Skip to content

Filter out OSVDB and normalize URL references in Metasploit pipeline … #1993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Filter out OSVDB and normalize URL references in Metasploit pipeline … #1993

wants to merge 1 commit into from

Conversation

@sarafarajnasardi
Copy link

@sarafarajnasardi sarafarajnasardi commented Sep 1, 2025
edited by pombredanne
Loading

What does this PR do?

  • Skips OSVDB-prefixed references when processing Metasploit data
  • Strips "URL-" prefix from references and extracts commit links if present
  • Ensures commit links are stored in notes in a sorted order

Why is this needed?

Some references in Metasploit data include OSVDB identifiers and URL-prefixed strings,
which are inconsistent and can cause invalid aliases. This change normalizes references
and ensures proper commit link handling.

How was this tested?

  • Created a test file locally to simulate Metasploit data
  • Ran the pipeline using the modified code
  • Verified that:
    • OSVDB references are skipped
    • URL-prefixed references are normalized
    • Commit links appear correctly in notes under commit_links

Related issue

@sarafarajnasardi
Filter out OSVDB and normalize URL references in Metasploit pipeline a…
0145ef4 
…boutcode-org#1697

* Skip OSVDB-prefixed references when processing Metasploit data
* Strip "URL-" prefix from references and add commit links if present
* Ensure commit links are stored in notes in a sorted order
* Improves data consistency and avoids invalid aliases

Signed-off-by: Sarafaraj Nasardi <[email protected]>
pombredanne
pombredanne reviewed Oct 8, 2025
View reviewed changes
vulnerabilities/pipelines/enhance_with_metasploit.py
ref for ref in references if not ref.startswith("OSVDB") and not ref.startswith("URL-")
]
# Regex to allow short commit hashes (6–40 chars)
commit_pattern = re.compile(r"https://github\.com/.+/commit/[a-f0-9]{6,40}")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make this function instead and this should not be github-specific.

pombredanne
pombredanne requested changes Oct 8, 2025
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, we need tests. Also please avoid AI-generated PR comments, they are annoying and bland.

vulnerabilities/pipelines/enhance_with_metasploit.py
},
)

return 1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we return 1 here? This is highly unsual

vulnerabilities/pipelines/enhance_with_metasploit.py
source_url = f"https://github.com/rapid7/metasploit-framework/tree/master{path}"
source_date_published = None

# Add unique commit links to notes
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this comment? The code below looks obvious

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pombredanne pombredanne pombredanne requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Incomplete reference collection in Metasploit ( missing affected/fixed commits )

2 participants

@sarafarajnasardi @pombredanne