From 1a817ce4844f7aa9e7eeb7a417d6cff84f4a6baa Mon Sep 17 00:00:00 2001
From: michaelkedar
Date: Thu, 14 May 2026 05:50:55 +0000
Subject: [PATCH] fix(go worker): populate AffectedVersions for GIT versions
---
 .../database/datastore/affected_versions.go | 25 +++---
 .../datastore/affected_versions_test.go | 81 +++++++++++++++++++
 2 files changed, 93 insertions(+), 13 deletions(-)
diff --git a/go/internal/database/datastore/affected_versions.go b/go/internal/database/datastore/affected_versions.go
index 9c90eb75ae2..2191b0f62f5 100644
--- a/go/internal/database/datastore/affected_versions.go
+++ b/go/internal/database/datastore/affected_versions.go
@@ -36,22 +36,21 @@ func computeAffectedVersions(vuln *osvschema.Vulnerability) []AffectedVersions {
 var res []AffectedVersions
 for _, affected := range vuln.GetAffected() {
+ var allPkgEcosystems []string
 pkgEcosystem := affected.GetPackage().GetEcosystem()
- if pkgEcosystem == "" {
- continue
- }
+ if pkgEcosystem != "" {
+ allPkgEcosystems = []string{pkgEcosystem}
+ normalized, _, _ := strings.Cut(pkgEcosystem, ":")
+ if normalized != pkgEcosystem {
+ allPkgEcosystems = append(allPkgEcosystems, normalized)
+ }
+ if v := removeVariants(pkgEcosystem); v != "" {
+ allPkgEcosystems = append(allPkgEcosystems, v)
+ }
- allPkgEcosystems := []string{pkgEcosystem}
- normalized, _, _ := strings.Cut(pkgEcosystem, ":")
- if normalized != pkgEcosystem {
- allPkgEcosystems = append(allPkgEcosystems, normalized)
+ slices.Sort(allPkgEcosystems)
+ allPkgEcosystems = slices.Compact(allPkgEcosystems)
 }
- if v := removeVariants(pkgEcosystem); v != "" {
- allPkgEcosystems = append(allPkgEcosystems, v)
- }
-
- slices.Sort(allPkgEcosystems)
- allPkgEcosystems = slices.Compact(allPkgEcosystems)
 pkgName := affected.GetPackage().GetName()
 eHelper, exists := ecosystem.DefaultProvider.Get(pkgEcosystem)
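Review bot: With the early `continue` gone, an affected entry without a package now reaches the rest of the loop with `pkgEcosystem == ""`, a nil `allPkgEcosystems` and an empty `pkgName`, and the empty string is passed to `ecosystem.DefaultProvider.Get(pkgEcosystem)` on the last context line. The remainder of computeAffectedVersions lies outside this hunk, so it cannot be confirmed from here that every later path is guarded on `exists` or on a non-empty ecosystem. If one is not, a package-less entry carrying only non-GIT ranges or bare versions could emit a record with an empty ecosystem or name, which would distort vulnerability matching downstream. A comment above the new branch would record the intent, for example `// Package may be absent (GIT-only entries); ecosystem variants are built only when it is set.`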
diff --git a/go/internal/database/datastore/affected_versions_test.go b/go/internal/database/datastore/affected_versions_test.go
index 01eb6e8230d..abc478e8bc8 100644
--- a/go/internal/database/datastore/affected_versions_test.go
+++ b/go/internal/database/datastore/affected_versions_test.go
@@ -191,3 +191,84 @@ func TestNormalizeRepo(t *testing.T) {
 })
 }
 }
+
+func TestComputeAffectedVersions_GitWithoutPackage(t *testing.T) {
+ vuln := &osvschema.Vulnerability{
+ Id: "CVE-2024-7264",
+ Affected: []*osvschema.Affected{
+ {
+ // Package intentionally omitted
+ Versions: []string{"curl-8_5_0", "curl-8_6_0"},
+ Ranges: []*osvschema.Range{
+ {
+ Type: osvschema.Range_GIT,
+ Repo: "https://github.com/curl/curl",
+ Events: []*osvschema.Event{
+ {Introduced: "0"},
+ {Fixed: "27959ecce75cdb2809c0bdb3286e60e08fadb519"},
+ },
+ },
+ },
+ },
+ },
+ }
+
+ got := computeAffectedVersions(vuln)
+
+ want := []AffectedVersions{
+ {
+ VulnID: "CVE-2024-7264",
+ Ecosystem: "GIT",
+ Name: "github.com/curl/curl",
+ Versions: []string{"curl-8_5_0", "curl-8_6_0"},
+ },
+ }
+
+ if diff := gocmp.Diff(want, got, cmpopts.EquateEmpty()); diff != "" {
+ t.Errorf("computeAffectedVersions mismatch (-want +got):\n%s", diff)
+ }
+}
+
+func TestComputeAffectedVersions_GitAndSemverWithoutPackage(t *testing.T) {
+ vuln := &osvschema.Vulnerability{
+ Id: "CVE-2024-7264-SEMVER",
+ Affected: []*osvschema.Affected{
+ {
+ // Package intentionally omitted
+ Versions: []string{"curl-8_5_0"},
+ Ranges: []*osvschema.Range{
+ {
+ Type: osvschema.Range_GIT,
+ Repo: "https://github.com/curl/curl",
+ Events: []*osvschema.Event{
+ {Introduced: "0"},
+ {Fixed: "27959ecce75cdb2809c0bdb3286e60e08fadb519"},
+ },
+ },
+ {
+ Type: osvschema.Range_SEMVER,
+ Events: []*osvschema.Event{
+ {Introduced: "0"},
+ {Fixed: "8.6.0"},
+ },
+ },
+ },
+ },
+ },
+ }
+
+ got := computeAffectedVersions(vuln)
+
+ want := []AffectedVersions{
+ {
+ VulnID: "CVE-2024-7264-SEMVER",
+ Ecosystem: "GIT",
+ Name: "github.com/curl/curl",
+ Versions: []string{"curl-8_5_0"},
+ },
+ }
+
+ if diff := gocmp.Diff(want, got, cmpopts.EquateEmpty()); diff != "" {
+ t.Errorf("computeAffectedVersions mismatch (-want +got):\n%s", diff)
+ }
+}
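Review bot: Both new tests include a `Range_GIT` range with a `Repo`, so nothing pins the result for an entry that omits the package and has no GIT range at all, which is the input the old empty-ecosystem `continue` used to skip. A third case with only `Versions`, or only a `Range_SEMVER` range, and an empty `want` would catch a regression that writes records with an empty `Ecosystem` or `Name`; `cmpopts.EquateEmpty()` already lets a nil result compare equal to an empty slice. The two functions differ only in the vulnerability ID and the input ranges, so a single table-driven test would hold all three cases with one `gocmp.Diff` check.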