml2",
+      "distro": "debian",
+      "advisory": "DSA-5391-1",
+      "cves": ["CVE-2023-28484", "CVE-2023-29469"],
+      "vulnerableVersion": "2.9.14+dfsg-1.2",
+      "fixedVersion": "2.9.14+dfsg-1.3~deb12u1",
+      "license": "MIT",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-openssl-DSA-5532-1",
+      "package": "openssl",
+      "distro": "debian",
+      "advisory": "DSA-5532-1",
+      "cves": ["CVE-2023-5363"],
+      "vulnerableVersion": "3.0.11-1~deb12u1",
+      "fixedVersion": "3.0.11-1~deb12u2",
+      "license": "Apache-2.0",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-sqlite3-DSA-5466-1",
+      "package": "sqlite3",
+      "distro": "debian",
+      "advisory": "DSA-5466-1",
+      "cves": ["CVE-2023-7104"],
+      "vulnerableVersion": "3.40.1-1",
+      "fixedVersion": "3.40.1-2",
+      "license": "Public Domain",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-expat-DSA-5085-1",
+      "package": "expat",
+      "distro": "debian",
+      "advisory": "DSA-5085-1",
+      "cves": ["CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"],
+      "vulnerableVersion": "2.4.1-3",
+      "fixedVersion": "2.4.1-3+deb11u1",
+      "license": "MIT",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-tiff-DSA-5361-1",
+      "package": "tiff",
+      "distro": "debian",
+      "advisory": "DSA-5361-1",
+      "cves": ["CVE-2022-48281"],
+      "vulnerableVersion": "4.5.0-5",
+      "fixedVersion": "4.5.0-6",
+      "license": "libtiff",
+      "licenseVerified": true,
+      "status": "verified"
+    },
+    {
+      "id": "debian-libpng1.6-DSA-5607-1",
+      "package": "libpng1.6",
+      "distro": "debian",
+      "advisory": "DSA-5607-1",
+      "cves": ["CVE-2024-25062"],
+      "vulnerableVersion": "1.6.39-2",
+      "fixedVersion": "1.6.39-2+deb12u1",
+      "license": "libpng",
+      "licenseVerified": true,
+      "status": "pending-verification"
+    },
+    {
+      "id": "alpine-busybox-CVE-2022-28391",
+      "package": "busybox",
+      "distro": "alpine",
+      "advisory": "secdb main/busybox",
+      "cves": ["CVE-2022-28391"],
+      "vulnerableVersion": "1.35.0-r13",
+      "fixedVersion": "1.35.0-r14",
+      "license": "GPL-2.0",
+      "licenseVerified": false,
+      "status": "license-review-required",
+      "notes": "GPL license requires separate handling for redistribution"
+    },
+    {
+      "id": "alpine-apk-tools-CVE-2021-36159",
+      "package": "apk-tools",
+      "distro": "alpine",
+      "advisory": "secdb main/apk-tools",
+      "cves": ["CVE-2021-36159"],
+      "vulnerableVersion": "2.12.6-r0",
+      "fixedVersion": "2.12.7-r0",
+      "license": "GPL-2.0",
+      "licenseVerified": false,
+      "status": "license-review-required",
+      "notes": "GPL license requires separate handling for redistribution"
+    }
+  ],
+  "statistics": {
+    "totalTargets": 10,
+    "debianTargets": 8,
+    "alpineTargets": 2,
+    "verifiedLicenses": 7,
+    "pendingLicenseReview": 2,
+    "totalCves": 15
+  }
+}