fix: safeguard against attempting to (re)use partially loaded databases

G-Rath · G-Rath · commit 53a40b358c8f · 2025-09-23T06:56:40.000+12:00
diff --git a/internal/clients/clientimpl/localmatcher/localmatcher.go b/internal/clients/clientimpl/localmatcher/localmatcher.go
@@ -49,6 +49,15 @@ func NewLocalMatcher(localDBPath string, userAgent string, downloadDB bool) (*Lo
 func (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, invs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {
 	results := make([][]*osvschema.Vulnerability, 0, len(invs))
 
+	// ensure all databases loaded so far have been fully loaded; this is just a
+	// basic safeguard since we don't actually currently attempt to reuse matchers
+	// across scans, and its possible we never will, so we don't need to be smart
+	for _, db := range matcher.dbs {
+		if db.Partial {
+			return nil, errors.New("local matcher cannot be (re)used with a partially loaded database")
+		}
+	}
+
 	for _, inv := range invs {
 		if ctx.Err() != nil {
 			return nil, ctx.Err()
@@ -86,6 +95,8 @@ func (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, invs []*e
 
 // LoadEcosystem tries to preload the ecosystem into the cache, and returns an error if the ecosystem
 // cannot be loaded.
+//
+// Preloaded databases include every advisory, so can be reused.
 func (matcher *LocalMatcher) LoadEcosystem(ctx context.Context, eco osvecosystem.Parsed) error {
 	_, err := matcher.loadDBFromCache(ctx, eco, nil)
 
diff --git a/internal/clients/clientimpl/localmatcher/zip.go b/internal/clients/clientimpl/localmatcher/zip.go
@@ -36,6 +36,10 @@ type ZipDB struct {
 	Vulnerabilities []osvschema.Vulnerability
 	// User agent to query with
 	UserAgent string
+
+	// whether this database only has some of the advisories
+	// loaded from the underlying zip file
+	Partial bool
 }
 
 var ErrOfflineDatabaseNotFound = errors.New("no offline version of the OSV database is available")
@@ -231,6 +235,9 @@ func NewZippedDB(ctx context.Context, dbBasePath, name, url, userAgent string, o
 		Offline:    offline,
 		StoredAt:   path.Join(dbBasePath, name, "all.zip"),
 		UserAgent:  userAgent,
+
+		// we only fully load the database if we're not provided a list of packages
+		Partial: len(invs) != 0,
 	}
 	names := make([]string, 0, len(invs))
 
diff --git a/internal/clients/clientimpl/localmatcher/zip_test.go b/internal/clients/clientimpl/localmatcher/zip_test.go
@@ -185,6 +185,9 @@ func TestNewZippedDB_Offline_WithCache(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -245,6 +248,9 @@ func TestNewZippedDB_Online_WithoutCache(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -277,6 +283,9 @@ func TestNewZippedDB_Online_WithoutCacheAndNoHashHeader(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -315,6 +324,9 @@ func TestNewZippedDB_Online_WithSameCache(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -353,6 +365,9 @@ func TestNewZippedDB_Online_WithDifferentCache(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -411,6 +426,9 @@ func TestNewZippedDB_Online_WithBadCache(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -437,6 +455,9 @@ func TestNewZippedDB_FileChecks(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	if db.Partial != false {
+		t.Errorf("db is incorrectly marked as partially loaded")
+	}
 	expectDBToHaveOSVs(t, db, osvs)
 }
 
@@ -497,6 +518,11 @@ func TestNewZippedDB_WithSpecificPackages(t *testing.T) {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
+	// we are loaded for specific packages
+	if db.Partial != true {
+		t.Errorf("db is incorrectly marked as fully loaded")
+	}
+
 	expectDBToHaveOSVs(t, db, []osvschema.Vulnerability{
 		{
 			ID: "GHSA-2",

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,9 @@ func TestNewZippedDB_Offline_WithCache(t *testing.T) {`
`185`	`185`	`t.Fatalf("unexpected error \"%v\"", err)`
`186`	`186`	`}`
`187`	`187`
	`188`	`+ if db.Partial != false {`
	`189`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`190`	`+ }`
`188`	`191`	`expectDBToHaveOSVs(t, db, osvs)`
`189`	`192`	`}`
`190`	`193`
`@@ -245,6 +248,9 @@ func TestNewZippedDB_Online_WithoutCache(t *testing.T) {`
`245`	`248`	`t.Fatalf("unexpected error \"%v\"", err)`
`246`	`249`	`}`
`247`	`250`
	`251`	`+ if db.Partial != false {`
	`252`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`253`	`+ }`
`248`	`254`	`expectDBToHaveOSVs(t, db, osvs)`
`249`	`255`	`}`
`250`	`256`
`@@ -277,6 +283,9 @@ func TestNewZippedDB_Online_WithoutCacheAndNoHashHeader(t *testing.T) {`
`277`	`283`	`t.Fatalf("unexpected error \"%v\"", err)`
`278`	`284`	`}`
`279`	`285`
	`286`	`+ if db.Partial != false {`
	`287`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`288`	`+ }`
`280`	`289`	`expectDBToHaveOSVs(t, db, osvs)`
`281`	`290`	`}`
`282`	`291`
`@@ -315,6 +324,9 @@ func TestNewZippedDB_Online_WithSameCache(t *testing.T) {`
`315`	`324`	`t.Fatalf("unexpected error \"%v\"", err)`
`316`	`325`	`}`
`317`	`326`
	`327`	`+ if db.Partial != false {`
	`328`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`329`	`+ }`
`318`	`330`	`expectDBToHaveOSVs(t, db, osvs)`
`319`	`331`	`}`
`320`	`332`
`@@ -353,6 +365,9 @@ func TestNewZippedDB_Online_WithDifferentCache(t *testing.T) {`
`353`	`365`	`t.Fatalf("unexpected error \"%v\"", err)`
`354`	`366`	`}`
`355`	`367`
	`368`	`+ if db.Partial != false {`
	`369`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`370`	`+ }`
`356`	`371`	`expectDBToHaveOSVs(t, db, osvs)`
`357`	`372`	`}`
`358`	`373`
`@@ -411,6 +426,9 @@ func TestNewZippedDB_Online_WithBadCache(t *testing.T) {`
`411`	`426`	`t.Fatalf("unexpected error \"%v\"", err)`
`412`	`427`	`}`
`413`	`428`
	`429`	`+ if db.Partial != false {`
	`430`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`431`	`+ }`
`414`	`432`	`expectDBToHaveOSVs(t, db, osvs)`
`415`	`433`	`}`
`416`	`434`
`@@ -437,6 +455,9 @@ func TestNewZippedDB_FileChecks(t *testing.T) {`
`437`	`455`	`t.Fatalf("unexpected error \"%v\"", err)`
`438`	`456`	`}`
`439`	`457`
	`458`	`+ if db.Partial != false {`
	`459`	`+ t.Errorf("db is incorrectly marked as partially loaded")`
	`460`	`+ }`
`440`	`461`	`expectDBToHaveOSVs(t, db, osvs)`
`441`	`462`	`}`
`442`	`463`
`@@ -497,6 +518,11 @@ func TestNewZippedDB_WithSpecificPackages(t *testing.T) {`
`497`	`518`	`t.Fatalf("unexpected error \"%v\"", err)`
`498`	`519`	`}`
`499`	`520`
	`521`	`+ // we are loaded for specific packages`
	`522`	`+ if db.Partial != true {`
	`523`	`+ t.Errorf("db is incorrectly marked as fully loaded")`
	`524`	`+ }`
	`525`	`+`
`500`	`526`	`expectDBToHaveOSVs(t, db, []osvschema.Vulnerability{`
`501`	`527`	`{`
`502`	`528`	`ID: "GHSA-2",`