├── tools
    ├── __init__.py
    ├── redhat
    │   ├── __init__.py
    │   ├── redhat_osv
    │   │   ├── __init__.py
    │   │   ├── convert_redhat_test.py
    │   │   ├── osv_test.py
    │   │   └── csaf_test.py
    │   ├── .gitignore
    │   ├── .style.yapf
    │   ├── .pylintrc
    │   ├── Pipfile
    │   ├── setup.py
    │   ├── convert_redhat.py
    │   ├── README.md
    │   └── testdata
    │   │   └── OSV
    │   │       └── RHSA-2024_4546.json
    ├── debian
    │   ├── .style.yapf
    │   ├── Pipfile
    │   ├── README.md
    │   └── first_package_finder.py
    ├── ghsa
    │   ├── .style.yapf
    │   ├── .pylintrc
    │   ├── Pipfile
    │   ├── README.md
    │   ├── testdata
    │   │   ├── greater_than_equals_no_patch.json
    │   │   ├── greater_than_equals_no_patch.osv.json
    │   │   ├── equals_no_patch.osv.json
    │   │   ├── multiple_ranges_in_package.osv.json
    │   │   ├── equals_no_patch.json
    │   │   ├── less_than_equals_no_patch.osv.json
    │   │   ├── multiple_ranges_in_package.json
    │   │   ├── less_than_equals_no_patch.json
    │   │   ├── withdrawn.osv.json
    │   │   ├── npm_greater_than.osv.json
    │   │   ├── npm_greater_than.json
    │   │   ├── less_than_equals_with_patch.json
    │   │   ├── less_than_equals_with_patch.osv.json
    │   │   ├── withdrawn.json
    │   │   ├── equals_with_patch.osv.json
    │   │   ├── equals_with_patch.json
    │   │   ├── maven_greater_than.osv.json
    │   │   ├── full_ranges.json
    │   │   ├── maven_greater_than.json
    │   │   ├── pypi_normalize.json
    │   │   ├── pypi_normalize.osv.json
    │   │   └── full_ranges.osv.json
    │   ├── convert_ghsa_test.py
    │   └── dump_ghsa.py
    └── osv-linter
    │   ├── internal
    │       ├── checks
    │       │   ├── schema_test.go
    │       │   ├── ranges_test.go
    │       │   ├── schema.go
    │       │   ├── packages_test.go
    │       │   ├── ranges.go
    │       │   ├── checks.go
    │       │   ├── record.go
    │       │   └── packages.go
    │       ├── faulttolerant
    │       │   └── http.go
    │       └── pkgchecker
    │       │   ├── packagist.go
    │       │   ├── package_check.go
    │       │   └── ecosystems.go
    │   ├── go.mod
    │   ├── testdata
    │       ├── GO-2020-0001.json
    │       ├── nopackage-GHSA-9v2f-6vcg-3hgv.json
    │       ├── GHSA-9v2f-6vcg-3hgv.json
    │       ├── MAL-2024-10238.json
    │       ├── GO-2024-2963.json
    │       ├── nointroduced-CVE-2023-41045.json
    │       ├── CVE-2023-41045.json
    │       ├── PYSEC-2023-74.json
    │       └── RHSA-2022_0216.json
    │   ├── cmd
    │       └── osv
    │       │   └── main.go
    │   ├── go.sum
    │   └── README.md
├── docs
    ├── _data
    │   ├── authors.yml
    │   ├── navigation.yml
    │   ├── licenses.yml
    │   ├── variables.yml
    │   └── locale.yml
    ├── schema.json
    ├── .bundle
    │   └── config
    ├── .gitignore
    ├── images
    │   └── git_graph.png
    ├── Gemfile
    └── _config.yml
├── .bundle
    └── config
├── schema.md
├── .gitignore
├── bindings
    ├── go
    │   ├── go.mod
    │   ├── go.sum
    │   └── osvconstants
    │   │   └── constants.go
    └── build.sh
├── .editorconfig
├── validation
    └── README.md
├── RELEASING.md
├── .github
    └── workflows
    │   ├── ospsSecurityAssesssment.yml
    │   └── checks.yml
├── security-insights.yml
├── scripts
    ├── validate-schema-table.py
    └── update-ecosystems-lists.py
├── CONTRIBUTING.md
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── GUIDING_PRINCIPLES.md
└── README.md


/tools/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/docs/_data/authors.yml:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/tools/redhat/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/tools/redhat/redhat_osv/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/docs/_data/navigation.yml:
--------------------------------------------------------------------------------
1 | header: []
2 | 


--------------------------------------------------------------------------------
/docs/schema.json:
--------------------------------------------------------------------------------
1 | ../validation/schema.json


--------------------------------------------------------------------------------
/.bundle/config:
--------------------------------------------------------------------------------
1 | ---
2 | BUNDLE_PATH: "vendor/bundle"
3 | 


--------------------------------------------------------------------------------
/docs/.bundle/config:
--------------------------------------------------------------------------------
1 | ---
2 | BUNDLE_PATH: "vendor/bundle"
3 | 


--------------------------------------------------------------------------------
/schema.md:
--------------------------------------------------------------------------------
1 | Moved to <https://ossf.github.io/osv-schema>.
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | go.work
2 | go.work.sum
3 | .vscode/settings.json
4 | 


--------------------------------------------------------------------------------
/tools/redhat/.gitignore:
--------------------------------------------------------------------------------
1 | redhat_osv.egg-info/
2 | __pycache__/
3 | 


--------------------------------------------------------------------------------
/docs/.gitignore:
--------------------------------------------------------------------------------
1 | _site
2 | .sass-cache
3 | .jekyll-cache
4 | .jekyll-metadata
5 | vendor
6 | 


--------------------------------------------------------------------------------
/docs/images/git_graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/osv-schema/HEAD/docs/images/git_graph.png


--------------------------------------------------------------------------------
/bindings/go/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/ossf/osv-schema/bindings/go
2 | 
3 | go 1.24.4
4 | 
5 | require google.golang.org/protobuf v1.36.10
6 | 


--------------------------------------------------------------------------------
/tools/debian/.style.yapf:
--------------------------------------------------------------------------------
1 | [style]
2 | based_on_style = yapf
3 | column_limit = 80
4 | indent_width = 2
5 | split_before_named_assigns = true
6 | 


--------------------------------------------------------------------------------
/tools/ghsa/.style.yapf:
--------------------------------------------------------------------------------
1 | [style]
2 | based_on_style = pep8
3 | column_limit = 80
4 | indent_width = 4
5 | split_before_named_assigns = true
6 | 


--------------------------------------------------------------------------------
/tools/redhat/.style.yapf:
--------------------------------------------------------------------------------
1 | [style]
2 | based_on_style = pep8
3 | column_limit = 80
4 | indent_width = 4
5 | split_before_named_assigns = true
6 | 


--------------------------------------------------------------------------------
/tools/ghsa/.pylintrc:
--------------------------------------------------------------------------------
1 | [MESSAGES CONTROL]
2 | disable=
3 |   broad-except,
4 |   fixme,
5 |   too-few-public-methods,
6 |   too-many-branches,
7 |   too-many-locals,
8 |   unspecified-encoding,
9 | 


--------------------------------------------------------------------------------
/tools/redhat/.pylintrc:
--------------------------------------------------------------------------------
1 | [MESSAGES CONTROL]
2 | disable=
3 |   broad-except,
4 |   fixme,
5 |   too-few-public-methods,
6 |   too-many-branches,
7 |   too-many-locals,
8 |   unspecified-encoding,
9 | 


--------------------------------------------------------------------------------
/docs/Gemfile:
--------------------------------------------------------------------------------
1 | source "https://rubygems.org"
2 | 
3 | gem "github-pages", "~> 228", group: :jekyll_plugins
4 | group :jekyll_plugins do
5 |   gem "jekyll-feed", "~> 0.12"
6 | end
7 | 
8 | gem "webrick", "~> 1.7"
9 | 


--------------------------------------------------------------------------------
/tools/debian/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.python.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [packages]
 7 | osv = "*"
 8 | markdownify = "*"
 9 | pandas = "*"
10 | python-dateutil = "*"
11 | 
12 | [dev-packages]
13 | pylint = "*"
14 | yapf = "*"
15 | 


--------------------------------------------------------------------------------
/tools/ghsa/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.python.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [packages]
 7 | requests = "*"
 8 | osv = "*"
 9 | 
10 | [dev-packages]
11 | pylint = "*"
12 | yapf = "*"
13 | 
14 | [requires]
15 | python_version = "3.13"
16 | 


--------------------------------------------------------------------------------
/bindings/go/go.sum:
--------------------------------------------------------------------------------
1 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
2 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
3 | google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
4 | google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
5 | 


--------------------------------------------------------------------------------
/tools/redhat/Pipfile:
--------------------------------------------------------------------------------
 1 | [[source]]
 2 | url = "https://pypi.python.org/simple"
 3 | verify_ssl = true
 4 | name = "pypi"
 5 | 
 6 | [dev-packages]
 7 | setuptools = "*"
 8 | pylint = "*"
 9 | yapf = "*"
10 | redhat_osv = {path = "."}
11 | 
12 | [packages]
13 | requests = "*"
14 | setuptools = "*"
15 | packageurl-python = "*"
16 | redhat-osv = {file = ".", editable = true}
17 | 


--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
 1 | # EditorConfig helps developers define and maintain consistent
 2 | # coding styles between different editors and IDEs
 3 | # editorconfig.org
 4 | 
 5 | root = true
 6 | 
 7 | [*]
 8 | end_of_line = lf
 9 | charset = utf-8
10 | trim_trailing_whitespace = true
11 | insert_final_newline = true
12 | indent_style = space
13 | indent_size = 2
14 | 
15 | [*.go]
16 | indent_style = tab
17 | 


--------------------------------------------------------------------------------
/tools/ghsa/README.md:
--------------------------------------------------------------------------------
 1 | # GHSA to OSV converter
 2 | 
 3 | ## Setup
 4 | 
 5 | ```bash
 6 | $ pipenv sync
 7 | $ pipenv shell
 8 | ```
 9 | 
10 | ## Usage
11 | 
12 | ```bash
13 | $ mkdir out
14 | $ python3 dump_ghsa.py --token $GITHUB_TOKEN out
15 | $ mkdir osv
16 | $ python3 convert_ghsa.py -o osv out/*.json
17 | ```
18 | 
19 | ## Unit Test
20 | 
21 | ```bash
22 | $ python3 -m unittest *_test.py
23 | ```
24 | 


--------------------------------------------------------------------------------
/validation/README.md:
--------------------------------------------------------------------------------
 1 | # JSON Validator
 2 | 
 3 | This directory contains a JSON schema to validate OSV entries.
 4 | 
 5 | ## Example Usage
 6 | 
 7 | (Any [validator](https://json-schema.org/implementations#validators) can be used, these are a couple that are known to work)
 8 | 
 9 | ```
10 | $ go run github.com/neilpa/yajsv@latest -s schema.json osv_to_test.json
11 | ```
12 | 
13 | ```
14 | $ pip install check-jsonschema
15 | $ check-jsonschema --schemafile schema.json osv_to_test.json
16 | ```
17 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/schema_test.go:
--------------------------------------------------------------------------------
 1 | package checks_test
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/google/go-cmp/cmp"
 8 | )
 9 | 
10 | func TestSchemaHasBeenGenerated(t *testing.T) {
11 | 	t.Parallel()
12 | 
13 | 	var err error
14 | 
15 | 	want, err := os.ReadFile("../../../../validation/schema.json")
16 | 	if err != nil {
17 | 		t.Fatal(err)
18 | 	}
19 | 
20 | 	got, err := os.ReadFile("schema_generated.json")
21 | 	if err != nil {
22 | 		t.Fatal(err)
23 | 	}
24 | 
25 | 	if diff := cmp.Diff(want, got); diff != "" {
26 | 		t.Errorf("Schema needs to be regenerated (-want +got):\n%s", diff)
27 | 	}
28 | }
29 | 


--------------------------------------------------------------------------------
/RELEASING.md:
--------------------------------------------------------------------------------
 1 | # Releasing
 2 | 
 3 | This document outlines the process for creating a new release of the OSV schema.
 4 | 
 5 | ## Release Process
 6 | 
 7 | The release process is as follows:
 8 | 
 9 | 1.  **Bump the version:**
10 |     -   Do a patch version bump for new ecosystems.
11 |     -   Do a minor version bump for non-breaking schema field changes.
12 | 
13 | 2.  **Update the changelog:**
14 |     -   Add any schema changes to the `CHANGELOG.md` file.
15 | 
16 | 3.  **Tag the release:**
17 |     -   Create and push a new git tag for the release.
18 | 
19 | 4.  **Publish GitHub release:**
20 |     -   Create a new release on GitHub with the new version number.
21 | 
22 | 5.  **Update GitHub Pages:**
23 |     -   Update the `live` branch to the new release.
24 | 


--------------------------------------------------------------------------------
/docs/_data/licenses.yml:
--------------------------------------------------------------------------------
 1 | CC-BY-4.0:
 2 |   name: Attribution 4.0 International
 3 |   url: https://creativecommons.org/licenses/by/4.0/
 4 |   image: https://i.creativecommons.org/l/by/4.0/88x31.png
 5 | CC-BY-SA-4.0:
 6 |   name: Attribution-ShareAlike 4.0 International
 7 |   url: https://creativecommons.org/licenses/by-sa/4.0/
 8 |   image: https://i.creativecommons.org/l/by-sa/4.0/88x31.png
 9 | CC-BY-NC-4.0:
10 |   name: Attribution-NonCommercial 4.0 International
11 |   url: https://creativecommons.org/licenses/by-nc/4.0/
12 |   image: https://i.creativecommons.org/l/by-nc/4.0/88x31.png
13 | CC-BY-ND-4.0:
14 |   name: Attribution-NoDerivatives 4.0 International
15 |   url: https://creativecommons.org/licenses/by-nd/4.0/
16 |   image: https://i.creativecommons.org/l/by-nd/4.0/88x31.png
17 | 


--------------------------------------------------------------------------------
/bindings/build.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Copyright 2025 Google LLC
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #      http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | 
16 | protoc --proto_path=../proto --go_out=paths=source_relative:go/osvschema vulnerability.proto
17 | (cd .. && python3 scripts/update-ecosystems-lists.py)
18 | 


--------------------------------------------------------------------------------
/tools/redhat/setup.py:
--------------------------------------------------------------------------------
 1 | """ Convert a CSAF document to OSV format
 2 |     i.e. https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4546.json
 3 | """
 4 | 
 5 | from setuptools import setup
 6 | 
 7 | REQUIRES = ["jsonschema", "requests", "packageurl-python"]
 8 | 
 9 | setup(
10 |     name="redhat_osv",
11 |     version="1.0.0",
12 |     description="Convert Red Hat CSAF documents to OSV format",
13 |     author_email="jshepher@redhat.com",
14 |     url="",
15 |     keywords=["OSV", "CSAF"],
16 |     install_requires=REQUIRES,
17 |     classifiers=[
18 |         "Programming Language :: Python :: 3",
19 |     ],
20 |     packages=["redhat_osv"],
21 |     entry_points={"console_scripts": ["convert_redhat=convert_redhat:main"]},
22 |     long_description=
23 |     "The purpose of this tool is to convert from Red Hat CSAF documents to OSV",
24 | )
25 | 


--------------------------------------------------------------------------------
/tools/osv-linter/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/ossf/osv-schema/linter
 2 | 
 3 | go 1.24.4
 4 | 
 5 | require (
 6 | 	github.com/google/go-cmp v0.7.0
 7 | 	github.com/google/osv-scalibr v0.3.5-0.20251007022113-0f405599e232
 8 | 	github.com/package-url/packageurl-go v0.1.3
 9 | 	github.com/sethvargo/go-retry v0.2.4
10 | 	github.com/tidwall/gjson v1.18.0
11 | 	github.com/urfave/cli/v2 v2.27.2
12 | 	github.com/xeipuuv/gojsonschema v1.2.0
13 | 	golang.org/x/mod v0.25.0
14 | 	golang.org/x/sync v0.16.0
15 | 	golang.org/x/term v0.32.0
16 | )
17 | 
18 | require (
19 | 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
20 | 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
21 | 	github.com/stretchr/testify v1.6.1 // indirect
22 | 	github.com/tidwall/match v1.1.1 // indirect
23 | 	github.com/tidwall/pretty v1.2.0 // indirect
24 | 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
25 | 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
26 | 	github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
27 | 	golang.org/x/sys v0.33.0 // indirect
28 | )
29 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/GO-2020-0001.json:
--------------------------------------------------------------------------------
1 | {"schema_version":"1.3.1","id":"GO-2020-0001","modified":"2024-05-20T16:03:47Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2020-36567","GHSA-6vm3-jj99-7229"],"summary":"Arbitrary log line injection in github.com/gin-gonic/gin","details":"The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.","affected":[{"package":{"name":"github.com/gin-gonic/gin","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.6.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/gin-gonic/gin","symbols":["Default","Logger","LoggerWithConfig","LoggerWithFormatter","LoggerWithWriter"]}]}}],"references":[{"type":"FIX","url":"https://github.com/gin-gonic/gin/pull/2237"},{"type":"FIX","url":"https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d"}],"credits":[{"name":"@thinkerou \u003cthinkerou@gmail.com\u003e"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0001","review_status":"REVIEWED"}}


--------------------------------------------------------------------------------
/.github/workflows/ospsSecurityAssesssment.yml:
--------------------------------------------------------------------------------
 1 | name: OSPS Security Assessment
 2 | 
 3 | on:
 4 |   schedule:
 5 |     - cron: "0 9 * * 1"  # Weekly on Mondays at 9 AM UTC
 6 |   workflow_dispatch:  # Allow manual triggering
 7 | 
 8 | jobs:
 9 |   osps-assessment:
10 |     runs-on: ubuntu-latest
11 | 
12 |     permissions:
13 |       contents: read
14 |       security-events: write  # Required for SARIF upload
15 | 
16 |     steps:
17 |       - name: Checkout repository
18 |         uses: actions/checkout@v4
19 | 
20 |       - name: Open Source Project Security Baseline Scanner
21 |         uses: revanite-io/osps-baseline-action@v1.0.0
22 |         with:
23 |           owner: ${{ github.repository_owner }}
24 |           repo: ${{ github.event.repository.name }}
25 |           token: ${{ secrets.OSPS_WORKFLOW_TOKEN }}
26 |           catalog: "osps-baseline"
27 |           upload-sarif: "true"
28 | 
29 |       - name: Upload Assessment Results
30 |         if: always()
31 |         uses: actions/upload-artifact@v4
32 |         with:
33 |           name: osps-assessment-results-${{ github.run_number }}
34 |           path: evaluation_results/
35 |           retention-days: 30
36 | 


--------------------------------------------------------------------------------
/security-insights.yml:
--------------------------------------------------------------------------------
 1 | header:
 2 |   schema-version: 2.1.0
 3 |   last-updated: '2025-11-24'
 4 |   last-reviewed: '2025-11-24'
 5 |   url: https://github.com/ossf/osv-schema
 6 | 
 7 | repository:
 8 |   url: https://github.com/ossf/osv-schema
 9 |   status: active
10 |   accepts-change-request: true
11 |   accepts-automated-change-request: true
12 |   core-team:
13 |     - name: Rex Pan
14 |       affiliation: Google
15 |       primary: true
16 |     - name: Jason Shepherd
17 |       affiliation: Red Hat
18 |       primary: true
19 |     - name: Madison Oliver
20 |       affiliation: GitHub
21 |       primary: true
22 |     - name: Chris Robinson
23 |       affiliation: OpenSSF
24 |       primary: true
25 |     - name: Andrew Pollock
26 |       primary: true
27 |     - name: Vulnerability Disclosures WG
28 |       affiliation: OpenSSF
29 |       email: openssf-wg-vul-disclosures@lists.openssf.org
30 |       primary: true
31 | 
32 |   license:
33 |     url: https://github.com/ossf/osv-schema/blob/main/LICENSE
34 |     expression: Apache-2.0
35 |   security:
36 |     assessments:
37 |       self:
38 |         comment: |
39 |           Self assessment has not yet been completed.
40 | 


--------------------------------------------------------------------------------
/tools/debian/README.md:
--------------------------------------------------------------------------------
 1 | # Debian advisory converter (WIP)
 2 | 
 3 | ## Prerequisites
 4 | 
 5 | Clone the following two repositories:
 6 | - https://salsa.debian.org/security-tracker-team/security-tracker.git
 7 | - https://salsa.debian.org/webmaster-team/webwml.git
 8 | 
 9 | `git` also has to be installed and on the `PATH`, 
10 | used to read modified dates of files 
11 | 
12 | Running the `first_package_finder.py` also requires internet connection.
13 | 
14 | ## Run converter
15 | 
16 | ### Usage:
17 | ```
18 | usage: convert_debian.py [-h] -o OUTPUT_DIR [--adv_type {DSA,DLA,DTSA}] webwml_repo security_tracker_repo
19 | ```
20 | 
21 | #### Options:
22 | `--adv_type`: Specify advisory type:
23 | 
24 | - `DSA`: Debian security advisory
25 | - `DLA`: Debian LTS security advisory
26 | - `DTSA`: Debian testing security advisory
27 | 
28 | `--output-dir, -o`:
29 | Output directory to place the converted osv `.json` files
30 | 
31 | ### Example:
32 | ```
33 | python convert_debian.py --adv_type DSA -o ./output path/to/webwml/ path/to/security-tracker-master/
34 | ```
35 | 
36 | ## Run first_package_finder
37 | 
38 | first_package_finder will output `first_package_cache.json.gz` in the working
39 | directory. 
40 | 
41 | ### Example:
42 | ```
43 | python first_package_finder.py
44 | ```


--------------------------------------------------------------------------------
/tools/redhat/convert_redhat.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | """ Convert a CSAF document to OSV format
 3 |     i.e. https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4546.json
 4 | """
 5 | import argparse
 6 | import sys
 7 | from datetime import datetime
 8 | 
 9 | from redhat_osv.osv import DATE_FORMAT, RedHatConverter
10 | 
11 | 
12 | def main():
13 |     """
14 |     Given a Red Hat CSAF document, covert it to OSV. Writes the OSV file to disk at 'osv' by default
15 |     """
16 |     parser = argparse.ArgumentParser(description='CSAF to OSV Converter')
17 |     parser.add_argument("csaf", metavar="FILE", help='CSAF file to process')
18 |     parser.add_argument('--output_directory', dest='out_dir', default="osv")
19 | 
20 |     args = parser.parse_args()
21 | 
22 |     with open(args.csaf, "r", encoding="utf-8") as in_f:
23 |         csaf_data = in_f.read()
24 | 
25 |     converter = RedHatConverter()
26 |     osv_id, osv_data = converter.convert(csaf_data,
27 |                                          datetime.now().strftime(DATE_FORMAT))
28 | 
29 |     if not osv_data:
30 |         sys.exit(1)
31 | 
32 |     with open(f"{args.out_dir}/{osv_id}.json", "w", encoding="utf-8") as out_f:
33 |         out_f.write(osv_data)
34 | 
35 | 
36 | if __name__ == '__main__':
37 |     main()
38 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/nopackage-GHSA-9v2f-6vcg-3hgv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.4.0",
 3 |   "id": "GHSA-9v2f-6vcg-3hgv",
 4 |   "modified": "2024-07-03T20:05:21Z",
 5 |   "published": "2024-07-01T21:31:15Z",
 6 |   "aliases": [
 7 |     "CVE-2024-39236"
 8 |   ],
 9 |   "summary": "Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py",
10 |   "details": "Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input.",
11 |   "severity": [
12 |     {
13 |       "type": "CVSS_V3",
14 |       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
15 |     }
16 |   ],
17 |   "affected": [
18 |     {
19 |       "package": {
20 |         "ecosystem": "PyPI",
21 |         "name": "Gradi0"
22 |       },
23 |       "versions": [
24 |         "4.36.1"
25 |       ]
26 |     }
27 |   ],
28 |   "references": [
29 |     {
30 |       "type": "ADVISORY",
31 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39236"
32 |     },
33 |     {
34 |       "type": "WEB",
35 |       "url": "https://github.com/Aaron911/PoC/blob/main/Gradio.md"
36 |     }
37 |   ],
38 |   "database_specific": {
39 |     "cwe_ids": [
40 |       "CWE-94"
41 |     ],
42 |     "severity": "CRITICAL",
43 |     "github_reviewed": true,
44 |     "github_reviewed_at": "2024-07-01T22:13:35Z",
45 |     "nvd_published_at": "2024-07-01T19:15:05Z"
46 |   }
47 | }
48 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/GHSA-9v2f-6vcg-3hgv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.4.0",
 3 |   "id": "GHSA-9v2f-6vcg-3hgv",
 4 |   "modified": "2024-07-03T20:05:21Z",
 5 |   "published": "2024-07-01T21:31:15Z",
 6 |   "aliases": [
 7 |     "CVE-2024-39236"
 8 |   ],
 9 |   "summary": "Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py",
10 |   "details": "Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input.",
11 |   "severity": [
12 |     {
13 |       "type": "CVSS_V3",
14 |       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
15 |     }
16 |   ],
17 |   "affected": [
18 |     {
19 |       "package": {
20 |         "ecosystem": "PyPI",
21 |         "name": "Gradio"
22 |       },
23 |       "versions": [
24 |         "4.36.1",
25 |         "4.36.-1"
26 |       ]
27 |     }
28 |   ],
29 |   "references": [
30 |     {
31 |       "type": "ADVISORY",
32 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39236"
33 |     },
34 |     {
35 |       "type": "WEB",
36 |       "url": "https://github.com/Aaron911/PoC/blob/main/Gradio.md"
37 |     }
38 |   ],
39 |   "database_specific": {
40 |     "cwe_ids": [
41 |       "CWE-94"
42 |     ],
43 |     "severity": "CRITICAL",
44 |     "github_reviewed": true,
45 |     "github_reviewed_at": "2024-07-01T22:13:35Z",
46 |     "nvd_published_at": "2024-07-01T19:15:05Z"
47 |   }
48 | }
49 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/greater_than_equals_no_patch.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-pxmp-fwjc-4x7q",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-pxmp-fwjc-4x7q"
 6 |     }
 7 |   ],
 8 |   "references": [
 9 |     {
10 |       "url": "https://www.npmjs.com/advisories/1471"
11 |     },
12 |     {
13 |       "url": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q"
14 |     }
15 |   ],
16 |   "description": "All versions of `marky-markdown` are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is `youtube.com` but it is possible to bypass the validation with sources where `youtube.com` is the sub-domain, such as `youtube.com.evil.co`. This \n\n\n## Recommendation\n\nThis package is no longer maintained. Please upgrade to `@npmcorp/marky-markdown`",
17 |   "summary": "HTML Injection in marky-markdown",
18 |   "severity": "MODERATE",
19 |   "cvss": {
20 |     "score": 0,
21 |     "vectorString": null
22 |   },
23 |   "cwes": {
24 |     "nodes": []
25 |   },
26 |   "permalink": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q",
27 |   "publishedAt": "2020-09-03T15:45:23Z",
28 |   "updatedAt": "2020-09-03T15:45:23Z",
29 |   "withdrawnAt": null,
30 |   "vulnerabilities": {
31 |     "nodes": [
32 |       {
33 |         "package": {
34 |           "ecosystem": "NPM",
35 |           "name": "marky-markdown"
36 |         },
37 |         "firstPatchedVersion": null,
38 |         "vulnerableVersionRange": ">= 0.0.0"
39 |       }
40 |     ]
41 |   }
42 | }
43 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/greater_than_equals_no_patch.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-pxmp-fwjc-4x7q",
 4 |   "aliases": [],
 5 |   "published": "2020-09-03T15:45:23Z",
 6 |   "modified": "2020-09-03T15:45:23Z",
 7 |   "summary": "HTML Injection in marky-markdown",
 8 |   "details": "All versions of `marky-markdown` are vulnerable to HTML Injection due to a validation bypass. The package only allows iframes where the source is `youtube.com` but it is possible to bypass the validation with sources where `youtube.com` is the sub-domain, such as `youtube.com.evil.co`. This \n\n\n## Recommendation\n\nThis package is no longer maintained. Please upgrade to `@npmcorp/marky-markdown`",
 9 |   "references": [
10 |     {
11 |       "type": "WEB",
12 |       "url": "https://www.npmjs.com/advisories/1471"
13 |     },
14 |     {
15 |       "type": "ADVISORY",
16 |       "url": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q"
17 |     }
18 |   ],
19 |   "affected": [
20 |     {
21 |       "package": {
22 |         "ecosystem": "npm",
23 |         "name": "marky-markdown"
24 |       },
25 |       "ranges": [
26 |         {
27 |           "type": "SEMVER",
28 |           "events": [
29 |             {
30 |               "introduced": "0.0.0"
31 |             }
32 |           ]
33 |         }
34 |       ],
35 |       "versions": [],
36 |       "database_specific": {
37 |         "ghsa": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q",
38 |         "cwes": []
39 |       }
40 |     }
41 |   ]
42 | }
43 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/ranges_test.go:
--------------------------------------------------------------------------------
 1 | package checks
 2 | 
 3 | import (
 4 | 	"os"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/tidwall/gjson"
 8 | 
 9 | 	"github.com/google/go-cmp/cmp"
10 | 	"github.com/google/go-cmp/cmp/cmpopts"
11 | )
12 | 
13 | func LoadTestData(filename string) *gjson.Result {
14 | 	content, err := os.ReadFile(filename)
15 | 	if err != nil {
16 | 		panic(err)
17 | 	}
18 | 	record := gjson.ParseBytes(content)
19 | 	return &record
20 | }
21 | 
22 | func TestRangeHasIntroducedEvent(t *testing.T) {
23 | 	t.Parallel()
24 | 
25 | 	type args struct {
26 | 		json *gjson.Result
27 | 	}
28 | 	tests := []struct {
29 | 		name         string
30 | 		args         args
31 | 		wantFindings []CheckError
32 | 	}{
33 | 		{
34 | 			name: "A compliant file",
35 | 			args: args{
36 | 				json: LoadTestData("../../testdata/CVE-2023-41045.json"),
37 | 			},
38 | 			wantFindings: nil,
39 | 		},
40 | 		{
41 | 			name: "A file without an introduced event",
42 | 			args: args{
43 | 				json: LoadTestData("../../testdata/nointroduced-CVE-2023-41045.json"),
44 | 			},
45 | 			wantFindings: []CheckError{{Message: "missing 'introduced' object in event"}},
46 | 		},
47 | 	}
48 | 	for _, tt := range tests {
49 | 		t.Run(tt.name, func(t *testing.T) {
50 | 			gotFindings := RangeHasIntroducedEvent(tt.args.json, &Config{Verbose: true})
51 | 			if diff := cmp.Diff(tt.wantFindings, gotFindings, cmpopts.EquateErrors()); diff != "" {
52 | 				t.Errorf("RangeHasIntroducedEvent() mismatch (-want +got):\n%s", diff)
53 | 			}
54 | 		})
55 | 	}
56 | }
57 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/equals_no_patch.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-4g4c-8gqh-m4vm",
 4 |   "aliases": [
 5 |     "CVE-2019-13589"
 6 |   ],
 7 |   "published": "2019-07-16T00:41:55Z",
 8 |   "modified": "2021-05-10T22:18:29Z",
 9 |   "summary": "Inclusion of Functionality from Untrusted Control Sphere in Ruby",
10 |   "details": "The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5.",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13589"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-4g4c-8gqh-m4vm"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "RubyGems",
25 |         "name": "paranoid2"
26 |       },
27 |       "ranges": [],
28 |       "versions": [
29 |         "1.1.6"
30 |       ],
31 |       "database_specific": {
32 |         "ghsa": "https://github.com/advisories/GHSA-4g4c-8gqh-m4vm",
33 |         "cwes": [
34 |           {
35 |             "cweId": "CWE-829",
36 |             "description": "The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.",
37 |             "name": "Inclusion of Functionality from Untrusted Control Sphere"
38 |           }
39 |         ]
40 |       }
41 |     }
42 |   ]
43 | }
44 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/MAL-2024-10238.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "modified": "2024-10-27T13:55:45Z",
 3 |   "published": "2024-10-27T13:55:45Z",
 4 |   "schema_version": "1.5.0",
 5 |   "id": "MAL-2024-10238",
 6 |   "summary": "Malicious code in 123bla (PyPI)",
 7 |   "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (482493bb0425cda1267f50c860740681a8c0e91958623ed8d949b9db65b2e4a9)\nThe OpenSSF Package Analysis project identified '123bla' @ 0.0.1 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n",
 8 |   "affected": [
 9 |     {
10 |       "package": {
11 |         "ecosystem": "PyPI",
12 |         "name": "123bla"
13 |       },
14 |       "versions": [
15 |         "0.0.1"
16 |       ]
17 |     }
18 |   ],
19 |   "credits": [
20 |     {
21 |       "name": "OpenSSF: Package Analysis",
22 |       "type": "FINDER",
23 |       "contact": [
24 |         "https://github.com/ossf/package-analysis",
25 |         "https://openssf.slack.com/channels/package_analysis"
26 |       ]
27 |     }
28 |   ],
29 |   "database_specific": {
30 |     "malicious-packages-origins": [
31 |       {
32 |         "import_time": "2024-10-27T14:05:09.316165759Z",
33 |         "modified_time": "2024-10-27T13:55:45Z",
34 |         "sha256": "482493bb0425cda1267f50c860740681a8c0e91958623ed8d949b9db65b2e4a9",
35 |         "source": "ossf-package-analysis",
36 |         "versions": [
37 |           "0.0.1"
38 |         ]
39 |       }
40 |     ]
41 |   }
42 | }
43 | 


--------------------------------------------------------------------------------
/scripts/validate-schema-table.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import os
 4 | from html.parser import HTMLParser
 5 | 
 6 | 
 7 | class UnexpectedTagError(Exception):
 8 |   pass
 9 | 
10 | 
11 | class HTMLValidator(HTMLParser):
12 |   def __init__(self) -> None:
13 |     super().__init__()
14 | 
15 |     self.__tags: list[str] = []
16 | 
17 |   def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
18 |     self.__tags.append(tag)
19 | 
20 |   def handle_endtag(self, tag: str) -> None:
21 |     last_tag = self.__tags.pop()
22 |     if last_tag != tag:
23 |       raise UnexpectedTagError(last_tag)
24 | 
25 | 
26 | def extract_schema_table() -> tuple[str, int]:
27 |   raw_table = ''
28 |   index = -1
29 | 
30 |   with open('docs/schema.md') as f:
31 |     for i, line in enumerate(f.readlines()):
32 |       if line == '<table>\n':
33 |         index = i + 1
34 |         raw_table += line
35 |       if raw_table != '':
36 |         raw_table += line
37 |       if line == '</table>\n':
38 |         break
39 |   return raw_table, index
40 | 
41 | 
42 | table, starting_line = extract_schema_table()
43 | 
44 | validator = HTMLValidator()
45 | 
46 | try:
47 |   validator.feed(table)
48 | except UnexpectedTagError as e:
49 |   if 'CI' in os.environ:
50 |     print(
51 |       f'::error file=docs/schema.md,line={starting_line}::unexpected {e} tag in table - ensure that the tags are properly paired'
52 |     )
53 |   print(
54 |     f'unexpected {e} tag in docs/schema.md databases table - ensure that the tags are properly paired'
55 |   )
56 |   exit(1)
57 | 


--------------------------------------------------------------------------------
/tools/redhat/redhat_osv/convert_redhat_test.py:
--------------------------------------------------------------------------------
 1 | """Tests for converting a CSAF document to OSV format"""
 2 | import unittest
 3 | from datetime import datetime
 4 | import json
 5 | from redhat_osv.osv import DATE_FORMAT, RedHatConverter
 6 | 
 7 | 
 8 | class TestRedHatConverter(unittest.TestCase):
 9 |     """Test end-to-end convertion from RedHAt CSAF to OSV format"""
10 | 
11 |     test_advisories = ["2024_4546", "2024_6220"]
12 | 
13 |     def test_convert_redhat(self):
14 |         """Test conversion of Red Hat CSAF files to OSV format."""
15 |         for test_advisory in self.test_advisories:
16 |             modified_time = datetime.strptime("2024-09-02T14:30:00",
17 |                                               "%Y-%m-%dT%H:%M:%S")
18 |             csaf_file = f"testdata/CSAF/rhsa-{test_advisory}.json"
19 |             expected_file = f"testdata/OSV/RHSA-{test_advisory}.json"
20 | 
21 |             with open(csaf_file, "r", encoding="utf-8") as fp:
22 |                 csaf_data = fp.read()
23 |             converter = RedHatConverter()
24 |             osv_data = converter.convert(csaf_data,
25 |                                          modified_time.strftime(DATE_FORMAT))
26 | 
27 |             advisory_id = test_advisory.replace("_", ":")
28 |             assert osv_data[0] == f"RHSA-{advisory_id}"
29 |             result_data = json.loads(osv_data[1])
30 | 
31 |             with open(expected_file, "r", encoding="utf-8") as fp:
32 |                 expected_data = json.load(fp)
33 |             assert expected_data == result_data
34 | 
35 | 
36 | if __name__ == '__main__':
37 |     unittest.main()
38 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/schema.go:
--------------------------------------------------------------------------------
 1 | package checks
 2 | 
 3 | import (
 4 | 	_ "embed"
 5 | 	"fmt"
 6 | 	"strings"
 7 | 
 8 | 	"github.com/tidwall/gjson"
 9 | 	"github.com/xeipuuv/gojsonschema"
10 | )
11 | 
12 | // Please run 'go generate ./...' to sync schema.json.
13 | //go:generate cp ../../../../validation/schema.json schema_generated.json
14 | 
15 | //go:embed schema_generated.json
16 | var LoadedSchema []byte
17 | 
18 | var CheckInvalidSchema = &CheckDef{
19 | 	Code:        "SCH:001",
20 | 	Name:        "conforms-to-schema",
21 | 	Description: "the record must conform to the OSV JSON schema",
22 | 	Check:       SchemaCheck,
23 | }
24 | 
25 | func SchemaCheck(json *gjson.Result, config *Config) []CheckError {
26 | 	schemaLoader := gojsonschema.NewBytesLoader(LoadedSchema)
27 | 	documentLoader := gojsonschema.NewStringLoader(json.Raw)
28 | 
29 | 	result, err := gojsonschema.Validate(schemaLoader, documentLoader)
30 | 	if err != nil {
31 | 		// This should not happen with a valid embedded schema.
32 | 		// It indicates a problem with the linter itself.
33 | 		panic(fmt.Sprintf("schema validation failed: %v", err))
34 | 	}
35 | 
36 | 	if result.Valid() {
37 | 		return nil
38 | 	}
39 | 
40 | 	var errors []string
41 | 	for _, desc := range result.Errors() {
42 | 		if config.NewEcosystem && strings.Contains(desc.Description(), "Does not match pattern") {
43 | 			continue
44 | 		}
45 | 		errors = append(errors, fmt.Sprintf("- %s", desc))
46 | 	}
47 | 
48 | 	if len(errors) == 0 {
49 | 		return nil
50 | 	}
51 | 
52 | 	return []CheckError{
53 | 		{
54 | 			Message: fmt.Sprintf("Record does not conform to schema:\n %s", strings.Join(errors, "\n")),
55 | 		},
56 | 	}
57 | }
58 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/multiple_ranges_in_package.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-9qj7-jvg4-qr2x",
 4 |   "aliases": [
 5 |     "CVE-2013-2119"
 6 |   ],
 7 |   "published": "2017-10-24T18:33:37Z",
 8 |   "modified": "2021-09-08T20:47:39Z",
 9 |   "summary": "Moderate severity vulnerability that affects passenger",
10 |   "details": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem.",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2119"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-9qj7-jvg4-qr2x"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "RubyGems",
25 |         "name": "passenger"
26 |       },
27 |       "ranges": [
28 |         {
29 |           "type": "ECOSYSTEM",
30 |           "events": [
31 |             {
32 |               "introduced": "0"
33 |             },
34 |             {
35 |               "introduced": "4.0.1"
36 |             },
37 |             {
38 |               "fixed": "4.0.5"
39 |             },
40 |             {
41 |               "fixed": "3.0.21"
42 |             }
43 |           ]
44 |         }
45 |       ],
46 |       "versions": [],
47 |       "database_specific": {
48 |         "ghsa": "https://github.com/advisories/GHSA-9qj7-jvg4-qr2x",
49 |         "cwes": []
50 |       }
51 |     }
52 |   ]
53 | }
54 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/GO-2024-2963.json:
--------------------------------------------------------------------------------
1 | {"schema_version":"1.3.1","id":"GO-2024-2963","modified":"2024-07-02T20:11:00Z","published":"2024-07-02T20:11:00Z","aliases":["CVE-2024-24791"],"summary":"Denial of service due to improper 100-continue handling in net/http","details":"The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an \"Expect: 100-continue\" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.\n\nAn attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending \"Expect: 100-continue\" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.","affected":[{"package":{"name":"stdlib","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.21.12"},{"introduced":"1.22.0-0"},{"fixed":"1.22.5"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["Client.CloseIdleConnections","Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","Get","Head","Post","PostForm","Transport.CancelRequest","Transport.CloseIdleConnections","Transport.RoundTrip","persistConn.readResponse"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/591255"},{"type":"REPORT","url":"https://go.dev/issue/67555"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ"}],"credits":[{"name":"Geoff Franks"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2963","review_status":"REVIEWED"}}


--------------------------------------------------------------------------------
/tools/ghsa/testdata/equals_no_patch.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-4g4c-8gqh-m4vm",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-4g4c-8gqh-m4vm"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2019-13589"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13589"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-4g4c-8gqh-m4vm"
17 |     }
18 |   ],
19 |   "description": "The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5.",
20 |   "summary": "Inclusion of Functionality from Untrusted Control Sphere in Ruby",
21 |   "severity": "CRITICAL",
22 |   "cvss": {
23 |     "score": 9.8,
24 |     "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
25 |   },
26 |   "cwes": {
27 |     "nodes": [
28 |       {
29 |         "cweId": "CWE-829",
30 |         "description": "The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.",
31 |         "name": "Inclusion of Functionality from Untrusted Control Sphere"
32 |       }
33 |     ]
34 |   },
35 |   "permalink": "https://github.com/advisories/GHSA-4g4c-8gqh-m4vm",
36 |   "publishedAt": "2019-07-16T00:41:55Z",
37 |   "updatedAt": "2021-05-10T22:18:29Z",
38 |   "withdrawnAt": null,
39 |   "vulnerabilities": {
40 |     "nodes": [
41 |       {
42 |         "package": {
43 |           "ecosystem": "RUBYGEMS",
44 |           "name": "paranoid2"
45 |         },
46 |         "firstPatchedVersion": null,
47 |         "vulnerableVersionRange": "= 1.1.6"
48 |       }
49 |     ]
50 |   }
51 | }
52 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/less_than_equals_no_patch.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-jvf4-g24p-2qgw",
 4 |   "aliases": [
 5 |     "CVE-2020-7738"
 6 |   ],
 7 |   "published": "2021-05-10T18:37:34Z",
 8 |   "modified": "2021-05-10T18:37:34Z",
 9 |   "summary": "Arbitrary Code Execution in shiba",
10 |   "details": "\"All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad().\"",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7738"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-jvf4-g24p-2qgw"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "npm",
25 |         "name": "shiba"
26 |       },
27 |       "ranges": [
28 |         {
29 |           "type": "SEMVER",
30 |           "events": [
31 |             {
32 |               "introduced": "0"
33 |             }
34 |           ]
35 |         }
36 |       ],
37 |       "versions": [],
38 |       "database_specific": {
39 |         "ghsa": "https://github.com/advisories/GHSA-jvf4-g24p-2qgw",
40 |         "cwes": [
41 |           {
42 |             "cweId": "CWE-94",
43 |             "description": "The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.",
44 |             "name": "Improper Control of Generation of Code ('Code Injection')"
45 |           }
46 |         ]
47 |       }
48 |     }
49 |   ]
50 | }
51 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/multiple_ranges_in_package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-9qj7-jvg4-qr2x",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-9qj7-jvg4-qr2x"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2013-2119"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2119"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-9qj7-jvg4-qr2x"
17 |     }
18 |   ],
19 |   "description": "Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary \"config\" file in a directory with a predictable name in /tmp/ before it is used by the gem.",
20 |   "summary": "Moderate severity vulnerability that affects passenger",
21 |   "severity": "MODERATE",
22 |   "cvss": {
23 |     "score": 0,
24 |     "vectorString": null
25 |   },
26 |   "cwes": {
27 |     "nodes": []
28 |   },
29 |   "permalink": "https://github.com/advisories/GHSA-9qj7-jvg4-qr2x",
30 |   "publishedAt": "2017-10-24T18:33:37Z",
31 |   "updatedAt": "2021-09-08T20:47:39Z",
32 |   "withdrawnAt": null,
33 |   "vulnerabilities": {
34 |     "nodes": [
35 |       {
36 |         "package": {
37 |           "ecosystem": "RUBYGEMS",
38 |           "name": "passenger"
39 |         },
40 |         "firstPatchedVersion": {
41 |           "identifier": "4.0.5"
42 |         },
43 |         "vulnerableVersionRange": ">= 4.0.1, < 4.0.5"
44 |       },
45 |       {
46 |         "package": {
47 |           "ecosystem": "RUBYGEMS",
48 |           "name": "passenger"
49 |         },
50 |         "firstPatchedVersion": {
51 |           "identifier": "3.0.21"
52 |         },
53 |         "vulnerableVersionRange": "< 3.0.21"
54 |       }
55 |     ]
56 |   }
57 | }
58 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/less_than_equals_no_patch.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-jvf4-g24p-2qgw",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-jvf4-g24p-2qgw"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2020-7738"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7738"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-jvf4-g24p-2qgw"
17 |     }
18 |   ],
19 |   "description": "\"All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement , safeLoad().\"",
20 |   "summary": "Arbitrary Code Execution in shiba",
21 |   "severity": "HIGH",
22 |   "cvss": {
23 |     "score": 8.3,
24 |     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
25 |   },
26 |   "cwes": {
27 |     "nodes": [
28 |       {
29 |         "cweId": "CWE-94",
30 |         "description": "The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.",
31 |         "name": "Improper Control of Generation of Code ('Code Injection')"
32 |       }
33 |     ]
34 |   },
35 |   "permalink": "https://github.com/advisories/GHSA-jvf4-g24p-2qgw",
36 |   "publishedAt": "2021-05-10T18:37:34Z",
37 |   "updatedAt": "2021-05-10T18:37:34Z",
38 |   "withdrawnAt": null,
39 |   "vulnerabilities": {
40 |     "nodes": [
41 |       {
42 |         "package": {
43 |           "ecosystem": "NPM",
44 |           "name": "shiba"
45 |         },
46 |         "firstPatchedVersion": null,
47 |         "vulnerableVersionRange": "<= 1.2.1"
48 |       }
49 |     ]
50 |   }
51 | }
52 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/withdrawn.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-35c4-f3rq-f9g3",
 4 |   "aliases": [
 5 |     "CVE-2015-3227"
 6 |   ],
 7 |   "published": "2018-09-17T21:57:23Z",
 8 |   "modified": "2019-07-03T21:02:03Z",
 9 |   "withdrawn": "2018-10-11T17:29:49Z",
10 |   "summary": "Moderate severity vulnerability that affects activesupport",
11 |   "details": "Withdrawn, accidental duplicate publish.\r\n\r\nThe (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.",
12 |   "references": [
13 |     {
14 |       "type": "ADVISORY",
15 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3227"
16 |     },
17 |     {
18 |       "type": "ADVISORY",
19 |       "url": "https://github.com/advisories/GHSA-35c4-f3rq-f9g3"
20 |     }
21 |   ],
22 |   "affected": [
23 |     {
24 |       "package": {
25 |         "ecosystem": "RubyGems",
26 |         "name": "activesupport"
27 |       },
28 |       "ranges": [
29 |         {
30 |           "type": "ECOSYSTEM",
31 |           "events": [
32 |             {
33 |               "introduced": "3.2.0"
34 |             },
35 |             {
36 |               "fixed": "3.2.22"
37 |             },
38 |             {
39 |               "introduced": "4.2.0"
40 |             },
41 |             {
42 |               "fixed": "4.2.2"
43 |             },
44 |             {
45 |               "introduced": "4.0.0"
46 |             },
47 |             {
48 |               "fixed": "4.1.11"
49 |             }
50 |           ]
51 |         }
52 |       ],
53 |       "versions": [],
54 |       "database_specific": {
55 |         "ghsa": "https://github.com/advisories/GHSA-35c4-f3rq-f9g3",
56 |         "cwes": []
57 |       }
58 |     }
59 |   ]
60 | }
61 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/npm_greater_than.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-mhpp-875w-9cpv",
 4 |   "aliases": [
 5 |     "CVE-2016-10707"
 6 |   ],
 7 |   "published": "2018-01-22T13:32:42Z",
 8 |   "modified": "2021-09-15T20:10:34Z",
 9 |   "summary": "Denial of Service in jquery",
10 |   "details": "Affected versions of `jquery` use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, `jquery` enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10707"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-mhpp-875w-9cpv"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "npm",
25 |         "name": "jquery"
26 |       },
27 |       "ranges": [
28 |         {
29 |           "type": "SEMVER",
30 |           "events": [
31 |             {
32 |               "introduced": "2.1.1-0"
33 |             },
34 |             {
35 |               "fixed": "3.0.0"
36 |             }
37 |           ]
38 |         }
39 |       ],
40 |       "versions": [],
41 |       "database_specific": {
42 |         "ghsa": "https://github.com/advisories/GHSA-mhpp-875w-9cpv",
43 |         "cwes": [
44 |           {
45 |             "cweId": "CWE-400",
46 |             "description": "The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
47 |             "name": "Uncontrolled Resource Consumption"
48 |           }
49 |         ]
50 |       }
51 |     }
52 |   ]
53 | }
54 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/npm_greater_than.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-mhpp-875w-9cpv",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-mhpp-875w-9cpv"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2016-10707"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10707"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-mhpp-875w-9cpv"
17 |     }
18 |   ],
19 |   "description": "Affected versions of `jquery` use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, `jquery` enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.",
20 |   "summary": "Denial of Service in jquery",
21 |   "severity": "HIGH",
22 |   "cvss": {
23 |     "score": 7.5,
24 |     "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
25 |   },
26 |   "cwes": {
27 |     "nodes": [
28 |       {
29 |         "cweId": "CWE-400",
30 |         "description": "The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.",
31 |         "name": "Uncontrolled Resource Consumption"
32 |       }
33 |     ]
34 |   },
35 |   "permalink": "https://github.com/advisories/GHSA-mhpp-875w-9cpv",
36 |   "publishedAt": "2018-01-22T13:32:42Z",
37 |   "updatedAt": "2021-09-15T20:10:34Z",
38 |   "withdrawnAt": null,
39 |   "vulnerabilities": {
40 |     "nodes": [
41 |       {
42 |         "package": {
43 |           "ecosystem": "NPM",
44 |           "name": "jquery"
45 |         },
46 |         "firstPatchedVersion": {
47 |           "identifier": "3.0.0"
48 |         },
49 |         "vulnerableVersionRange": "> 2.1.0, < 3.0.0"
50 |       }
51 |     ]
52 |   }
53 | }
54 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/less_than_equals_with_patch.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-f89g-whpf-6q9m",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-f89g-whpf-6q9m"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2017-16008"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16008"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-f89g-whpf-6q9m"
17 |     }
18 |   ],
19 |   "description": "Affected versions of `i18next` allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.\n\n## Proof of Concept\n```\nvar init = i18n.init({debug: true}, function(){\n  var test = i18n.t('__firstName__ __lastName__', {\n        escapeInterpolation: true,\n        firstName: '__lastNameHTML__',\n        lastName: '<script>',\n  });\n  console.log(test);\n});\n// equals \"<script> &lt;script&gt;\"\n```\n\n\n## Recommendation\n\nUpdate to version 1.10.3 or later.",
20 |   "summary": "Cross-Site Scripting in i18next",
21 |   "severity": "MODERATE",
22 |   "cvss": {
23 |     "score": 0,
24 |     "vectorString": null
25 |   },
26 |   "cwes": {
27 |     "nodes": [
28 |       {
29 |         "cweId": "CWE-79",
30 |         "description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
31 |         "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
32 |       }
33 |     ]
34 |   },
35 |   "permalink": "https://github.com/advisories/GHSA-f89g-whpf-6q9m",
36 |   "publishedAt": "2018-11-09T17:46:56Z",
37 |   "updatedAt": "2021-01-08T18:53:47Z",
38 |   "withdrawnAt": null,
39 |   "vulnerabilities": {
40 |     "nodes": [
41 |       {
42 |         "package": {
43 |           "ecosystem": "NPM",
44 |           "name": "i18next"
45 |         },
46 |         "firstPatchedVersion": {
47 |           "identifier": "1.10.3"
48 |         },
49 |         "vulnerableVersionRange": "<= 1.10.2"
50 |       }
51 |     ]
52 |   }
53 | }
54 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/packages_test.go:
--------------------------------------------------------------------------------
 1 | package checks
 2 | 
 3 | import (
 4 | 	"reflect"
 5 | 	"testing"
 6 | 
 7 | 	"github.com/tidwall/gjson"
 8 | )
 9 | 
10 | func TestPackageExists(t *testing.T) {
11 | 	t.Parallel()
12 | 
13 | 	type args struct {
14 | 		json   *gjson.Result
15 | 		config *Config
16 | 	}
17 | 	tests := []struct {
18 | 		name         string
19 | 		args         args
20 | 		wantFindings []CheckError
21 | 	}{
22 | 		{
23 | 			name: "A malicious PyPI package no longer existing",
24 | 			args: args{
25 | 				json:   LoadTestData("../../testdata/MAL-2024-10238.json"),
26 | 				config: &Config{},
27 | 			},
28 | 			wantFindings: []CheckError{{Code: "", Message: "package \"123bla\" not found in \"PyPI\""}},
29 | 		},
30 | 	}
31 | 	for _, tt := range tests {
32 | 		t.Run(tt.name, func(t *testing.T) {
33 | 			if gotFindings := PackageExists(tt.args.json, tt.args.config); !reflect.DeepEqual(gotFindings, tt.wantFindings) {
34 | 				t.Errorf("PackageExists() = %v, want %v", gotFindings, tt.wantFindings)
35 | 			}
36 | 		})
37 | 	}
38 | }
39 | 
40 | func TestPackageVersionsExists(t *testing.T) {
41 | 	t.Parallel()
42 | 
43 | 	type args struct {
44 | 		json   *gjson.Result
45 | 		config *Config
46 | 	}
47 | 	tests := []struct {
48 | 		name         string
49 | 		args         args
50 | 		wantFindings []CheckError
51 | 	}{
52 | 		{
53 | 			name: "GIT_vuln_without_ecosystem_filter",
54 | 			args: args{
55 | 				json:   LoadTestData("../../testdata/CVE-2018-5407.json"),
56 | 				config: &Config{},
57 | 			},
58 | 		},
59 | 		{
60 | 			name: "PyPI_vuln_with_different_ecosystem_filter",
61 | 			args: args{
62 | 				json:   LoadTestData("../../testdata/GHSA-9v2f-6vcg-3hgv.json"),
63 | 				config: &Config{Ecosystems: []string{"npm"}},
64 | 			},
65 | 		},
66 | 	}
67 | 	for _, tt := range tests {
68 | 		t.Run(tt.name, func(t *testing.T) {
69 | 			t.Parallel()
70 | 
71 | 			if gotFindings := PackageVersionsExist(tt.args.json, tt.args.config); !reflect.DeepEqual(gotFindings, tt.wantFindings) {
72 | 				t.Errorf("PackageVersionsExist() = %v, want %v", gotFindings, tt.wantFindings)
73 | 			}
74 | 		})
75 | 	}
76 | }
77 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/less_than_equals_with_patch.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-f89g-whpf-6q9m",
 4 |   "aliases": [
 5 |     "CVE-2017-16008"
 6 |   ],
 7 |   "published": "2018-11-09T17:46:56Z",
 8 |   "modified": "2021-01-08T18:53:47Z",
 9 |   "summary": "Cross-Site Scripting in i18next",
10 |   "details": "Affected versions of `i18next` allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.\n\n## Proof of Concept\n```\nvar init = i18n.init({debug: true}, function(){\n  var test = i18n.t('__firstName__ __lastName__', {\n        escapeInterpolation: true,\n        firstName: '__lastNameHTML__',\n        lastName: '<script>',\n  });\n  console.log(test);\n});\n// equals \"<script> &lt;script&gt;\"\n```\n\n\n## Recommendation\n\nUpdate to version 1.10.3 or later.",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16008"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-f89g-whpf-6q9m"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "npm",
25 |         "name": "i18next"
26 |       },
27 |       "ranges": [
28 |         {
29 |           "type": "SEMVER",
30 |           "events": [
31 |             {
32 |               "introduced": "0"
33 |             },
34 |             {
35 |               "fixed": "1.10.3"
36 |             }
37 |           ]
38 |         }
39 |       ],
40 |       "versions": [],
41 |       "database_specific": {
42 |         "ghsa": "https://github.com/advisories/GHSA-f89g-whpf-6q9m",
43 |         "cwes": [
44 |           {
45 |             "cweId": "CWE-79",
46 |             "description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
47 |             "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
48 |           }
49 |         ]
50 |       }
51 |     }
52 |   ]
53 | }
54 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/faulttolerant/http.go:
--------------------------------------------------------------------------------
 1 | package faulttolerant
 2 | 
 3 | import (
 4 | 	"context"
 5 | 	"fmt"
 6 | 	"net/http"
 7 | 	"time"
 8 | 
 9 | 	"github.com/sethvargo/go-retry"
10 | )
11 | 
12 | // Make a HTTP GET request for url and retry 3 times, with an exponential backoff.
13 | func Get(url string) (resp *http.Response, err error) {
14 | 	backoff := retry.NewExponential(1 * time.Second)
15 | 	if err := retry.Do(context.Background(), retry.WithMaxRetries(3, backoff), func(ctx context.Context) error {
16 | 		req, err := http.NewRequest("GET", url, nil)
17 | 		if err != nil {
18 | 			return err
19 | 		}
20 | 
21 | 		req.Header.Set("User-Agent", "osv-linter")
22 | 
23 | 		r, err := http.DefaultClient.Do(req)
24 | 		if err != nil {
25 | 			return err
26 | 		}
27 | 
28 | 		switch r.StatusCode / 100 {
29 | 		case 4:
30 | 			return fmt.Errorf("bad response: %v", r.StatusCode)
31 | 		case 5:
32 | 			return retry.RetryableError(fmt.Errorf("bad response: %v", r.StatusCode))
33 | 		default:
34 | 			resp = r
35 | 			return nil
36 | 		}
37 | 	}); err != nil {
38 | 		return nil, fmt.Errorf("fail: %q: %v", url, err)
39 | 	}
40 | 	return resp, err
41 | }
42 | 
43 | // Make a HTTP HEAD request for url and retry 3 times, with an exponential backoff.
44 | func Head(url string) (resp *http.Response, err error) {
45 | 	backoff := retry.NewExponential(1 * time.Second)
46 | 	if err := retry.Do(context.Background(), retry.WithMaxRetries(3, backoff), func(ctx context.Context) error {
47 | 		req, err := http.NewRequest("HEAD", url, nil)
48 | 		if err != nil {
49 | 			return err
50 | 		}
51 | 
52 | 		req.Header.Set("User-Agent", "osv-linter")
53 | 
54 | 		r, err := http.DefaultClient.Do(req)
55 | 		if err != nil {
56 | 			return err
57 | 		}
58 | 		defer r.Body.Close()
59 | 
60 | 		switch r.StatusCode / 100 {
61 | 		case 4:
62 | 			return fmt.Errorf("bad response: %v", r.StatusCode)
63 | 		case 5:
64 | 			return retry.RetryableError(fmt.Errorf("bad response: %v", r.StatusCode))
65 | 		default:
66 | 			resp = r
67 | 			return nil
68 | 		}
69 | 	}); err != nil {
70 | 		return nil, fmt.Errorf("fail: %q: %v", url, err)
71 | 	}
72 | 	return resp, err
73 | }
74 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/withdrawn.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-35c4-f3rq-f9g3",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-35c4-f3rq-f9g3"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2015-3227"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3227"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-35c4-f3rq-f9g3"
17 |     }
18 |   ],
19 |   "description": "Withdrawn, accidental duplicate publish.\r\n\r\nThe (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.",
20 |   "summary": "Moderate severity vulnerability that affects activesupport",
21 |   "severity": "MODERATE",
22 |   "cvss": {
23 |     "score": 0,
24 |     "vectorString": null
25 |   },
26 |   "cwes": {
27 |     "nodes": []
28 |   },
29 |   "permalink": "https://github.com/advisories/GHSA-35c4-f3rq-f9g3",
30 |   "publishedAt": "2018-09-17T21:57:23Z",
31 |   "updatedAt": "2019-07-03T21:02:03Z",
32 |   "withdrawnAt": "2018-10-11T17:29:49Z",
33 |   "vulnerabilities": {
34 |     "nodes": [
35 |       {
36 |         "package": {
37 |           "ecosystem": "RUBYGEMS",
38 |           "name": "activesupport"
39 |         },
40 |         "firstPatchedVersion": {
41 |           "identifier": "3.2.22"
42 |         },
43 |         "vulnerableVersionRange": ">= 3.2.0, < 3.2.22"
44 |       },
45 |       {
46 |         "package": {
47 |           "ecosystem": "RUBYGEMS",
48 |           "name": "activesupport"
49 |         },
50 |         "firstPatchedVersion": {
51 |           "identifier": "4.2.2"
52 |         },
53 |         "vulnerableVersionRange": ">= 4.2.0, < 4.2.2"
54 |       },
55 |       {
56 |         "package": {
57 |           "ecosystem": "RUBYGEMS",
58 |           "name": "activesupport"
59 |         },
60 |         "firstPatchedVersion": {
61 |           "identifier": "4.1.11"
62 |         },
63 |         "vulnerableVersionRange": ">= 4.0.0, < 4.1.11"
64 |       }
65 |     ]
66 |   }
67 | }
68 | 


--------------------------------------------------------------------------------
/docs/_config.yml:
--------------------------------------------------------------------------------
 1 | # Welcome to Jekyll!
 2 | #
 3 | # This config file is meant for settings that affect your whole blog, values
 4 | # which you are expected to set up once and rarely edit after that. If you find
 5 | # yourself editing this file very often, consider using Jekyll's data files
 6 | # feature for the data you need to update frequently.
 7 | #
 8 | # For technical reasons, this file is *NOT* reloaded automatically when you use
 9 | # 'bundle exec jekyll serve'. If you change this file, please restart the server process.
10 | #
11 | # If you need help with YAML syntax, here are some quick references for you: 
12 | # https://learn-the-web.algonquindesign.ca/topics/markdown-yaml-cheat-sheet/#yaml
13 | # https://learnxinyminutes.com/docs/yaml/
14 | #
15 | # Site settings
16 | # These are used to personalize your new site. If you look in the HTML files,
17 | # you will see them accessed via {{ site.title }}, {{ site.email }}, and so on.
18 | # You can create any custom variable you would like, and they will be accessible
19 | # in the templates via {{ site.myvariable }}.
20 | 
21 | title: Open Source Vulnerability schema
22 | description: >- # this means to ignore newlines until "baseurl:"
23 |   Open Source Vulnerability schema.
24 | baseurl: "/osv-schema" # the subpath of your site, e.g. /blog
25 | url: "" # the base hostname & protocol for your site, e.g. http://example.com
26 | 
27 | remote_theme: kitian616/jekyll-TeXt-theme
28 | repository: ossf/osv-schema
29 | repository_tree: main/docs
30 | 
31 | plugins:
32 |   - "jekyll-github-metadata"
33 | 
34 | # Exclude from processing.
35 | # The following items will not be processed, by default.
36 | # Any item listed under the `exclude:` key here will be automatically added to
37 | # the internal "default list".
38 | #
39 | # Excluded items can be processed by explicitly listing the directories or
40 | # their entries' file path in the `include:` list.
41 | #
42 | # exclude:
43 | #   - .sass-cache/
44 | #   - .jekyll-cache/
45 | #   - gemfiles/
46 | #   - Gemfile
47 | #   - Gemfile.lock
48 | #   - node_modules/
49 | #   - vendor/bundle/
50 | #   - vendor/cache/
51 | #   - vendor/gems/
52 | #   - vendor/ruby/
53 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/equals_with_patch.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-fhjf-83wg-r2j9",
 4 |   "aliases": [
 5 |     "CVE-2019-10746"
 6 |   ],
 7 |   "published": "2019-08-27T17:42:33Z",
 8 |   "modified": "2021-07-27T21:26:01Z",
 9 |   "summary": "Prototype Pollution in mixin-deep",
10 |   "details": "Versions of `mixin-deep` prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The `mixinDeep` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.\n\n\n\n\n## Recommendation\n\nIf you are using `mixin-deep` 2.x, upgrade to version 2.0.1 or later.\nIf you are using `mixin-deep` 1.x, upgrade to version 1.3.2 or later.",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10746"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "npm",
25 |         "name": "mixin-deep"
26 |       },
27 |       "ranges": [
28 |         {
29 |           "type": "SEMVER",
30 |           "events": [
31 |             {
32 |               "introduced": "0"
33 |             },
34 |             {
35 |               "introduced": "2.0.0"
36 |             },
37 |             {
38 |               "fixed": "2.0.1"
39 |             },
40 |             {
41 |               "fixed": "1.3.2"
42 |             }
43 |           ]
44 |         }
45 |       ],
46 |       "versions": [],
47 |       "database_specific": {
48 |         "ghsa": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9",
49 |         "cwes": [
50 |           {
51 |             "cweId": "CWE-88",
52 |             "description": "The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.",
53 |             "name": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"
54 |           }
55 |         ]
56 |       }
57 |     }
58 |   ]
59 | }
60 | 


--------------------------------------------------------------------------------
/tools/osv-linter/cmd/osv/main.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"log"
 5 | 	"os"
 6 | 
 7 | 	"github.com/ossf/osv-schema/linter/internal"
 8 | 	"github.com/ossf/osv-schema/linter/internal/checks"
 9 | 	"github.com/urfave/cli/v2"
10 | )
11 | 
12 | func main() {
13 | 	app := &cli.App{
14 | 		Name:  "osv",
15 | 		Usage: "OSV general purpose tool",
16 | 		Commands: []*cli.Command{
17 | 			{
18 | 				Name:  "record",
19 | 				Usage: "operations on OSV records",
20 | 				Subcommands: []*cli.Command{
21 | 					{
22 | 						Name: "lint",
23 | 						Flags: []cli.Flag{
24 | 							&cli.BoolFlag{
25 | 								Name:  "verbose",
26 | 								Usage: "verbose output",
27 | 							},
28 | 							&cli.StringFlag{
29 | 								Name:  "collection",
30 | 								Value: "ALL",
31 | 								Usage: "check collection to use (use 'list' to see)",
32 | 							},
33 | 							&cli.StringSliceFlag{
34 | 								Name:  "checks",
35 | 								Value: &cli.StringSlice{},
36 | 								Usage: "explicitly run a specific check (use 'list' to see)",
37 | 							},
38 | 							&cli.StringSliceFlag{
39 | 								Name:  "ecosystems",
40 | 								Value: &cli.StringSlice{},
41 | 								Usage: "the ecosystems to constrain package checks to (use 'list' to see)",
42 | 							},
43 | 							&cli.BoolFlag{
44 | 								Name:  "json",
45 | 								Usage: "output results as JSON",
46 | 							},
47 | 							&cli.BoolFlag{
48 | 								Name:  "new-ecosystem",
49 | 								Usage: "ignore certain checks for new ecosystems (e.g. schema pattern checks, unsupported ecosystem checks)",
50 | 							},
51 | 							&cli.IntFlag{
52 | 								Name:  "parallel",
53 | 								Usage: "how many files to process in parallel",
54 | 								Value: 1,
55 | 							},
56 | 							&cli.StringFlag{
57 | 								Name:  "schema-file",
58 | 								Usage: "path to a custom schema file to be used instead of the embedded one",
59 | 								Action: func(_ *cli.Context, s string) error {
60 | 									b, err := os.ReadFile(s)
61 | 
62 | 									if err == nil {
63 | 										checks.LoadedSchema = b
64 | 									}
65 | 
66 | 									return err
67 | 								},
68 | 							},
69 | 						},
70 | 						Aliases: []string{"check"},
71 | 						Usage:   "check OSV records for correctness",
72 | 						Action:  internal.LintCommand,
73 | 					},
74 | 				},
75 | 			},
76 | 		},
77 | 	}
78 | 
79 | 	if err := app.Run(os.Args); err != nil {
80 | 		log.Fatal(err)
81 | 	}
82 | }
83 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/equals_with_patch.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-fhjf-83wg-r2j9",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-fhjf-83wg-r2j9"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2019-10746"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10746"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9"
17 |     }
18 |   ],
19 |   "description": "Versions of `mixin-deep` prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The `mixinDeep` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.\n\n\n\n\n## Recommendation\n\nIf you are using `mixin-deep` 2.x, upgrade to version 2.0.1 or later.\nIf you are using `mixin-deep` 1.x, upgrade to version 1.3.2 or later.",
20 |   "summary": "Prototype Pollution in mixin-deep",
21 |   "severity": "CRITICAL",
22 |   "cvss": {
23 |     "score": 9.8,
24 |     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
25 |   },
26 |   "cwes": {
27 |     "nodes": [
28 |       {
29 |         "cweId": "CWE-88",
30 |         "description": "The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.",
31 |         "name": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"
32 |       }
33 |     ]
34 |   },
35 |   "permalink": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9",
36 |   "publishedAt": "2019-08-27T17:42:33Z",
37 |   "updatedAt": "2021-07-27T21:26:01Z",
38 |   "withdrawnAt": null,
39 |   "vulnerabilities": {
40 |     "nodes": [
41 |       {
42 |         "package": {
43 |           "ecosystem": "NPM",
44 |           "name": "mixin-deep"
45 |         },
46 |         "firstPatchedVersion": {
47 |           "identifier": "2.0.1"
48 |         },
49 |         "vulnerableVersionRange": "= 2.0.0"
50 |       },
51 |       {
52 |         "package": {
53 |           "ecosystem": "NPM",
54 |           "name": "mixin-deep"
55 |         },
56 |         "firstPatchedVersion": {
57 |           "identifier": "1.3.2"
58 |         },
59 |         "vulnerableVersionRange": "< 1.3.2"
60 |       }
61 |     ]
62 |   }
63 | }
64 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute
 2 | 
 3 | We'd love to accept your patches and contributions to this project. There are
 4 | just a few small guidelines you need to follow.
 5 | 
 6 | ## Code of Conduct
 7 | 
 8 | This is a project of the [Open Source Security Foundation](https://github.com/ossf/) and follows its [Code of Conduct](CODE_OF_CONDUCT.md).
 9 | 
10 | ## Accepted Contributions
11 | 
12 | This repository is primarily for the OSV Schema definition([human-readable](docs/schema.md) and [JSON Schema](validation/schema.json)), and related tooling.
13 | 
14 | See the [guiding principles](GUIDING_PRINCIPLES.md) for background thinking behind the schema's design, and what is more and less likely to be acceptable in the way of changes.
15 | 
16 | For more substantial changes, we encourage you to open an issue for discussion and to also engage with the [OpenSSF Vulnerability Working Group](https://github.com/ossf/wg-vulnerability-disclosures/) about the proposed change.
17 | 
18 | ## Code Reviews
19 | 
20 | All submissions, including submissions by project members, require review. We
21 | use GitHub pull requests for this purpose. Consult
22 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
23 | information on using pull requests.
24 | 
25 | ## Adding a new ecosystem
26 | 
27 | To add a new ecosystem, follow these steps:
28 | 
29 | 1.  **`ecosystems.json`**: Add an entry for the new ecosystem and it's description.
30 |     * If your ecosystem has multiple separate release, please include how releases are specified.
31 | 
32 | 2.  **Database-specific prefix**: Generally a new ecosystem will introduce a new database-specific ID prefix (e.g., `GHSA` for GitHub Security Advisories), please add it to:
33 |     *   The "Database-specific prefixes" table in `docs/schema.md`.
34 |     *   The `prefix` pattern within `validation/schema.json`.
35 | 
36 | 3.  **`README.md`**: Add the new ecosystem to the list of data exporters in the README.
37 | 
38 | 4.  **Run update script**: Finally, run `python3 ./scripts/update-ecosystems-lists.py`. This script will automatically update the following files based on your changes to `ecosystems.json`:
39 |     *   `bindings/go/osvschema/constants.go`
40 |     *   The main ecosystem table in `docs/schema.md`
41 |     *   The ecosystem enum in `validation/schema.json`
42 |     *   Make a copy of the `validation/schema.json` for the linter in `tools/osv-linter/internal/checks/schema_generated.json`
43 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/nointroduced-CVE-2023-41045.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "id": "CVE-2023-41045",
 3 |   "severity": [
 4 |     {
 5 |       "type": "CVSS_V3",
 6 |       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
 7 |     }
 8 |   ],
 9 |   "details": "Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against recommended practice since 2008, when Dan Kaminsky discovered how easy is to carry out DNS cache poisoning attacks. In order to prevent cache poisoning with spoofed DNS responses, it is necessary to maximise the uncertainty in the choice of a source port for a DNS query. Although unlikely in many setups, an external attacker could inject forged DNS responses into a Graylog's lookup table cache. In order to prevent this, it is at least recommendable to distribute the DNS queries through a pool of distinct sockets, each of them with a random source port and renew them periodically. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. There are no known workarounds for this issue.",
10 |   "affected": [
11 |     {
12 |       "ranges": [
13 |         {
14 |           "type": "GIT",
15 |           "repo": "https://github.com/graylog2/graylog2-server",
16 |           "events": [
17 |             {
18 |               "fixed": "466af814523cffae9fbc7e77bab7472988f03c3e"
19 |             },
20 |             {
21 |               "fixed": "a101f4f12180fd3dfa7d3345188a099877a3c327"
22 |             }
23 |           ]
24 |         }
25 |       ]
26 |     }
27 |   ],
28 |   "references": [
29 |     {
30 |       "type": "ADVISORY",
31 |       "url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-g96c-x7rh-99r3"
32 |     },
33 |     {
34 |       "type": "EVIDENCE",
35 |       "url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-g96c-x7rh-99r3"
36 |     },
37 |     {
38 |       "type": "FIX",
39 |       "url": "https://github.com/Graylog2/graylog2-server/commit/466af814523cffae9fbc7e77bab7472988f03c3e"
40 |     },
41 |     {
42 |       "type": "FIX",
43 |       "url": "https://github.com/Graylog2/graylog2-server/commit/a101f4f12180fd3dfa7d3345188a099877a3c327"
44 |     }
45 |   ],
46 |   "aliases": [
47 |     "GHSA-g96c-x7rh-99r3"
48 |   ],
49 |   "modified": "2023-09-06T20:02:28Z",
50 |   "published": "2023-08-31T18:15:09Z"
51 | }
52 | 


--------------------------------------------------------------------------------
/docs/_data/variables.yml:
--------------------------------------------------------------------------------
 1 | default:
 2 |   text_skin: default
 3 |   highlight_theme: default
 4 |   lang: en
 5 |   paths:
 6 |     root: /
 7 |     home: /
 8 |   mathjax: false
 9 |   mathjax_autoNumber: false
10 |   mermaid: false
11 |   chart: false
12 |   toc:
13 |     selectors: 'h1,h2,h3'
14 |   sources: jsdelivr
15 | 
16 |   page:
17 |     mode: normal
18 |     type: webpage
19 |     article_header:
20 |       align: left
21 |       theme: light
22 |     articles:
23 |       show_cover: true
24 |       show_excerpt: false
25 |       show_readmore: false
26 |       show_info: false
27 |     show_title: true
28 |     show_edit_on_github: true
29 |     show_date: true
30 |     show_tags: true
31 |     show_author_profile: false
32 |     show_subscribe: false
33 |     full_width: false
34 |     sharing: false
35 |     comment: true
36 |     license: false
37 |     pageview: false
38 |     search: default
39 | 
40 | sources:
41 |   jsdelivr:
42 |     font_awesome: 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/all.min.css'
43 |     jquery: 'https://cdn.jsdelivr.net/npm/jquery@3.1.1/dist/jquery.min.js'
44 |   bootcdn:
45 |     font_awesome: 'https://cdn.bootcdn.net/ajax/libs/font-awesome/5.15.1/css/all.css'
46 |     jquery: 'https://cdn.bootcss.com/jquery/3.1.1/jquery.min.js'
47 |     leancloud_js_sdk: '//cdn.jsdelivr.net/npm/leancloud-storage@3.13.2/dist/av-min.js'
48 |     chart: 'https://cdn.bootcss.com/Chart.js/2.7.2/Chart.bundle.min.js'
49 |     gitalk:
50 |       js: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.js'
51 |       css: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.css'
52 |     valine: 'https://unpkg.com/valine/dist/Valine.min.js' # bootcdn not available
53 |     mathjax: 'https://cdn.bootcss.com/mathjax/2.7.4/MathJax.js?config=TeX-MML-AM_CHTML'
54 |     mermaid: 'https://cdn.bootcss.com/mermaid/8.0.0-rc.8/mermaid.min.js'
55 |   unpkg:
56 |     font_awesome: 'https://use.fontawesome.com/releases/v5.15.1/css/all.css'
57 |     jquery: 'https://unpkg.com/jquery@3.3.1/dist/jquery.min.js'
58 |     leancloud_js_sdk: '//cdn.jsdelivr.net/npm/leancloud-storage@3.13.2/dist/av-min.js'
59 |     chart: 'https://unpkg.com/chart.js@2.7.2/dist/Chart.min.js'
60 |     gitalk:
61 |       js: 'https://unpkg.com/gitalk@1.2.2/dist/gitalk.min.js'
62 |       css: 'https://unpkg.com/gitalk@1.2.2/dist/gitalk.css'
63 |     valine: 'https//unpkg.com/valine/dist/Valine.min.js'
64 |     mathjax: 'https://unpkg.com/mathjax@2.7.4/unpacked/MathJax.js?config=TeX-MML-AM_CHTML'
65 |     mermaid: 'https://unpkg.com/mermaid@8.0.0-rc.8/dist/mermaid.min.js'
66 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/pkgchecker/packagist.go:
--------------------------------------------------------------------------------
 1 | package pkgchecker
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"io"
 6 | 	"net/http"
 7 | 	"net/url"
 8 | 	"strings"
 9 | 	"sync"
10 | 
11 | 	"github.com/ossf/osv-schema/linter/internal/faulttolerant"
12 | 	"github.com/tidwall/gjson"
13 | )
14 | 
15 | var packagistCache sync.Map
16 | 
17 | func fetchPackagistPackagesInfo(repo string) ([]byte, error) {
18 | 	resp, err := faulttolerant.Get(repo)
19 | 	if err != nil {
20 | 		return nil, fmt.Errorf("unable to fetch packages.json: %v", err)
21 | 	}
22 | 	defer resp.Body.Close()
23 | 	if resp.StatusCode != http.StatusOK {
24 | 		return nil, fmt.Errorf("unable to fetch packages.json: %q for %s", resp.Status, repo)
25 | 	}
26 | 
27 | 	return io.ReadAll(resp.Body)
28 | }
29 | 
30 | // fetchPackagistMetadataUrl returns the metadata-url that should be used
31 | // for the given Packagist-based repository.
32 | //
33 | // The URL will include "%package%" to indicate where the package name goes,
34 | // and be absolute.
35 | //
36 | // also see https://getcomposer.org/doc/05-repositories.md#metadata-url-available-packages-and-available-package-patterns
37 | func fetchPackagistMetadataUrlActual(repo string) (string, error) {
38 | 	packagesInfo, err := fetchPackagistPackagesInfo(repo + "/packages.json")
39 | 
40 | 	if err != nil {
41 | 		return "", err
42 | 	}
43 | 
44 | 	// todo: this field is only supported by Composer v2, and technically
45 | 	//  not the only way to provide packages
46 | 	metadataURL := gjson.GetBytes(packagesInfo, "metadata-url").String()
47 | 
48 | 	if strings.HasPrefix(metadataURL, "http") {
49 | 		return metadataURL, nil
50 | 	}
51 | 
52 | 	parsed, err := url.Parse(repo)
53 | 
54 | 	if err != nil {
55 | 		return "", err
56 | 	}
57 | 
58 | 	return fmt.Sprintf("%s://%s%s", parsed.Scheme, parsed.Host, metadataURL), nil
59 | }
60 | 
61 | func fetchPackagistMetadataUrl(repo string) (string, error) {
62 | 	cached, ok := packagistCache.Load(repo)
63 | 
64 | 	if !ok {
65 | 		metadataURL, err := fetchPackagistMetadataUrlActual(repo)
66 | 
67 | 		if err != nil {
68 | 			return "", err
69 | 		}
70 | 
71 | 		cached, _ = packagistCache.LoadOrStore(repo, metadataURL)
72 | 	}
73 | 
74 | 	return cached.(string), nil
75 | }
76 | 
77 | func resolvePackagistPackageInstanceURL(pkg string, repo string) (string, error) {
78 | 	if repo == "" {
79 | 		repo = "https://packagist.org"
80 | 	}
81 | 
82 | 	metadataURL, err := fetchPackagistMetadataUrl(repo)
83 | 
84 | 	if err != nil {
85 | 		return "", err
86 | 	}
87 | 
88 | 	return strings.ReplaceAll(metadataURL, "%package%", pkg), nil
89 | }
90 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/CVE-2023-41045.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "id": "CVE-2023-41045",
 3 |   "severity": [
 4 |     {
 5 |       "type": "CVSS_V3",
 6 |       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
 7 |     }
 8 |   ],
 9 |   "details": "Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against recommended practice since 2008, when Dan Kaminsky discovered how easy is to carry out DNS cache poisoning attacks. In order to prevent cache poisoning with spoofed DNS responses, it is necessary to maximise the uncertainty in the choice of a source port for a DNS query. Although unlikely in many setups, an external attacker could inject forged DNS responses into a Graylog's lookup table cache. In order to prevent this, it is at least recommendable to distribute the DNS queries through a pool of distinct sockets, each of them with a random source port and renew them periodically. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. There are no known workarounds for this issue.",
10 |   "affected": [
11 |     {
12 |       "ranges": [
13 |         {
14 |           "type": "GIT",
15 |           "repo": "https://github.com/graylog2/graylog2-server",
16 |           "events": [
17 |             {
18 |               "introduced": "0"
19 |             },
20 |             {
21 |               "fixed": "466af814523cffae9fbc7e77bab7472988f03c3e"
22 |             },
23 |             {
24 |               "fixed": "a101f4f12180fd3dfa7d3345188a099877a3c327"
25 |             }
26 |           ]
27 |         }
28 |       ]
29 |     }
30 |   ],
31 |   "references": [
32 |     {
33 |       "type": "ADVISORY",
34 |       "url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-g96c-x7rh-99r3"
35 |     },
36 |     {
37 |       "type": "EVIDENCE",
38 |       "url": "https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-g96c-x7rh-99r3"
39 |     },
40 |     {
41 |       "type": "FIX",
42 |       "url": "https://github.com/Graylog2/graylog2-server/commit/466af814523cffae9fbc7e77bab7472988f03c3e"
43 |     },
44 |     {
45 |       "type": "FIX",
46 |       "url": "https://github.com/Graylog2/graylog2-server/commit/a101f4f12180fd3dfa7d3345188a099877a3c327"
47 |     }
48 |   ],
49 |   "aliases": [
50 |     "GHSA-g96c-x7rh-99r3"
51 |   ],
52 |   "modified": "2023-09-06T20:02:28Z",
53 |   "published": "2023-08-31T18:15:09Z"
54 | }
55 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/maven_greater_than.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-76mp-659p-rw65",
 4 |   "aliases": [
 5 |     "CVE-2021-32620"
 6 |   ],
 7 |   "published": "2021-05-18T18:36:21Z",
 8 |   "modified": "2021-06-08T17:00:19Z",
 9 |   "summary": "Users registered with email verification can self re-activate their disabled accounts",
10 |   "details": "### Impact\nA user disabled on a wiki using email verification for registration can re-activate himself by using the activation link provided for his registration. \n\n### Patches\nThe problem has been patched in the following versions of XWiki: 11.10.13,  12.6.7, 12.10.2, 13.0.\n\n### Workarounds\nIt's possible to workaround the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with object editor.\n\n### References\nhttps://jira.xwiki.org/browse/XWIKI-17942\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira](http://jira.xwiki.org)\n* Email us at [Security mailing-list](mailto:security@xwiki.org)\n",
11 |   "references": [
12 |     {
13 |       "type": "WEB",
14 |       "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-76mp-659p-rw65"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32620"
19 |     },
20 |     {
21 |       "type": "ADVISORY",
22 |       "url": "https://github.com/advisories/GHSA-76mp-659p-rw65"
23 |     }
24 |   ],
25 |   "affected": [
26 |     {
27 |       "package": {
28 |         "ecosystem": "Maven",
29 |         "name": "org.xwiki.commons:xwiki-commons-core"
30 |       },
31 |       "ranges": [
32 |         {
33 |           "type": "ECOSYSTEM",
34 |           "events": [
35 |             {
36 |               "introduced": "12.10.0"
37 |             },
38 |             {
39 |               "fixed": "12.10.2"
40 |             },
41 |             {
42 |               "introduced": "12.0"
43 |             },
44 |             {
45 |               "fixed": "12.6.7"
46 |             },
47 |             {
48 |               "introduced": "11.6.1"
49 |             },
50 |             {
51 |               "fixed": "11.10.13"
52 |             }
53 |           ]
54 |         }
55 |       ],
56 |       "versions": [],
57 |       "database_specific": {
58 |         "ghsa": "https://github.com/advisories/GHSA-76mp-659p-rw65",
59 |         "cwes": [
60 |           {
61 |             "cweId": "CWE-285",
62 |             "description": "The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.",
63 |             "name": "Improper Authorization"
64 |           }
65 |         ]
66 |       }
67 |     }
68 |   ]
69 | }
70 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/full_ranges.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-mr95-9rr4-668f",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-mr95-9rr4-668f"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2018-16115"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16115"
14 |     },
15 |     {
16 |       "url": "https://github.com/advisories/GHSA-mr95-9rr4-668f"
17 |     }
18 |   ],
19 |   "description": "Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG implementations were not configured by default but examples in the documentation showed (and therefore implicitly recommended) using the custom ones. This can be used by an attacker to compromise the communication if these random number generators are enabled in configuration. It would be possible to eavesdrop, replay, or modify the messages sent with Akka Remoting/Cluster.",
20 |   "summary": "High severity vulnerability that affects com.typesafe.akka:akka-actor_2.11 and com.typesafe.akka:akka-actor_2.12",
21 |   "severity": "CRITICAL",
22 |   "cvss": {
23 |     "score": 9.1,
24 |     "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
25 |   },
26 |   "cwes": {
27 |     "nodes": [
28 |       {
29 |         "cweId": "CWE-338",
30 |         "description": "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
31 |         "name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
32 |       }
33 |     ]
34 |   },
35 |   "permalink": "https://github.com/advisories/GHSA-mr95-9rr4-668f",
36 |   "publishedAt": "2018-10-22T20:44:26Z",
37 |   "updatedAt": "2021-09-15T20:58:47Z",
38 |   "withdrawnAt": null,
39 |   "vulnerabilities": {
40 |     "nodes": [
41 |       {
42 |         "package": {
43 |           "ecosystem": "MAVEN",
44 |           "name": "com.typesafe.akka:akka-actor_2.12"
45 |         },
46 |         "firstPatchedVersion": {
47 |           "identifier": "2.5.16"
48 |         },
49 |         "vulnerableVersionRange": ">= 2.5.0, < 2.5.16"
50 |       },
51 |       {
52 |         "package": {
53 |           "ecosystem": "MAVEN",
54 |           "name": "com.typesafe.akka:akka-actor_2.11"
55 |         },
56 |         "firstPatchedVersion": {
57 |           "identifier": "2.5.16"
58 |         },
59 |         "vulnerableVersionRange": ">= 2.5.0, < 2.5.16"
60 |       }
61 |     ]
62 |   }
63 | }
64 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # Change Log
 2 | 
 3 | - 2021-03-29 added "withdrawn" field
 4 | - 2021-04-07 changed "details" to Markdown, change "references" to a list of
 5 |   objects with a new "type" field in addition to the URL.
 6 | - 2021-04-23 handful of changes, see Status - 2021-04-23 below for details. Corrected examples.
 7 | - 2021-04-26 changed `database-specific` and `ecosystem-specific` to
 8 |   `database_specific` and `ecosystem_specific` for easier access from languages
 9 |   that access JSON field keys using x.field notation.
10 | - 2021-06-08 Added "purl" to the "package" field and some minor clarifications.
11 | - 2021-06-30 Fixed an incorrect/typoed specification for "affects" from an array
12 |   of objects to an object.
13 | - 2021-08-17 Support multiple packages per entry by moving `packages`,
14 |   `ecosystem_specific` and `database_specific` into `affected`. The `affected`
15 |   field is intentionally named differently to the previous `affects` field to
16 |   make migration easier. Also use "events" containing single versions to
17 |   represent affected version ranges instead.
18 | - 2021-09-08 Promoted schema to 1.0.
19 | - 2022-01-19 Released version 1.2.0. Includes various changes suggested by
20 |   GitHub (`schema_version`, top-level `database_specific`, `credits`,
21 |   `severity`, relaxation of version enumeration requirement).
22 | - 2022-03-24 Released version 1.3.0. Added `last_affected` event type and
23 |   `database_specific` to `affected[].ranges[]`.
24 |   Context: https://github.com/ossf/osv-schema/issues/35.
25 | - 2023-02-21 Released version 1.4.0. Added per package `severity` and
26 |   credit types.
27 | - 2023-04-26 Released version 1.5.0. Added new reference types.
28 | - 2023-08-11 Released version 1.6.0. Several new databases and clarified
29 |   definitions of `aliases` and `related`.
30 | - 2023-11-29 Released version 1.6.1. Some cleanup of the schema layout.
31 | - 2024-01-16 Released version 1.6.2. Added CVSS_V4 and Ubuntu ecosystem.
32 | - 2024-04-05 Released version 1.6.3. Added Maven registry support.
33 | - 2024-08-21 Released version 1.6.4. Some clarifications for existing fields
34 |   (`aliases`, `affected[].versions[]`), ecosystems (`Android`), and addition of
35 |   new ecosystems (Mageia, Chainguard).
36 | - 2024-09-03 Released version 1.6.5. Added SuSE ecosystems and ELA, UBUNTU ID
37 |   prefixes.
38 | - 2024-09-12 Released version 1.6.6. Add RHBA, RHEA, SUSE-OU prefixes.
39 | - 2024-09-16 Released version 1.6.7. JSON schema and minor text formatting changes.
40 | - 2025-03-05 Released version 1.7.0. Add `upstream` field, `V8-` ID prefix,
41 |   Kubernetes ecosystem, `Ubuntu` severity type.
42 | - 2025-08-05 Released version 1.7.2. Add new ecosystems (openEuler, MinimOS, BellSoft Alpaquita and Hardened Containers, Ubuntu LSN).
43 | - 2025-08-15 Released version 1.7.3. Add Echo ecosystem.
44 | - 2025-10-27 Released version 1.7.4. Add the following prefixes: EFF (Erlang), JLSEC (Julia), ALPINE-, DEBIAN-.
45 | 


--------------------------------------------------------------------------------
/bindings/go/osvconstants/constants.go:
--------------------------------------------------------------------------------
 1 | // Code generated by scripts/update-ecosystems-lists.py. DO NOT EDIT.
 2 | package osvconstants
 3 | 
 4 | const SchemaVersion = "1.7.3"
 5 | 
 6 | type Ecosystem string
 7 | 
 8 | const (
 9 | 	EcosystemAlmaLinux                  Ecosystem = "AlmaLinux"
10 | 	EcosystemAlpaquita                  Ecosystem = "Alpaquita"
11 | 	EcosystemAlpine                     Ecosystem = "Alpine"
12 | 	EcosystemAndroid                    Ecosystem = "Android"
13 | 	EcosystemBellSoftHardenedContainers Ecosystem = "BellSoft Hardened Containers"
14 | 	EcosystemBioconductor               Ecosystem = "Bioconductor"
15 | 	EcosystemBitnami                    Ecosystem = "Bitnami"
16 | 	EcosystemChainguard                 Ecosystem = "Chainguard"
17 | 	EcosystemCleanStart                 Ecosystem = "CleanStart"
18 | 	EcosystemConanCenter                Ecosystem = "ConanCenter"
19 | 	EcosystemCRAN                       Ecosystem = "CRAN"
20 | 	EcosystemCratesIO                   Ecosystem = "crates.io"
21 | 	EcosystemDebian                     Ecosystem = "Debian"
22 | 	EcosystemDockerHardenedImages       Ecosystem = "Docker Hardened Images"
23 | 	EcosystemEcho                       Ecosystem = "Echo"
24 | 	EcosystemFreeBSD                    Ecosystem = "FreeBSD"
25 | 	EcosystemGHC                        Ecosystem = "GHC"
26 | 	EcosystemGitHubActions              Ecosystem = "GitHub Actions"
27 | 	EcosystemGo                         Ecosystem = "Go"
28 | 	EcosystemHackage                    Ecosystem = "Hackage"
29 | 	EcosystemHex                        Ecosystem = "Hex"
30 | 	EcosystemJulia                      Ecosystem = "Julia"
31 | 	EcosystemKubernetes                 Ecosystem = "Kubernetes"
32 | 	EcosystemLinux                      Ecosystem = "Linux"
33 | 	EcosystemMageia                     Ecosystem = "Mageia"
34 | 	EcosystemMaven                      Ecosystem = "Maven"
35 | 	EcosystemMinimOS                    Ecosystem = "MinimOS"
36 | 	EcosystemNPM                        Ecosystem = "npm"
37 | 	EcosystemNuGet                      Ecosystem = "NuGet"
38 | 	EcosystemOpam                       Ecosystem = "opam"
39 | 	EcosystemOpenEuler                  Ecosystem = "openEuler"
40 | 	EcosystemOpenSUSE                   Ecosystem = "openSUSE"
41 | 	EcosystemOSSFuzz                    Ecosystem = "OSS-Fuzz"
42 | 	EcosystemPackagist                  Ecosystem = "Packagist"
43 | 	EcosystemPhotonOS                   Ecosystem = "Photon OS"
44 | 	EcosystemPub                        Ecosystem = "Pub"
45 | 	EcosystemPyPI                       Ecosystem = "PyPI"
46 | 	EcosystemRedHat                     Ecosystem = "Red Hat"
47 | 	EcosystemRockyLinux                 Ecosystem = "Rocky Linux"
48 | 	EcosystemRubyGems                   Ecosystem = "RubyGems"
49 | 	EcosystemSUSE                       Ecosystem = "SUSE"
50 | 	EcosystemSwiftURL                   Ecosystem = "SwiftURL"
51 | 	EcosystemUbuntu                     Ecosystem = "Ubuntu"
52 | 	EcosystemVSCode                     Ecosystem = "VSCode"
53 | 	EcosystemWolfi                      Ecosystem = "Wolfi"
54 | )
55 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/maven_greater_than.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-76mp-659p-rw65",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-76mp-659p-rw65"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2021-32620"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-76mp-659p-rw65"
14 |     },
15 |     {
16 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32620"
17 |     },
18 |     {
19 |       "url": "https://github.com/advisories/GHSA-76mp-659p-rw65"
20 |     }
21 |   ],
22 |   "description": "### Impact\nA user disabled on a wiki using email verification for registration can re-activate himself by using the activation link provided for his registration. \n\n### Patches\nThe problem has been patched in the following versions of XWiki: 11.10.13,  12.6.7, 12.10.2, 13.0.\n\n### Workarounds\nIt's possible to workaround the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with object editor.\n\n### References\nhttps://jira.xwiki.org/browse/XWIKI-17942\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira](http://jira.xwiki.org)\n* Email us at [Security mailing-list](mailto:security@xwiki.org)\n",
23 |   "summary": "Users registered with email verification can self re-activate their disabled accounts",
24 |   "severity": "HIGH",
25 |   "cvss": {
26 |     "score": 8.8,
27 |     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
28 |   },
29 |   "cwes": {
30 |     "nodes": [
31 |       {
32 |         "cweId": "CWE-285",
33 |         "description": "The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.",
34 |         "name": "Improper Authorization"
35 |       }
36 |     ]
37 |   },
38 |   "permalink": "https://github.com/advisories/GHSA-76mp-659p-rw65",
39 |   "publishedAt": "2021-05-18T18:36:21Z",
40 |   "updatedAt": "2021-06-08T17:00:19Z",
41 |   "withdrawnAt": null,
42 |   "vulnerabilities": {
43 |     "nodes": [
44 |       {
45 |         "package": {
46 |           "ecosystem": "MAVEN",
47 |           "name": "org.xwiki.commons:xwiki-commons-core"
48 |         },
49 |         "firstPatchedVersion": {
50 |           "identifier": "12.10.2"
51 |         },
52 |         "vulnerableVersionRange": ">= 12.10.0, < 12.10.2"
53 |       },
54 |       {
55 |         "package": {
56 |           "ecosystem": "MAVEN",
57 |           "name": "org.xwiki.commons:xwiki-commons-core"
58 |         },
59 |         "firstPatchedVersion": {
60 |           "identifier": "12.6.7"
61 |         },
62 |         "vulnerableVersionRange": ">= 12.0, < 12.6.7"
63 |       },
64 |       {
65 |         "package": {
66 |           "ecosystem": "MAVEN",
67 |           "name": "org.xwiki.commons:xwiki-commons-core"
68 |         },
69 |         "firstPatchedVersion": {
70 |           "identifier": "11.10.13"
71 |         },
72 |         "vulnerableVersionRange": "> 11.6, < 11.10.13"
73 |       }
74 |     ]
75 |   }
76 | }
77 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/pypi_normalize.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ghsaId": "GHSA-p44j-xrqg-4xrr",
 3 |   "identifiers": [
 4 |     {
 5 |       "value": "GHSA-p44j-xrqg-4xrr"
 6 |     },
 7 |     {
 8 |       "value": "CVE-2021-21337"
 9 |     }
10 |   ],
11 |   "references": [
12 |     {
13 |       "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr"
14 |     },
15 |     {
16 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21337"
17 |     },
18 |     {
19 |       "url": "https://github.com/advisories/GHSA-p44j-xrqg-4xrr"
20 |     }
21 |   ],
22 |   "description": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nOpen redirect vulnerability - a maliciously crafted link to the login form and login functionality could redirect the browser to a different website.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1`  and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\"`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere is no workaround. Users are encouraged to upgrade.\n\n### References\n_Are there any links users can visit to find out more?_\n\n- [GHSA-p44j-xrqg-4xrr](https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr)\n- [Products.PluggableAuthService on PyPI](https://pypi.org/project/Products.PluggableAuthService/)\n- [OWASP page on open redirects](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Products.PluggableAuthService issue tracker](https://github.com/zopefoundation/Products.PluggableAuthService/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)",
23 |   "summary": "URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService",
24 |   "severity": "LOW",
25 |   "cvss": {
26 |     "score": 0,
27 |     "vectorString": null
28 |   },
29 |   "cwes": {
30 |     "nodes": [
31 |       {
32 |         "cweId": "CWE-601",
33 |         "description": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.",
34 |         "name": "URL Redirection to Untrusted Site ('Open Redirect')"
35 |       }
36 |     ]
37 |   },
38 |   "permalink": "https://github.com/advisories/GHSA-p44j-xrqg-4xrr",
39 |   "publishedAt": "2021-03-08T21:06:23Z",
40 |   "updatedAt": "2021-06-03T13:49:55Z",
41 |   "withdrawnAt": null,
42 |   "vulnerabilities": {
43 |     "nodes": [
44 |       {
45 |         "package": {
46 |           "ecosystem": "PIP",
47 |           "name": "Products.PluggableAuthService"
48 |         },
49 |         "firstPatchedVersion": {
50 |           "identifier": "2.6.1"
51 |         },
52 |         "vulnerableVersionRange": "< 2.6.1"
53 |       }
54 |     ]
55 |   }
56 | }
57 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/pypi_normalize.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-p44j-xrqg-4xrr",
 4 |   "aliases": [
 5 |     "CVE-2021-21337"
 6 |   ],
 7 |   "published": "2021-03-08T21:06:23Z",
 8 |   "modified": "2021-06-03T13:49:55Z",
 9 |   "summary": "URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService",
10 |   "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nOpen redirect vulnerability - a maliciously crafted link to the login form and login functionality could redirect the browser to a different website.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1`  and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\"`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThere is no workaround. Users are encouraged to upgrade.\n\n### References\n_Are there any links users can visit to find out more?_\n\n- [GHSA-p44j-xrqg-4xrr](https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr)\n- [Products.PluggableAuthService on PyPI](https://pypi.org/project/Products.PluggableAuthService/)\n- [OWASP page on open redirects](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Products.PluggableAuthService issue tracker](https://github.com/zopefoundation/Products.PluggableAuthService/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)",
11 |   "references": [
12 |     {
13 |       "type": "WEB",
14 |       "url": "https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21337"
19 |     },
20 |     {
21 |       "type": "ADVISORY",
22 |       "url": "https://github.com/advisories/GHSA-p44j-xrqg-4xrr"
23 |     }
24 |   ],
25 |   "affected": [
26 |     {
27 |       "package": {
28 |         "ecosystem": "PyPI",
29 |         "name": "products-pluggableauthservice"
30 |       },
31 |       "ranges": [
32 |         {
33 |           "type": "ECOSYSTEM",
34 |           "events": [
35 |             {
36 |               "introduced": "0"
37 |             },
38 |             {
39 |               "fixed": "2.6.1"
40 |             }
41 |           ]
42 |         }
43 |       ],
44 |       "versions": [],
45 |       "database_specific": {
46 |         "ghsa": "https://github.com/advisories/GHSA-p44j-xrqg-4xrr",
47 |         "cwes": [
48 |           {
49 |             "cweId": "CWE-601",
50 |             "description": "A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.",
51 |             "name": "URL Redirection to Untrusted Site ('Open Redirect')"
52 |           }
53 |         ]
54 |       }
55 |     }
56 |   ]
57 | }
58 | 


--------------------------------------------------------------------------------
/tools/ghsa/convert_ghsa_test.py:
--------------------------------------------------------------------------------
 1 | # Copyright 2021 OSV Schema Authors
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #      http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | """Tests for the GHSA to OSV converter."""
15 | 
16 | import json
17 | import os
18 | import unittest
19 | 
20 | import convert_ghsa
21 | 
22 | TEST_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'testdata')
23 | 
24 | class ConverterTest(unittest.TestCase):
25 |     """Converter unit tests."""
26 | 
27 |     def setUp(self):
28 |         self.maxDiff = None  # pylint: disable=invalid-name
29 | 
30 |     def check_conversion(self, name):
31 |         """Check OSV conversation against the expected result."""
32 |         with open(os.path.join(TEST_DIR, f'{name}.json')) as handle:
33 |             input_data = json.load(handle)
34 | 
35 |         output = convert_ghsa.convert(input_data)
36 | 
37 |         expected_path = os.path.join(TEST_DIR, f'{name}.osv.json')
38 |         if os.getenv('TESTS_GENERATE'):
39 |             with open(expected_path, 'w') as handle:
40 |                 handle.write(json.dumps(output, indent=2))
41 | 
42 |         with open(expected_path) as handle:
43 |             expected = json.load(handle)
44 | 
45 |         self.assertDictEqual(expected, output)
46 | 
47 |     def test_full_ranges(self):
48 |         """Test full (>= X, < Y) ranges."""
49 |         self.check_conversion('full_ranges')
50 | 
51 |     def test_greater_than_equals_no_patch(self):
52 |         """Test >=X without a patch."""
53 |         self.check_conversion('greater_than_equals_no_patch')
54 | 
55 |     def test_multiple_ranges_in_package(self):
56 |         """Test multiple ranges in the same package."""
57 |         self.check_conversion('multiple_ranges_in_package')
58 | 
59 |     def test_less_than_equals_no_patch(self):
60 |         """Test less than equals with no patch."""
61 |         self.check_conversion('less_than_equals_no_patch')
62 | 
63 |     def test_less_than_equals_with_patch(self):
64 |         """Test less than equals with patch."""
65 |         self.check_conversion('less_than_equals_with_patch')
66 | 
67 |     def test_equals_no_patch(self):
68 |         """Test =X versions with no patch."""
69 |         self.check_conversion('equals_no_patch')
70 | 
71 |     def test_equals_with_patch(self):
72 |         """Test =X versions with a patch."""
73 |         self.check_conversion('equals_with_patch')
74 | 
75 |     def test_withdrawn(self):
76 |         """Test a withdrawn entry."""
77 |         self.check_conversion('withdrawn')
78 | 
79 |     def test_pypi_normalize(self):
80 |         """Test normalization PyPI names."""
81 |         self.check_conversion('pypi_normalize')
82 | 
83 |     def test_maven_greater_than(self):
84 |         """Test Maven > ranges."""
85 |         self.check_conversion('maven_greater_than')
86 | 
87 |     def test_maven_greater_than(self):
88 |         """Test npm > ranges."""
89 |         self.check_conversion('npm_greater_than')
90 | 


--------------------------------------------------------------------------------
/tools/ghsa/testdata/full_ranges.osv.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "schema_version": "1.5.0",
 3 |   "id": "GHSA-mr95-9rr4-668f",
 4 |   "aliases": [
 5 |     "CVE-2018-16115"
 6 |   ],
 7 |   "published": "2018-10-22T20:44:26Z",
 8 |   "modified": "2021-09-15T20:58:47Z",
 9 |   "summary": "High severity vulnerability that affects com.typesafe.akka:akka-actor_2.11 and com.typesafe.akka:akka-actor_2.12",
10 |   "details": "Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG implementations were not configured by default but examples in the documentation showed (and therefore implicitly recommended) using the custom ones. This can be used by an attacker to compromise the communication if these random number generators are enabled in configuration. It would be possible to eavesdrop, replay, or modify the messages sent with Akka Remoting/Cluster.",
11 |   "references": [
12 |     {
13 |       "type": "ADVISORY",
14 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16115"
15 |     },
16 |     {
17 |       "type": "ADVISORY",
18 |       "url": "https://github.com/advisories/GHSA-mr95-9rr4-668f"
19 |     }
20 |   ],
21 |   "affected": [
22 |     {
23 |       "package": {
24 |         "ecosystem": "Maven",
25 |         "name": "com.typesafe.akka:akka-actor_2.12"
26 |       },
27 |       "ranges": [
28 |         {
29 |           "type": "ECOSYSTEM",
30 |           "events": [
31 |             {
32 |               "introduced": "2.5.0"
33 |             },
34 |             {
35 |               "fixed": "2.5.16"
36 |             }
37 |           ]
38 |         }
39 |       ],
40 |       "versions": [],
41 |       "database_specific": {
42 |         "ghsa": "https://github.com/advisories/GHSA-mr95-9rr4-668f",
43 |         "cwes": [
44 |           {
45 |             "cweId": "CWE-338",
46 |             "description": "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
47 |             "name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
48 |           }
49 |         ]
50 |       }
51 |     },
52 |     {
53 |       "package": {
54 |         "ecosystem": "Maven",
55 |         "name": "com.typesafe.akka:akka-actor_2.11"
56 |       },
57 |       "ranges": [
58 |         {
59 |           "type": "ECOSYSTEM",
60 |           "events": [
61 |             {
62 |               "introduced": "2.5.0"
63 |             },
64 |             {
65 |               "fixed": "2.5.16"
66 |             }
67 |           ]
68 |         }
69 |       ],
70 |       "versions": [],
71 |       "database_specific": {
72 |         "ghsa": "https://github.com/advisories/GHSA-mr95-9rr4-668f",
73 |         "cwes": [
74 |           {
75 |             "cweId": "CWE-338",
76 |             "description": "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
77 |             "name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
78 |           }
79 |         ]
80 |       }
81 |     }
82 |   ]
83 | }
84 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/ranges.go:
--------------------------------------------------------------------------------
 1 | package checks
 2 | 
 3 | import (
 4 | 	"fmt"
 5 | 	"slices"
 6 | 
 7 | 	"github.com/tidwall/gjson"
 8 | )
 9 | 
10 | var CheckRangeHasIntroducedEvent = &CheckDef{
11 | 	Code:        "RNG:001",
12 | 	Name:        "introduced-event-exists",
13 | 	Description: "every range has an introduced event",
14 | 	Check:       RangeHasIntroducedEvent,
15 | }
16 | 
17 | // RangeHasIntroducedEvent checks for missing 'introduced' objects in events.
18 | func RangeHasIntroducedEvent(json *gjson.Result, config *Config) (findings []CheckError) {
19 | 	// It is valid to not have any ranges.
20 | 	ranges := json.Get("affected.#(ranges)")
21 | 	if !ranges.Exists() {
22 | 		return nil
23 | 	}
24 | 
25 | 	result := json.Get("affected.#(ranges.#(events.#(introduced)))")
26 | 
27 | 	if !result.Exists() {
28 | 		findings = append(findings, CheckError{Message: "missing 'introduced' object in event"})
29 | 		return findings
30 | 	}
31 | 
32 | 	return nil
33 | }
34 | 
35 | var CheckRangeIsDistinct = &CheckDef{
36 | 	Code:        "RNG:002",
37 | 	Name:        "range-is-distinct",
38 | 	Description: "range spans multiple versions/commits",
39 | 	Check:       RangeIsDistinct,
40 | }
41 | 
42 | // RangeIsDistinct checks that the introduced and fixed (or last_affected) values differ.
43 | // (on a per-repo basis for GIT ranges, and on a per-package basis otherwise)
44 | func RangeIsDistinct(json *gjson.Result, config *Config) (findings []CheckError) {
45 | 	affectedEntries := json.Get("affected")
46 | 
47 | 	// Examine each entry:
48 | 	// for ones for packages, on a per-package basis
49 | 	// for GIT ranges, on a per-repo basis
50 | 	affectedEntries.ForEach(func(key, value gjson.Result) bool {
51 | 		// If it has a package field, it's for a package, otherwise confirm the range is of type GIT.
52 | 		maybePackage := value.Get("package")
53 | 		ranges := value.Get("ranges")
54 | 		var pkg bool
55 | 		if maybePackage.Exists() {
56 | 			pkg = true
57 | 		}
58 | 		ranges.ForEach(func(key, value gjson.Result) bool {
59 | 			rangeType := value.Get("type").String()
60 | 			if !pkg && rangeType != "GIT" {
61 | 				findings = append(findings, CheckError{Message: fmt.Sprintf("unexpected range type %q for %s", rangeType, value.String())})
62 | 			}
63 | 			// Examine the events, collect all of the range starting values and range ending values (fixed and last_affected).
64 | 			// There must be no overlap between these two sets of values.
65 | 			events := value.Get("events")
66 | 			var startEvents []string
67 | 			var endEvents []string
68 | 			events.ForEach(func(key, value gjson.Result) bool {
69 | 				// Collect all the introduced values.
70 | 				result := value.Get("introduced")
71 | 				if result.Exists() {
72 | 					startEvents = append(startEvents, result.String())
73 | 				}
74 | 				// Collect all the fixed
75 | 				// last_affected can be the same version as introduced
76 | 				result = value.Get("fixed")
77 | 				if result.Exists() {
78 | 					endEvents = append(endEvents, result.String())
79 | 				}
80 | 				return true // keep iterating (over events)
81 | 			})
82 | 			// Check for overlap between collected start events and end events.
83 | 			for _, endEvent := range endEvents {
84 | 				if slices.Contains(startEvents, endEvent) {
85 | 					findings = append(findings, CheckError{Message: fmt.Sprintf("overlapping event: %q", endEvent)})
86 | 				}
87 | 			}
88 | 			return true // keep iterating (over ranges)
89 | 		})
90 | 		return true // keep iterating (over affected entries)
91 | 	})
92 | 	return findings
93 | }
94 | 


--------------------------------------------------------------------------------
/tools/ghsa/dump_ghsa.py:
--------------------------------------------------------------------------------
  1 | # Copyright 2021 OSV Schema Authors
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #      http://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | """GHSA to JSON dumper."""
 15 | import argparse
 16 | import json
 17 | import os
 18 | 
 19 | import requests
 20 | 
 21 | _BASE_QUERY = """
 22 | {
 23 |   securityAdvisories(first: 100 %(query)s %(cursor)s) {
 24 |     edges { cursor
 25 |       node {
 26 |         ghsaId
 27 |         identifiers {
 28 |           value
 29 |         }
 30 |         references {
 31 |           url
 32 |         }
 33 |         description
 34 |         summary
 35 |         severity
 36 |         cvss {
 37 |           score
 38 |           vectorString
 39 |         }
 40 |         cwes(first: 32) {
 41 |           nodes {
 42 |             cweId
 43 |             description
 44 |             name
 45 |           }
 46 |         }
 47 |         permalink
 48 |         publishedAt
 49 |         updatedAt
 50 |         withdrawnAt
 51 |         vulnerabilities(first: 32) {
 52 |           nodes {
 53 |             package {
 54 |               ecosystem
 55 |               name
 56 |             }
 57 |             firstPatchedVersion {
 58 |               identifier
 59 |             }
 60 |             vulnerableVersionRange
 61 |           }
 62 |         }
 63 |       }
 64 |     }
 65 |     pageInfo {
 66 |       hasNextPage
 67 |     }
 68 |   }
 69 | }
 70 | """
 71 | 
 72 | 
 73 | def run_graphql(query: str, token: str):
 74 |     """Runs a GraphQL query."""
 75 |     response = requests.post(
 76 |         'https://api.github.com/graphql',
 77 |         json={'query': query},
 78 |         headers={'Authorization': 'Bearer ' + token})
 79 |     response.raise_for_status()
 80 |     return response.json()
 81 | 
 82 | 
 83 | def dump(out_dir: str, token: str, query: str):
 84 |     """Dumps advisories."""
 85 |     count = 0
 86 |     cursor_arg = ''
 87 | 
 88 |     while True:
 89 |         result = run_graphql(_BASE_QUERY % {'cursor':cursor_arg, 'query':query}, token)
 90 | 
 91 |         if 'data' not in result:
 92 |             print('Got invalid response', result)
 93 |             raise Exception('Invalid response')
 94 | 
 95 |         for edge in result['data']['securityAdvisories']['edges']:
 96 |             node = edge['node']
 97 |             with open(os.path.join(out_dir, node['ghsaId'] + '.json'),
 98 |                       'w') as handle:
 99 |                 handle.write(json.dumps(node))
100 | 
101 |             count += 1
102 |             if count % 500 == 0:
103 |                 print(f'Up to {count} advisories.')
104 | 
105 |             cursor = edge['cursor']
106 |             cursor_arg = f'after: "{cursor}"'
107 | 
108 |         if not result['data']['securityAdvisories']['pageInfo'].get(
109 |                 'hasNextPage'):
110 |             break
111 | 
112 |     print(f'Dumped {count} advisories.')
113 | 
114 | 
115 | def main():
116 |     """Main function."""
117 |     parser = argparse.ArgumentParser(description='GHSA dumper.')
118 |     parser.add_argument('--token', help='GitHub API token', required=True)
119 |     parser.add_argument('--query', help='GitHub Security Advisory Query')
120 |     parser.add_argument('out_dir', help='Output directory')
121 | 
122 |     args = parser.parse_args()
123 |     dump(args.out_dir, args.token, args.query)
124 | 
125 | 
126 | if __name__ == '__main__':
127 |     main()
128 | 


--------------------------------------------------------------------------------
/tools/redhat/README.md:
--------------------------------------------------------------------------------
 1 | # Red Hat CSAF to OSV Converter
 2 | 
 3 | ## Setup
 4 | 
 5 | This tool is installable via Pip using a git reference such as:
 6 | 
 7 | ~~~
 8 | redhat-osv @ git+https://github.com/ossf/osv-schema@0cef5d4#egg=redhat_osv&subdirectory=tools/redhat
 9 | ~~~
10 | 
11 | Dependency management is therefore split between `setup.py` and `Pipenv`. Runtime dependencies are declared in 
12 | `setup.py` and installable by installing the project into a pipenv environment:
13 | 
14 | ~~~
15 | $ pipenv install -e .
16 | ~~~
17 | 
18 | ## Usage
19 | 
20 | Needs to be run in a folder where the Red Hat CSAF documents to convert already exist. Files can be downloaded the [Red Hat Customer Portal Security Data section](https://access.redhat.com/security/data/csaf/v2/advisories/)
21 | ~~~
22 | $ pipenv run python3 convert_redhat.py testdata/rhsa-2024_4546.json
23 | ~~~
24 | 
25 | OSV documents will be output in the `osv` directory by default. Override the default with the `--output_directory` option.
26 | 
27 | ## Running Tests
28 | 
29 | Run the tests like so:
30 | 
31 | ~~~
32 | $ pipenv run python3 -m unittest redhat_osv/*_test.py
33 | ~~~
34 | 
35 | ## How does it work?
36 | 
37 | Red Hat [Common Security Advisory Framework](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html) (CSAF) Advisories are made up of 3 sections, document, [product_tree](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#322-product-tree-property) and [vulnerabilities](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#323-vulnerabilities-property). How we use each section is converted to OSV format is explained below. A new CSAF Advisory is published each time a remediation for a security vulnerability in a Red Hat product is released. Red Hat will publish one advisory for each product affected by a vulnerability. However one advisory may remediate multiple vulnerabilities.
38 | 
39 | ### What is converted?
40 | 
41 | The CSAF document is first represented as a CSAF object which holds references to vulnerabilities. Vulnerabilities, in turn hold references to [remediations](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#32312-vulnerabilities-property---remediations). Remediations are a combination of the affected product information, including a [Common Product Enumeration](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe) (CPE) Name, a component, a PURL and a fixed version. A component in this context is a Red Hat specific reference to the affected component, and refers to the same thing as the PURL. We need to store the component in the Remediation object so that we can relate it to PURL in the product_tree section of the CSAF advisory.
42 | 
43 | ### How is it converted?
44 | 
45 | OSV records hold a set of [affected data](https://ossf.github.io/osv-schema/#affected-fields). Each affected data object holds references to packages and ranges.
46 | 
47 | [Packages](https://ossf.github.io/osv-schema/#affectedpackage-field) contain a name, and ecosystem which is also represented as a PURL. The `Red Hat` ecosystem is a translation of the CPE in the CSAF document with the `cpe/:[oa]:redhat` prefix replaced with `Red Hat`. Since CSAF advisories only identify the version of the package which was fixed, all previous versions of that package released in the corresponding product are considered affected. This is converted to a single [Event](https://ossf.github.io/osv-schema/#affectedrangesevents-fields) in OSV with an `introduced` value of `0` and a `fixed` equal to the `fixed_version` from the CSAF advisory.
48 | 
49 | OSV [references](https://ossf.github.io/osv-schema/#references-field) are a combination of the Red Hat Advisory, references from that advisory, and the vulnerability specific references in the CSAF document. While CSAF advisories always contain at least one CVE identifier for a vulnerability, the other entries in the OSV [related](https://ossf.github.io/osv-schema/#related-field) field are converted from the CSAF advisory vulnerability references.
50 | 
51 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/PYSEC-2023-74.json:
--------------------------------------------------------------------------------
  1 | {
  2 |   "affected": [
  3 |     {
  4 |       "package": {
  5 |         "ecosystem": "PyPI",
  6 |         "name": "requests",
  7 |         "purl": "pkg:pypi/requests"
  8 |       },
  9 |       "ranges": [
 10 |         {
 11 |           "events": [
 12 |             {
 13 |               "introduced": "0"
 14 |             },
 15 |             {
 16 |               "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
 17 |             }
 18 |           ],
 19 |           "repo": "https://github.com/psf/requests",
 20 |           "type": "GIT"
 21 |         },
 22 |         {
 23 |           "events": [
 24 |             {
 25 |               "introduced": "2.3.0"
 26 |             },
 27 |             {
 28 |               "fixed": "2.31.0"
 29 |             }
 30 |           ],
 31 |           "type": "ECOSYSTEM"
 32 |         }
 33 |       ],
 34 |       "versions": [
 35 |         "2.10.0",
 36 |         "2.11.0",
 37 |         "2.11.1",
 38 |         "2.12.0",
 39 |         "2.12.1",
 40 |         "2.12.2",
 41 |         "2.12.3",
 42 |         "2.12.4",
 43 |         "2.12.5",
 44 |         "2.13.0",
 45 |         "2.14.0",
 46 |         "2.14.1",
 47 |         "2.14.2",
 48 |         "2.15.0",
 49 |         "2.15.1",
 50 |         "2.16.0",
 51 |         "2.16.1",
 52 |         "2.16.2",
 53 |         "2.16.3",
 54 |         "2.16.4",
 55 |         "2.16.5",
 56 |         "2.17.0",
 57 |         "2.17.1",
 58 |         "2.17.2",
 59 |         "2.17.3",
 60 |         "2.18.0",
 61 |         "2.18.1",
 62 |         "2.18.2",
 63 |         "2.18.3",
 64 |         "2.18.4",
 65 |         "2.19.0",
 66 |         "2.19.1",
 67 |         "2.20.0",
 68 |         "2.20.1",
 69 |         "2.21.0",
 70 |         "2.22.0",
 71 |         "2.23.0",
 72 |         "2.24.0",
 73 |         "2.25.0",
 74 |         "2.25.1",
 75 |         "2.26.0",
 76 |         "2.27.0",
 77 |         "2.27.1",
 78 |         "2.28.0",
 79 |         "2.28.1",
 80 |         "2.28.2",
 81 |         "2.29.0",
 82 |         "2.3.0",
 83 |         "2.30.0",
 84 |         "2.4.0",
 85 |         "2.4.1",
 86 |         "2.4.2",
 87 |         "2.4.3",
 88 |         "2.5.0",
 89 |         "2.5.1",
 90 |         "2.5.2",
 91 |         "2.5.3",
 92 |         "2.6.0",
 93 |         "2.6.1",
 94 |         "2.6.2",
 95 |         "2.7.0",
 96 |         "2.8.0",
 97 |         "2.8.1",
 98 |         "2.9.0",
 99 |         "2.9.1",
100 |         "2.9.2"
101 |       ]
102 |     }
103 |   ],
104 |   "aliases": [
105 |     "CVE-2023-32681",
106 |     "GHSA-j8r2-6x86-q33q"
107 |   ],
108 |   "details": "Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n",
109 |   "id": "PYSEC-2023-74",
110 |   "modified": "2023-06-05T01:13:00.534973Z",
111 |   "published": "2023-05-26T18:15:00Z",
112 |   "references": [
113 |     {
114 |       "type": "ADVISORY",
115 |       "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"
116 |     },
117 |     {
118 |       "type": "WEB",
119 |       "url": "https://github.com/psf/requests/releases/tag/v2.31.0"
120 |     },
121 |     {
122 |       "type": "FIX",
123 |       "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"
124 |     },
125 |     {
126 |       "type": "ARTICLE",
127 |       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"
128 |     },
129 |     {
130 |       "type": "WEB",
131 |       "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"
132 |     }
133 |   ]
134 | }
135 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/checks.go:
--------------------------------------------------------------------------------
  1 | // Package checks defines and implements all checks and collections of checks.
  2 | //
  3 | // To add additional checks:
  4 | // 1. define a new instance of `Check`
  5 | // 2. add it to the `checks` array
  6 | // 3. add it to the relevant collections defined in `checkCollections`
  7 | //
  8 | // To add additional collections of checks:
  9 | // 1. add to the `checkCollections` array.
 10 | package checks
 11 | 
 12 | import (
 13 | 	"fmt"
 14 | 
 15 | 	"github.com/tidwall/gjson"
 16 | )
 17 | 
 18 | // CheckError describes when a check fails.
 19 | type CheckError struct {
 20 | 	Code    string
 21 | 	Message string
 22 | }
 23 | 
 24 | // Error returns the error message, including the code.
 25 | func (ce *CheckError) Error() string {
 26 | 	if ce.Code == "" {
 27 | 		return fmt.Sprintf("%s", ce.Message)
 28 | 	}
 29 | 	return fmt.Sprintf("[%s]: %s", ce.Code, ce.Message)
 30 | }
 31 | 
 32 | // CheckDef defines a single check.
 33 | type CheckDef struct {
 34 | 	Code        string
 35 | 	Name        string
 36 | 	Description string
 37 | 	Check       Check
 38 | }
 39 | 
 40 | // Config defines the configuration for a check.
 41 | type Config struct {
 42 | 	Verbose    bool
 43 | 	Ecosystems   []string
 44 | 	JSON         bool
 45 | 	NewEcosystem bool
 46 | }
 47 | 
 48 | // Check defines how to run the check.
 49 | type Check func(*gjson.Result, *Config) []CheckError
 50 | 
 51 | // Run runs the check, returning any findings.
 52 | // The check has no awareness of the check's Code,
 53 | // this merges that with the check's findings.
 54 | func (c *CheckDef) Run(json *gjson.Result, config *Config) (findings []CheckError) {
 55 | 	if c.Check == nil {
 56 | 		return findings
 57 | 	}
 58 | 
 59 | 	for _, finding := range c.Check(json, config) {
 60 | 		findings = append(findings, CheckError{
 61 | 			Code:    c.Code,
 62 | 			Message: finding.Error(),
 63 | 		})
 64 | 	}
 65 | 	return findings
 66 | }
 67 | 
 68 | // CheckCollection defines a named collection of checks.
 69 | type CheckCollection struct {
 70 | 	Name        string
 71 | 	Description string
 72 | 	Checks      []*CheckDef
 73 | }
 74 | 
 75 | // FromCode returns the check with a specific code.
 76 | func FromCode(code string) *CheckDef {
 77 | 	for _, check := range CollectionFromName("ALL").Checks {
 78 | 		if check.Code == code {
 79 | 			return check
 80 | 		}
 81 | 	}
 82 | 	return nil
 83 | }
 84 | 
 85 | // FromName returns the check with a specific name.
 86 | func FromName(name string) *CheckDef {
 87 | 	for _, check := range CollectionFromName("ALL").Checks {
 88 | 		if check.Name == name {
 89 | 			return check
 90 | 		}
 91 | 	}
 92 | 	return nil
 93 | }
 94 | 
 95 | var Collections = []CheckCollection{
 96 | 	{
 97 | 		Name:        "ALL",
 98 | 		Description: "all checks currently defined",
 99 | 		Checks: []*CheckDef{
100 | 			// Schema checks
101 | 			CheckInvalidSchema,
102 | 			// Record checks
103 | 			CheckRecordHasAffected,
104 | 			CheckRecordHasValidAliases,
105 | 			CheckRecordHasValidUpstream,
106 | 			CheckRecordHasValidRelated,
107 | 			// Range checks
108 | 			CheckRangeHasIntroducedEvent,
109 | 			CheckRangeIsDistinct,
110 | 			// Package checks
111 | 			CheckPackageExists,
112 | 			CheckPackageVersionsExist,
113 | 			CheckPackagePurlValid,
114 | 		},
115 | 	},
116 | 	{
117 | 		Name: "offline",
118 | 		Description: "Checks that do not have remote data dependencies. " +
119 | 			"These can be run without network access.",
120 | 		Checks: []*CheckDef{
121 | 			CheckInvalidSchema,
122 | 			CheckRecordHasAffected,
123 | 			CheckRecordHasValidAliases,
124 | 			CheckRecordHasValidUpstream,
125 | 			CheckRecordHasValidRelated,
126 | 			CheckRangeHasIntroducedEvent,
127 | 			CheckRangeIsDistinct,
128 | 			CheckPackagePurlValid,
129 | 		},
130 | 	},
131 | 	{
132 | 		Name:        "fatal",
133 | 		Description: "Checks considered critical. Failures indicate fundamental issues with the OSV record.",
134 | 		Checks: []*CheckDef{
135 | 			CheckInvalidSchema,
136 | 			CheckRecordHasAffected,
137 | 			CheckRecordHasValidAliases,
138 | 			CheckRecordHasValidUpstream,
139 | 			CheckRangeIsDistinct,
140 | 		},
141 | 	},
142 | }
143 | 
144 | // CollectionFromName returns the CheckCollection with the given name.
145 | func CollectionFromName(name string) *CheckCollection {
146 | 	for _, checkcollection := range Collections {
147 | 		if checkcollection.Name == name {
148 | 			return &checkcollection
149 | 		}
150 | 	}
151 | 	return nil
152 | }
153 | 


--------------------------------------------------------------------------------
/tools/redhat/redhat_osv/osv_test.py:
--------------------------------------------------------------------------------
  1 | """Test Intermediate OSV object creation"""
  2 | import unittest
  3 | 
  4 | from redhat_osv.csaf import CSAF
  5 | from redhat_osv.osv import OSV, Event
  6 | 
  7 | 
  8 | class ScoreTest(unittest.TestCase):
  9 |     """Tests OSV vulnerability scores"""
 10 | 
 11 |     test_csaf_files = ["rhsa-2003_315.json", "rhsa-2015_0008.json"]
 12 | 
 13 |     def test_missing_cvss_v3(self):
 14 |         """Test parsing a CSAF file with missing CVSSv3 score"""
 15 |         for test_csaf_file in self.test_csaf_files:
 16 |             csaf_file = f"testdata/CSAF/{test_csaf_file}"
 17 |             with open(csaf_file, "r", encoding="utf-8") as fp:
 18 |                 csaf_data = fp.read()
 19 |             csaf = CSAF(csaf_data)
 20 |             with self.subTest(csaf_file):
 21 |                 assert csaf
 22 |                 assert len(csaf.vulnerabilities) == 1
 23 |                 assert not csaf.vulnerabilities[0].cvss_v3_base_score
 24 |                 for vuln in csaf.vulnerabilities:
 25 |                     for remediation in vuln.remediations:
 26 |                         assert "@" in remediation.purl
 27 | 
 28 |                 # See https://github.com/ossf/osv-schema/pull/308#issuecomment-2456061864
 29 |                 osv = OSV(csaf, "test_date")
 30 |                 assert not hasattr(osv, "severity")
 31 |                 for affected in osv.affected:
 32 |                     assert "@" not in affected.package.purl
 33 | 
 34 | 
 35 | class EventTest(unittest.TestCase):
 36 |     """ Tests OSV affected range events"""
 37 | 
 38 |     def test_init_event(self):
 39 |         """Test parsing various Events"""
 40 |         event = Event("introduced")
 41 |         assert event.event_type == "introduced"
 42 |         assert event.version == "0"
 43 | 
 44 |         event = Event("fixed", "1")
 45 |         assert event.event_type == "fixed"
 46 |         assert event.version == "1"
 47 | 
 48 |         with self.assertRaises(ValueError):
 49 |             Event("test")
 50 | 
 51 |     def test_events_from_csaf_files(self):
 52 |         """Test that events from CSAF files have expected versions"""
 53 |         test_csaf_files = ["rhsa-2024_6220.json", "rhsa-2024_4420.json"]
 54 | 
 55 |         for test_csaf_file in test_csaf_files:
 56 |             csaf_file = f"testdata/CSAF/{test_csaf_file}"
 57 |             with open(csaf_file, "r", encoding="utf-8") as fp:
 58 |                 csaf_data = fp.read()
 59 |             csaf = CSAF(csaf_data)
 60 |             osv = OSV(csaf, "2024-01-01T00:00:00Z")
 61 | 
 62 |             with self.subTest(csaf_file):
 63 |                 # Verify that we have affected packages
 64 |                 assert len(osv.affected) > 0
 65 | 
 66 |                 # Check each affected package's ranges and events
 67 |                 for affected in osv.affected:
 68 |                     assert len(affected.ranges) > 0
 69 | 
 70 |                     for range_obj in affected.ranges:
 71 |                         assert len(
 72 |                             range_obj.events
 73 |                         ) == 2  # Should have introduced and fixed events
 74 | 
 75 |                         # First event should be "introduced" with version "0"
 76 |                         introduced_event = range_obj.events[0]
 77 |                         assert introduced_event.event_type == "introduced"
 78 |                         assert introduced_event.version == "0"
 79 | 
 80 |                         # Second event should be "fixed" with a non-empty version
 81 |                         fixed_event = range_obj.events[1]
 82 |                         assert fixed_event.event_type == "fixed"
 83 |                         assert fixed_event.version != ""
 84 |                         assert fixed_event.version != "0"
 85 | 
 86 |                         # Red Hat versions should be in EVRA format or similar
 87 |                         # Examples: "0:5.4.1-1.module+el8.5.0+10613+59a13ec4"
 88 |                         #          "23.module+el8.9.0+18724+20190c23.x86_64"
 89 |                         # They should contain either ":" (epoch) 
 90 |                         assert ":" in fixed_event.version
 91 | 
 92 |                         # Version should not be just a number
 93 |                         assert not fixed_event.version.isdigit()
 94 | 
 95 |                         # Ensure we don't get module names as versions
 96 |                         assert not fixed_event.version.endswith(":rhel")
 97 |                         assert "virt:" not in fixed_event.version
 98 | 
 99 | 
100 | if __name__ == '__main__':
101 |     unittest.main()
102 | 


--------------------------------------------------------------------------------
/tools/osv-linter/go.sum:
--------------------------------------------------------------------------------
 1 | github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 2 | github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 3 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 4 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 5 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 6 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 7 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 8 | github.com/google/osv-scalibr v0.3.5-0.20251007022113-0f405599e232 h1:pJ1WnQio45t219UnbUc8JxZsyCyqr/xBhy969OTQ4H8=
 9 | github.com/google/osv-scalibr v0.3.5-0.20251007022113-0f405599e232/go.mod h1:yrL4tlR1cXIb2TUyEmtOdTR5tYYuXzfSprEfwyqp2qU=
10 | github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
11 | github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
12 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
13 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
14 | github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
15 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
16 | github.com/sethvargo/go-retry v0.2.4 h1:T+jHEQy/zKJf5s95UkguisicE0zuF9y7+/vgz08Ocec=
17 | github.com/sethvargo/go-retry v0.2.4/go.mod h1:1afjQuvh7s4gflMObvjLPaWgluLLyhA1wmVZ6KLpICw=
18 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
19 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
20 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
21 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
22 | github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
23 | github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
24 | github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
25 | github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
26 | github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
27 | github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
28 | github.com/urfave/cli/v2 v2.27.2 h1:6e0H+AkS+zDckwPCUrZkKX38mRaau4nL2uipkJpbkcI=
29 | github.com/urfave/cli/v2 v2.27.2/go.mod h1:g0+79LmHHATl7DAcHO99smiR/T7uGLw84w8Y42x+4eM=
30 | github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
31 | github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
32 | github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
33 | github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
34 | github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
35 | github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
36 | github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe9UDgpxAWQrhbbBXOYJFQDq/dtJw=
37 | github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk=
38 | golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
39 | golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
40 | golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
41 | golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
42 | golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
43 | golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
44 | golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
45 | golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
46 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
47 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
48 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
49 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
50 | 


--------------------------------------------------------------------------------
/.github/workflows/checks.yml:
--------------------------------------------------------------------------------
  1 | name: Checks
  2 | 
  3 | on:
  4 |   push:
  5 |     branches: [main]
  6 |   pull_request:
  7 |     # The branches below must be a subset of the branches above
  8 |     branches: [main]
  9 | 
 10 | concurrency:
 11 |   # Pushing new changes to a branch will cancel any in-progress CI runs
 12 |   group: ${{ github.workflow }}-${{ github.ref }}
 13 |   cancel-in-progress: true
 14 | 
 15 | # Restrict jobs in this workflow to have no permissions by default; permissions
 16 | # should be granted per job as needed using a dedicated `permissions` block
 17 | permissions: {}
 18 | 
 19 | jobs:
 20 |   filenames:
 21 |     runs-on: ubuntu-latest
 22 |     steps:
 23 |       - uses: actions/checkout@v4
 24 |         with:
 25 |           persist-credentials: false
 26 |       - run: |
 27 |           find . -mindepth 1 ! -regex '.*/[#@A-Za-z0-9._-]*' -print0 \
 28 |             | xargs -0 -I{} bash -c \
 29 |               'printf "::error file=%q::This filename contains undesired characters\n" "$1" && false' _ {}
 30 |   tests_osv-go:
 31 |     permissions:
 32 |       contents: read # to fetch code (actions/checkout)
 33 |     name: Run `bindings/go` unit tests
 34 |     runs-on: ubuntu-latest
 35 |     defaults:
 36 |       run:
 37 |         working-directory: ./bindings/go
 38 |     steps:
 39 |       - name: Check out code
 40 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 41 |         with:
 42 |           persist-credentials: false
 43 |       - name: Set up Go
 44 |         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 45 |         with:
 46 |           go-version: stable
 47 |           check-latest: true
 48 | 
 49 |       - run: go test ./...
 50 |       - run: gofmt -s */**.go
 51 |       - run: git diff --exit-code
 52 |       - run: go mod tidy -diff
 53 |   tests_osv-linter:
 54 |     permissions:
 55 |       contents: read # to fetch code (actions/checkout)
 56 |     name: Run `osv-linter` unit tests
 57 |     runs-on: ubuntu-latest
 58 |     defaults:
 59 |       run:
 60 |         working-directory: ./tools/osv-linter
 61 |     steps:
 62 |       - name: Check out code
 63 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 64 |         with:
 65 |           persist-credentials: false
 66 |       - name: Set up Go
 67 |         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 68 |         with:
 69 |           go-version: stable
 70 |           check-latest: true
 71 | 
 72 |       - run: go test ./...
 73 |       - run: gofmt -s */**.go
 74 |       - run: git diff --exit-code
 75 |       - run: go mod tidy -diff
 76 | 
 77 |   ecosystem_lists:
 78 |     permissions:
 79 |       contents: read # to fetch code (actions/checkout)
 80 |     name: Check ecosystem lists
 81 |     runs-on: ubuntu-latest
 82 |     steps:
 83 |       - name: Check out code
 84 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 85 |         with:
 86 |           persist-credentials: false
 87 |       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 88 |         with:
 89 |           python-version: 3.13
 90 |       - run: python3 ./scripts/update-ecosystems-lists.py
 91 |       - run: |
 92 |           git diff --name-only \
 93 |             | xargs -I '{}' bash -c \
 94 |               'echo "::error file={},line=1::This needs to be regenerated by running \`python3 ./scripts/update-ecosystems-lists.py\`" && false'
 95 | 
 96 |   validate_schema_databases_table:
 97 |     permissions:
 98 |       contents: read # to fetch code (actions/checkout)
 99 |     name: Ensure schema databases table is valid
100 |     runs-on: ubuntu-latest
101 |     steps:
102 |       - name: Check out code
103 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
104 |         with:
105 |           persist-credentials: false
106 |       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
107 |         with:
108 |           python-version: 3.13
109 |       - run: python3 ./scripts/validate-schema-table.py
110 | 
111 |   validate-osv-schema:
112 |     name: Validate OSV Schema
113 |     permissions:
114 |       contents: read
115 |     runs-on: ubuntu-latest
116 |     steps:
117 |       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
118 |       - name: Validate OSV Schema
119 |         uses: dsanders11/json-schema-validate-action@ec60131eddf6f51ed0c737fdcd28616ae1a0e564 # v1.2.0
120 |         with:
121 |           # https://github.com/marketplace/actions/json-schema-validate#validating-schema
122 |           schema: json-schema
123 |           files: validation/schema.json
124 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/record.go:
--------------------------------------------------------------------------------
  1 | package checks
  2 | 
  3 | import (
  4 | 	"github.com/tidwall/gjson"
  5 | )
  6 | 
  7 | var CheckRecordHasAffected = &CheckDef{
  8 | 	Code:        "REC:001",
  9 | 	Name:        "affected-data-exists",
 10 | 	Description: "every record has affected data",
 11 | 	Check:       RecordHasAffected,
 12 | }
 13 | 
 14 | var CheckRecordHasValidAliases = &CheckDef{
 15 | 	Code:        "REC:002",
 16 | 	Name:        "valid-aliases",
 17 | 	Description: "aliases field validates",
 18 | 	Check:       AliasesCheck,
 19 | }
 20 | 
 21 | var CheckRecordHasValidUpstream = &CheckDef{
 22 | 	Code:        "REC:003",
 23 | 	Name:        "valid-upstream",
 24 | 	Description: "upstream field validates",
 25 | 	Check:       UpstreamCheck,
 26 | }
 27 | 
 28 | var CheckRecordHasValidRelated = &CheckDef{
 29 | 	Code:        "REC:004",
 30 | 	Name:        "valid-related",
 31 | 	Description: "related field validates",
 32 | 	Check:       RelatedCheck,
 33 | }
 34 | 
 35 | // RecordHasAffected checks if the 'affected' field exists in the JSON and is not an empty array.
 36 | func RecordHasAffected(json *gjson.Result, config *Config) (findings []CheckError) {
 37 | 	// Withdrawn records are fine to not contain affected field
 38 | 	isWithdrawn := json.Get("withdrawn")
 39 | 	if isWithdrawn.Exists() {
 40 | 		return
 41 | 	}
 42 | 
 43 | 	affectedEntries := json.Get("affected")
 44 | 	if !affectedEntries.Exists() || affectedEntries.String() == "[]" {
 45 | 		findings = append(findings, CheckError{Message: "Invalid Affected: affected field cannot be null or empty"})
 46 | 	}
 47 | 	return findings
 48 | }
 49 | 
 50 | func UpstreamCheck(json *gjson.Result, config *Config) (findings []CheckError) {
 51 | 	upstream := json.Get("upstream")
 52 | 	bug := json.Get("id")
 53 | 	if !upstream.Exists() {
 54 | 		return
 55 | 	}
 56 | 
 57 | 	hasDup, unique := hasDuplicate(upstream)
 58 | 	if hasDup {
 59 | 		findings = append(findings, CheckError{Message: "Invalid Upstream: upstream should not contain duplicate entries"})
 60 | 	}
 61 | 
 62 | 	if _, exists := unique[bug.String()]; exists {
 63 | 		findings = append(findings, CheckError{Message: "Invalid Upstream: upstream should not contain itself"})
 64 | 	}
 65 | 
 66 | 	aliases := json.Get("aliases")
 67 | 	if aliases.Exists() && aliases.IsArray() {
 68 | 		for _, bug := range aliases.Array() {
 69 | 			if _, exists := unique[bug.String()]; exists {
 70 | 				findings = append(findings, CheckError{Message: "Invalid Upstream: upstream should not contain aliases"})
 71 | 				break
 72 | 			}
 73 | 		}
 74 | 	}
 75 | 
 76 | 	related := json.Get("related")
 77 | 	if related.Exists() && related.IsArray() {
 78 | 		for _, bug := range related.Array() {
 79 | 			if _, exists := unique[bug.String()]; exists {
 80 | 				findings = append(findings, CheckError{Message: "Invalid Upstream: upstream should not contain related IDs"})
 81 | 				break
 82 | 			}
 83 | 		}
 84 | 	}
 85 | 
 86 | 	return findings
 87 | }
 88 | 
 89 | func AliasesCheck(json *gjson.Result, config *Config) (findings []CheckError) {
 90 | 	aliases := json.Get("aliases")
 91 | 	bug := json.Get("id")
 92 | 	if !aliases.Exists() {
 93 | 		return
 94 | 	}
 95 | 
 96 | 	hasDup, unique := hasDuplicate(aliases)
 97 | 	if hasDup {
 98 | 		findings = append(findings, CheckError{Message: "Invalid Aliases: aliases should not contain duplicate entries"})
 99 | 	}
100 | 
101 | 	if _, exists := unique[bug.String()]; exists {
102 | 		findings = append(findings, CheckError{Message: "Invalid Aliases: aliases should not contain itself"})
103 | 	}
104 | 
105 | 	return findings
106 | }
107 | 
108 | func RelatedCheck(json *gjson.Result, config *Config) (findings []CheckError) {
109 | 	related := json.Get("related")
110 | 	bug := json.Get("id")
111 | 	if !related.Exists() {
112 | 		return
113 | 	}
114 | 
115 | 	hasDup, unique := hasDuplicate(related)
116 | 	if hasDup {
117 | 		findings = append(findings, CheckError{Message: "Invalid Related: Related should not contain duplicate entries"})
118 | 	}
119 | 
120 | 	if _, exists := unique[bug.String()]; exists {
121 | 		findings = append(findings, CheckError{Message: "Invalid Related: Related should not contain itself"})
122 | 	}
123 | 
124 | 	return findings
125 | }
126 | 
127 | func hasDuplicate(json gjson.Result) (bool, map[string]struct{}) {
128 | 	var bugIDs []string
129 | 	if json.IsArray() { // Check if it's actually a JSON array
130 | 		for _, bugResult := range json.Array() {
131 | 			bugIDs = append(bugIDs, bugResult.String())
132 | 		}
133 | 	} else {
134 | 		return false, nil
135 | 	}
136 | 
137 | 	seen := make(map[string]struct{})
138 | 	for _, bugID := range bugIDs {
139 | 		seen[bugID] = struct{}{}
140 | 	}
141 | 
142 | 	return len(seen) != len(bugIDs), seen
143 | }
144 | 


--------------------------------------------------------------------------------
/tools/osv-linter/testdata/RHSA-2022_0216.json:
--------------------------------------------------------------------------------
  1 | {
  2 |     "id": "RHSA-2022:0216",
  3 |     "summary": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update",
  4 |     "modified": "2024-09-01T17:42:35Z",
  5 |     "published": "2024-09-01T17:42:35Z",
  6 |     "related": [
  7 |         "CVE-2021-44832",
  8 |         "CVE-2021-45046",
  9 |         "CVE-2021-45105"
 10 |     ],
 11 |     "references": [
 12 |         {
 13 |             "type": "ADVISORY",
 14 |             "url": "https://access.redhat.com/errata/RHSA-2022:0216"
 15 |         },
 16 |         {
 17 |             "type": "ARTICLE",
 18 |             "url": "https://access.redhat.com/security/updates/classification/#low"
 19 |         },
 20 |         {
 21 |             "type": "ARTICLE",
 22 |             "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4"
 23 |         },
 24 |         {
 25 |             "type": "ARTICLE",
 26 |             "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
 27 |         },
 28 |         {
 29 |             "type": "ARTICLE",
 30 |             "url": "https://access.redhat.com/solutions/6577421"
 31 |         },
 32 |         {
 33 |             "type": "ARTICLE",
 34 |             "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
 35 |         },
 36 |         {
 37 |             "type": "ARTICLE",
 38 |             "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
 39 |         },
 40 |         {
 41 |             "type": "REPORT",
 42 |             "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
 43 |         },
 44 |         {
 45 |             "type": "REPORT",
 46 |             "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034067"
 47 |         },
 48 |         {
 49 |             "type": "REPORT",
 50 |             "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035951"
 51 |         },
 52 |         {
 53 |             "type": "ADVISORY",
 54 |             "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_0216.json"
 55 |         },
 56 |         {
 57 |             "type": "REPORT",
 58 |             "url": "https://access.redhat.com/security/cve/CVE-2021-44832"
 59 |         },
 60 |         {
 61 |             "type": "ADVISORY",
 62 |             "url": "https://www.cve.org/CVERecord?id=CVE-2021-44832"
 63 |         },
 64 |         {
 65 |             "type": "ADVISORY",
 66 |             "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832"
 67 |         },
 68 |         {
 69 |             "type": "ARTICLE",
 70 |             "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
 71 |         },
 72 |         {
 73 |             "type": "REPORT",
 74 |             "url": "https://access.redhat.com/security/cve/CVE-2021-45046"
 75 |         },
 76 |         {
 77 |             "type": "ADVISORY",
 78 |             "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
 79 |         },
 80 |         {
 81 |             "type": "ADVISORY",
 82 |             "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
 83 |         },
 84 |         {
 85 |             "type": "ARTICLE",
 86 |             "url": "https://access.redhat.com/security/cve/CVE-2021-44228"
 87 |         },
 88 |         {
 89 |             "type": "ARTICLE",
 90 |             "url": "https://logging.apache.org/log4j/2.x/security.html"
 91 |         },
 92 |         {
 93 |             "type": "ARTICLE",
 94 |             "url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
 95 |         },
 96 |         {
 97 |             "type": "ARTICLE",
 98 |             "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
 99 |         },
100 |         {
101 |             "type": "REPORT",
102 |             "url": "https://access.redhat.com/security/cve/CVE-2021-45105"
103 |         },
104 |         {
105 |             "type": "ADVISORY",
106 |             "url": "https://www.cve.org/CVERecord?id=CVE-2021-45105"
107 |         },
108 |         {
109 |             "type": "ADVISORY",
110 |             "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
111 |         },
112 |         {
113 |             "type": "ARTICLE",
114 |             "url": "https://issues.apache.org/jira/browse/LOG4J2-3230"
115 |         },
116 |         {
117 |             "type": "ARTICLE",
118 |             "url": "https://www.openwall.com/lists/oss-security/2021/12/19/1"
119 |         }
120 |     ],
121 |     "schema_version": "1.6.0",
122 |     "severity": [
123 |         {
124 |             "type": "CVSS_V3",
125 |             "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
126 |         }
127 |     ]
128 | }


--------------------------------------------------------------------------------
/scripts/update-ecosystems-lists.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import json
  4 | import shutil
  5 | 
  6 | MARKDOWN_TABLE_MARKER_START = '<!-- begin auto-generated ecosystems list -->'
  7 | MARKDOWN_TABLE_MARKER_END = '<!-- end auto-generated ecosystems list -->'
  8 | 
  9 | # The version is not in the schema, so it's hardcoded here for now.
 10 | # This should be kept in sync with the canonical version.
 11 | SCHEMA_VERSION = "1.7.3"
 12 | 
 13 | # ensure that the ecosystems are sorted alphabetically and don't have extra whitespace
 14 | ecosystems: dict[str, str] = {
 15 |   k: v.strip() for k, v in sorted(
 16 |     json.loads(open('ecosystems.json').read()).items(),
 17 |     key=lambda item: item[0].casefold()
 18 |   )
 19 | }
 20 | 
 21 | # write back to the json file in case there were any changes
 22 | open('ecosystems.json', 'w').write(json.dumps(ecosystems, indent=2) + '\n')
 23 | 
 24 | 
 25 | def update_json_schema(filename: str):
 26 |   """
 27 |   Updates references to ecosystems defined in the OSV JSON schema
 28 |   :return:
 29 |   """
 30 |   schema = json.loads(open(filename).read())
 31 | 
 32 |   names = ecosystems.keys()
 33 |   pattern = ''
 34 | 
 35 |   for name in names:
 36 |     pattern += name.replace('.', '\\.')
 37 |     pattern += '|'
 38 | 
 39 |   # this is a special "ecosystem" name
 40 |   pattern += 'GIT'
 41 | 
 42 |   schema['$defs']['ecosystemName']['enum'] = list(names)
 43 |   schema['$defs']['ecosystemWithSuffix']['pattern'] = f'^({pattern})(:.+)?$'
 44 | 
 45 |   open(filename, 'w').write(json.dumps(schema, indent=2) + '\n')
 46 | 
 47 | 
 48 | def generate_ecosystems_markdown_table() -> str:
 49 |   """
 50 |   Generates a Markdown table of supported ecosystems with descriptions
 51 |   :return:
 52 |   """
 53 |   table = '| Ecosystem | Description |\n'
 54 |   table += '|-----------|-------------|\n'
 55 | 
 56 |   for name, description in ecosystems.items():
 57 |     table += f'| `{name}` | {description} |\n'
 58 | 
 59 |   return table
 60 | 
 61 | 
 62 | def update_schema_md():
 63 |   """
 64 |   Updates the schema.md file with the list of ecosystems
 65 |   :return:
 66 |   """
 67 |   md = open('docs/schema.md').read()
 68 | 
 69 |   table_start_index = md.index(MARKDOWN_TABLE_MARKER_START)
 70 |   table_end_index = md.index(MARKDOWN_TABLE_MARKER_END)
 71 | 
 72 |   assert table_start_index < table_end_index, 'Table start index must be before table end index'
 73 | 
 74 |   table = generate_ecosystems_markdown_table()
 75 |   table += '| Your ecosystem here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). |\n'
 76 | 
 77 |   md = '{0}{1}\n\n{2}\n{3}{4}'.format(
 78 |     md[:table_start_index],
 79 |     MARKDOWN_TABLE_MARKER_START,
 80 |     table,
 81 |     MARKDOWN_TABLE_MARKER_END,
 82 |     md[table_end_index + len(MARKDOWN_TABLE_MARKER_END):]
 83 |   )
 84 | 
 85 |   open('docs/schema.md', 'w').write(md)
 86 | 
 87 | 
 88 | def convert_to_go_constant_name(name: str) -> str:
 89 |   """
 90 |   Converts the "human" name of an ecosystem to a Go constant name, mostly
 91 |   by removing spaces and dashes and converting to PascalCase.
 92 | 
 93 |   Some ecosystems have special cases, like "crates.io" which is converted to "CratesIO".
 94 | 
 95 |   :param name:
 96 |   :return:
 97 |   """
 98 |   if name == 'crates.io':
 99 |     return 'EcosystemCratesIO'
100 | 
101 |   if name == 'npm':
102 |     return 'EcosystemNPM'
103 | 
104 |   name = name[0].upper() + name[1:]
105 |   name = name.replace('-', '').replace(' ', '')
106 | 
107 |   return f'Ecosystem{name}'
108 | 
109 | 
110 | def generate_ecosystems_go_constants() -> str:
111 |   """
112 |   Generates a list of Go constants, with a constant per ecosystem
113 |   :return:
114 |   """
115 | 
116 |   constants = list(map(lambda x: (convert_to_go_constant_name(x), x), ecosystems.keys()))
117 |   longest = max(map(lambda x: len(x[0]), constants))
118 | 
119 |   code = 'const (\n'
120 |   for constant, name in constants:
121 |     code += f'\t{constant.ljust(longest)} Ecosystem = "{name}"\n'
122 |   code += ')\n'
123 | 
124 |   return code
125 | 
126 | 
127 | def update_go_constants():
128 |   """
129 |   Updates the Go constants with the list of ecosystems
130 |   :return:
131 |   """
132 |   output_parts = [
133 |       '// Code generated by scripts/update-ecosystems-lists.py. DO NOT EDIT.',
134 |       'package osvconstants', '', f'const SchemaVersion = "{SCHEMA_VERSION}"',
135 |       '', 'type Ecosystem string',
136 |       ''
137 |   ]
138 |   output_parts.append(generate_ecosystems_go_constants())
139 |   output_content = '\n'.join(output_parts)
140 |   with open(
141 |       'bindings/go/osvconstants/constants.go', 'w',
142 |       encoding='utf-8') as f:
143 |     f.write(output_content)
144 | 
145 | 
146 | update_go_constants()
147 | update_json_schema('validation/schema.json')
148 | shutil.copy('validation/schema.json', 'tools/osv-linter/internal/checks/schema_generated.json')
149 | update_schema_md()
150 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
 6 | 
 7 | We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
 8 | 
 9 | ## Our Standards
10 | 
11 | Examples of behavior that contributes to a positive environment for our community include:
12 | 
13 | - Demonstrating empathy and kindness toward other people
14 | - Being respectful of differing opinions, viewpoints, and experiences
15 | - Giving and gracefully accepting constructive feedback
16 | - Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
17 | - Focusing on what is best not just for us as individuals, but for the overall community
18 | 
19 | Examples of unacceptable behavior include:
20 | 
21 | - The use of sexualized language or imagery and unwelcome sexual attention or
22 |   advances
23 | - Trolling, insulting/derogatory comments, and personal or political attacks
24 | - Public or private harassment
25 | - Publishing others' private information, such as a physical or electronic
26 |   address, without explicit permission
27 | - Other conduct which could reasonably be considered inappropriate in a
28 |   professional setting
29 | 
30 | ## Enforcement Responsibilities
31 | 
32 | Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
33 | 
34 | Project maintainers have the right and responsibility to remove, edit, or reject
35 | comments, commits, code, wiki edits, issues, and other contributions that are
36 | not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
37 | 
38 | ## Scope
39 | 
40 | This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
41 | 
42 | ## Enforcement
43 | 
44 | ### Enforcement Guidelines
45 | 
46 | Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
47 | 
48 | 1. Correction
49 | 
50 |    **Community Impact:** Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
51 | 
52 |    **Consequence:** A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
53 | 
54 | 2. Warning
55 | 
56 |    **Community Impact:** A violation through a single incident or series of actions.
57 | 
58 |    **Consequence:** A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
59 | 
60 | 3. Temporary Ban
61 | 
62 |    **Community Impact:** A serious violation of community standards, including sustained inappropriate behavior.
63 | 
64 |    **Consequence:** A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
65 | 
66 | 4. Permanent Ban
67 | 
68 |    **Community Impact:** Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
69 | 
70 |    **Consequence:** A permanent ban from any sort of public interaction within the community.
71 | 
72 | ## Attribution
73 | 
74 | This Code of Conduct is adapted from the Contributor Covenant, version 2.0, available at <https://www.contributor-covenant.org/version/2/0/code_of_conduct.html>.
75 | 
76 | Community Impact Guidelines were inspired by [Mozilla’s code of conduct enforcement ladder.](https://github.com/mozilla/inclusion)
77 | 
78 | For answers to common questions about this code of conduct, see the FAQ at <https://www.contributor-covenant.org/faq>. Translations are available at <https://www.contributor-covenant.org/translations>.


--------------------------------------------------------------------------------
/GUIDING_PRINCIPLES.md:
--------------------------------------------------------------------------------
  1 | # Guiding principles
  2 | 
  3 | Changes to the OSV (Open Source Vulnerability) schema are evaluated against
  4 | several core principles:
  5 | 
  6 | ## 1. Focus on Core Use Cases
  7 | 
  8 | The primary goal driving the OSV schema's design is to **enable software
  9 | developers to accurately identify and remediate all known vulnerabilities
 10 | within their applications' open source dependencies**.
 11 | 
 12 | To achieve this, the schema specifically supports two core use cases:
 13 | 1. For Vulnerability **Databases**: Make it easy for any vulnerability database
 14 |    to adopt and export the format, so that we have comprehensive coverage.
 15 | 2. For Vulnerability **Scanners**: Create a format that vulnerability scanners
 16 |    can use to produce **accurate** and **actionable** vulnerability scanning
 17 |    results.
 18 | 
 19 | This focus means that there may be some use cases of vulnerability data that
 20 | are out of scope, such as:
 21 | - Detailed historical analysis of vulnerability trends.
 22 | - Tracking metadata about vulnerabilities that may be interesting but otherwise
 23 |   not useful for automatic vulnerability matching and remediation (e.g.
 24 |   individual timelines of vulnerabilities, or detailed relationship graphs
 25 |   between vulnerabilities).
 26 | 
 27 | While these aren't the primary focus, the OSV schema might still be useful for
 28 | these secondary purposes if the required data fields overlap with those needed
 29 | for its core use cases.
 30 | 
 31 | ## 2. Simplicity
 32 | 
 33 | A well-defined set of use cases allows the schema to remain concise and
 34 | minimal. This simplicity makes the schema easier for consumers (like scanners)
 35 | to understand and easier for producers (like databases) to adopt.
 36 | 
 37 | Each field should serve a distinct purpose directly linked to the core use cases.
 38 | There must also be a practical way for vulnerability data producers to supply
 39 | the data for each field. Aspirational fields, which cannot be realistically
 40 | populated by vulnerability databases or realistically used by consumers, must
 41 | be avoided.
 42 | 
 43 | Where possible, there should be a data-driven justification with clear evidence
 44 | of demand (from both producers/consumers) when adding a new field.
 45 | 
 46 | ## 3. Correctness and Consistency
 47 | 
 48 | OSV schema fields must promote data correctness and consistency.
 49 | 
 50 | Fields require unambiguous rules for encoding values, including specifics like
 51 | casing and formatting.
 52 | 
 53 | Where the schema refers to specific software ecosystems (e.g., package
 54 | managers), its rules must align precisely with that ecosystem's specifications.
 55 | For instance, package names and version ordering for the "PyPI" ecosystem must
 56 | adhere strictly to PyPI's official rules.
 57 | 
 58 | Where possible these rules should should be enforceable via the OSV JSON Schema
 59 | and linter.
 60 | 
 61 | ## 4. Prioritizing Open Source
 62 | 
 63 | While the OSV schema can represent vulnerabilities in closed-source software,
 64 | its primary focus and design considerations prioritize open source software
 65 | ecosystems.
 66 | 
 67 | ## 5. Federated Database Model
 68 | 
 69 | The OSV schema promotes a distributed model of "home" vulnerability databases,
 70 | maintained by the relevant communities or organizations.
 71 | 
 72 | For example, the Go community maintains a database using the `GO-` prefix,
 73 | while the Rust community maintains one using `RUSTSEC-`.
 74 | 
 75 | This means vulnerability records are ideally owned and published by the most
 76 | relevant upstream source for that ecosystem.
 77 | 
 78 | Consequently, metadata originating by definition from separate, centralized
 79 | authorities (like EPSS scores or CISA KEV status), doesn't belong directly
 80 | within the core OSV record itself, as it's not authored by the record's "home"
 81 | database.
 82 | 
 83 | ## 6. Backwards Compatibility
 84 | 
 85 | The OSV schema is considered stable with no breaking changes expected. OSV
 86 | records target a specific
 87 | [`schema_version`](https://ossf.github.io/osv-schema/#schema_version-field),
 88 | with the expectation that future versions of the schema will maintain backwards
 89 | compatibility:
 90 | 
 91 | - Existing clients supporting an older version of the schema don’t have to update
 92 |   their behaviour to consume records targeting newer versions.
 93 | - Clients that support a newer version of the schema don’t need special
 94 |   behaviour to account for older versions of the schema. They can treat each
 95 |   record as if it was targeting the latest version of the schema.
 96 | 
 97 | In practice, this means:
 98 | 
 99 | - Fields are never removed.
100 | - The meaning or interpretation of existing fields can be broadened, but never
101 |   changed in a way that breaks older clients.
102 | - Clients must be able to safely ignore fields or values introduced in newer
103 |   schema versions that they don't understand.
104 | 
105 | This commitment of backwards compatibility means that there is a large cost
106 | associated with adding a new field to the schema. While it may seem simple to
107 | add a new field, its permanence increases the schema's complexity over time.
108 | 


--------------------------------------------------------------------------------
/docs/_data/locale.yml:
--------------------------------------------------------------------------------
  1 | # @start locale config
  2 | ## => English
  3 | ########################
  4 | en: &EN
  5 |   SUBSCRIBE               : "Subscribe"
  6 |   READMORE                : "Read more"
  7 |   SEARCH                  : "Search"
  8 |   CANCEL                  : "Cancel"
  9 |   VIEWS                   : "views"
 10 |   LAST_UPDATED            : "Last updated"
 11 |   PREVIOUS                : "PREVIOUS"
 12 |   NEXT                    : "NEXT"
 13 |   ARTICLE_DATE_FORMAT     : "%b %d, %Y"
 14 |   ARTICLE_LIST_DATE_FORMAT: "%b %d"
 15 |   STATISTICS              : "[POST_COUNT] post articles, [PAGE_COUNT] pages."
 16 |   LICENSE_ANNOUNCE        : "This work is licensed under a [LICENSE] license."
 17 |   POST_ON_GITHUB          : "Edit on Github"
 18 |   FOLLOW_ME               : "Follow me on [NAME]."
 19 |   FOLLOW_US               : "Follow us on [NAME]."
 20 |   EMAIL_ME                : "Send me an Email."
 21 |   EMAIL_US                : "Send us an Email."
 22 |   COPYRIGHT_DATES         : "2021"
 23 | 
 24 | en-GB:
 25 |   <<: *EN
 26 | en-US:
 27 |   <<: *EN
 28 | en-CA:
 29 |   <<: *EN
 30 | en-AU:
 31 |   <<: *EN
 32 | 
 33 | ## => Simplified Chinese
 34 | ########################
 35 | zh-Hans: &ZH_HANS
 36 |   SUBSCRIBE               : "订阅"
 37 |   READMORE                : "阅读更多"
 38 |   SEARCH                  : "搜索"
 39 |   CANCEL                  : "取消"
 40 |   VIEWS                   : "阅读"
 41 |   LAST_UPDATED            : "更新于"
 42 |   PREVIOUS                : "上篇"
 43 |   NEXT                    : "下篇"
 44 |   ARTICLE_DATE_FORMAT     : "%Y年 %m月%d日"
 45 |   ARTICLE_LIST_DATE_FORMAT: "%m月%d日"
 46 |   STATISTICS              : "共计 [POST_COUNT] 篇文章，[PAGE_COUNT] 页。"
 47 |   LICENSE_ANNOUNCE        : "本文遵守 [LICENSE] 许可协议。"
 48 |   POST_ON_GITHUB          : "在 Github 上修改"
 49 |   FOLLOW_ME               : "在 [NAME] 上关注我。"
 50 |   FOLLOW_US               : "在 [NAME] 上关注我们。"
 51 |   EMAIL_ME                : "给我发邮件。"
 52 |   EMAIL_US                : "给我们发邮件。"
 53 |   COPYRIGHT_DATES         : "2021"
 54 | 
 55 | zh:
 56 |   <<: *ZH_HANS
 57 | zh-CN:
 58 |   <<: *ZH_HANS
 59 | zh-SG:
 60 |   <<: *ZH_HANS
 61 | 
 62 | ## => Traditional Chinese
 63 | ########################
 64 | zh-Hant: &ZH_HANT
 65 |   SUBSCRIBE               : "訂閱"
 66 |   READMORE                : "閱讀更多"
 67 |   SEARCH                  : "搜索"
 68 |   CANCEL                  : "取消"
 69 |   VIEWS                   : "閱讀"
 70 |   LAST_UPDATED            : "更新於"
 71 |   PREVIOUS                : "上篇"
 72 |   NEXT                    : "下篇"
 73 |   ARTICLE_DATE_FORMAT     : "%Y年 %m月%d日"
 74 |   ARTICLE_LIST_DATE_FORMAT: "%m月%d日"
 75 |   STATISTICS              : "共計 [POST_COUNT] 篇文章，[PAGE_COUNT] 頁。"
 76 |   LICENSE_ANNOUNCE        : "本文遵守 [LICENSE] 許可協議。"
 77 |   POST_ON_GITHUB          : "在 Github 上修改"
 78 |   FOLLOW_ME               : "在 [NAME] 上關注我。"
 79 |   FOLLOW_US               : "在 [NAME] 上關注我們。"
 80 |   EMAIL_ME                : "給我發郵件。"
 81 |   EMAIL_US                : "給我們發郵件。"
 82 |   COPYRIGHT_DATES         : "2021"
 83 | 
 84 | zh-TW:
 85 |   <<: *ZH_HANT
 86 | zh-HK:
 87 |   <<: *ZH_HANT
 88 | 
 89 | ## => Korean
 90 | ########################
 91 | ko: &KO
 92 |   SUBSCRIBE               : "구독하기"
 93 |   READMORE                : "더보기"
 94 |   SEARCH                  : "검색"
 95 |   CANCEL                  : "취소"
 96 |   VIEWS                   : "조회"
 97 |   LAST_UPDATED            : "마지막 수정"
 98 |   PREVIOUS                : "이전"
 99 |   NEXT                    : "다음"
100 |   ARTICLE_DATE_FORMAT     : "%Y년 %m월 %d일"
101 |   ARTICLE_LIST_DATE_FORMAT: "%m월 %d일"
102 |   STATISTICS              : "전체 글 [POST_COUNT]개, [PAGE_COUNT] 페이지"
103 |   LICENSE_ANNOUNCE        : "이 글의 저작권은 [LICENSE] 라이센스를 따릅니다."
104 |   POST_ON_GITHUB          : "Github에서 확인하기"
105 |   FOLLOW_ME               : "[NAME]에서 팔로우하기"
106 |   FOLLOW_US               : "[NAME]에서 팔로우하기"
107 |   EMAIL_ME                : "이메일 보내기"
108 |   EMAIL_US                : "이메일 보내기"
109 |   COPYRIGHT_DATES         : "2021"
110 | 
111 | ko-KR:
112 |   <<: *KO
113 | 
114 | ## => French
115 | ########################
116 | fr: &FR
117 |   SUBSCRIBE               : "S'abonner"
118 |   READMORE                : "Plus"
119 |   SEARCH                  : "Recherche"
120 |   CANCEL                  : "Annuler"
121 |   VIEWS                   : "vues"
122 |   LAST_UPDATED            : "Dernière modification"
123 |   PREVIOUS                : "PRÉCÉDENT"
124 |   NEXT                    : "SUIVANT"
125 |   ARTICLE_DATE_FORMAT     : "%d %b, %Y"
126 |   ARTICLE_LIST_DATE_FORMAT: "%d %b"
127 |   STATISTICS              : "[POST_COUNT] articles, [PAGE_COUNT] pages."
128 |   LICENSE_ANNOUNCE        : "Ce travail est sous licence [LICENSE]."
129 |   POST_ON_GITHUB          : "Modifier sur Github"
130 |   FOLLOW_ME               : "Suivez-moi sur [NAME]."
131 |   FOLLOW_US               : "Suivez-nous sur [NAME]."
132 |   EMAIL_ME                : "Envoyez-moi un courriel."
133 |   EMAIL_US                : "Envoyez-nous un courriel"
134 |   COPYRIGHT_DATES         : "2021"
135 |   DONATE                  : "Faites un don de [NAME]."
136 | 
137 | fr-BE:
138 |   <<: *FR
139 | fr-CA:
140 |   <<: *FR
141 | fr-CH:
142 |   <<: *FR
143 | fr-FR:
144 |   <<: *FR
145 | fr-LU:
146 |   <<: *FR
147 | # @end locale config
148 | 


--------------------------------------------------------------------------------
/tools/redhat/redhat_osv/csaf_test.py:
--------------------------------------------------------------------------------
  1 | """Test parsing CSAF v2 advisories"""
  2 | import unittest
  3 | 
  4 | from redhat_osv.csaf import Remediation
  5 | 
  6 | 
  7 | class CSAFTest(unittest.TestCase):
  8 |     """class to handle remediation advice in CSAF data"""
  9 | 
 10 |     def setUp(self):
 11 |         """Set up test data for parameterized tests"""
 12 |         self.test_cases = [{
 13 |             "name":
 14 |             "buildah_module_test",
 15 |             "product_id":
 16 |             ("AppStream-8.4.0.Z.TUS:container-tools:3.0:8040020240104111259:c0c392d5:"
 17 |              "buildah-0:1.19.9-1.module+el8.4.0+21078+a96cfbf6.src"),
 18 |             "cpes": {
 19 |                 "AppStream-8.4.0.Z.TUS": "cpe:/a:redhat:rhel_tus:8.4::appstream"
 20 |             },
 21 |             "purls": {
 22 |                 "buildah-0:1.19.9-1.module+el8.4.0+21078+a96cfbf6.src":
 23 |                 "pkg:rpm/redhat/buildah@1.19.9-1.module%2Bel8.4.0%2B21078%2Ba96cfbf6?arch=src"
 24 |             },
 25 |             "expected_cpe":
 26 |             "cpe:/a:redhat:rhel_tus:8.4::appstream",
 27 |             "expected_purl":
 28 |             ("pkg:rpm/redhat/buildah@1.19.9-1.module%2Bel8.4.0%2B21078%2Ba96cfbf6?arch=src"
 29 |              )
 30 |         }, {
 31 |             "name":
 32 |             "golang_module_test",
 33 |             "product_id":
 34 |             ("AppStream-8.10.0.Z.MAIN.EUS:go-toolset:rhel8:8100020240701064852:fd72936b:"
 35 |              "golang-0:1.21.12-1.module+el8.10.0+20141+6faa2812.src"),
 36 |             "cpes": {
 37 |                 "AppStream-8.10.0.Z.MAIN.EUS":
 38 |                 "cpe:/a:redhat:rhel_eus:8.10::appstream"
 39 |             },
 40 |             "purls": {
 41 |                 "golang-0:1.21.12-1.module+el8.10.0+20141+6faa2812.src":
 42 |                 "pkg:rpm/redhat/golang@1.21.12-1.module%2Bel8.10.0%2B20141%2B6faa2812?arch=src"
 43 |             },
 44 |             "expected_cpe":
 45 |             "cpe:/a:redhat:rhel_eus:8.10::appstream",
 46 |             "expected_purl":
 47 |             ("pkg:rpm/redhat/golang@1.21.12-1.module%2Bel8.10.0%2B20141%2B6faa2812?arch=src"
 48 |              )
 49 |         }, {
 50 |             "name":
 51 |             "hivex_module_test",
 52 |             "product_id":
 53 |             ("AppStream-8.10.0.Z.MAIN.EUS:virt:rhel:8100020240701064852:fd72936b:"
 54 |              "hivex-0:1.3.18-23.module+el8.10.0+20141+6faa2812.src"),
 55 |             "cpes": {
 56 |                 "AppStream-8.10.0.Z.MAIN.EUS":
 57 |                 "cpe:/a:redhat:rhel_eus:8.10::appstream"
 58 |             },
 59 |             "purls": {
 60 |                 "hivex-0:1.3.18-23.module+el8.10.0+20141+6faa2812.src":
 61 |                 "pkg:rpm/redhat/hivex@1.3.18-23.module%2Bel8.10.0%2B20141%2B6faa2812?arch=src"
 62 |             },
 63 |             "expected_cpe":
 64 |             "cpe:/a:redhat:rhel_eus:8.10::appstream",
 65 |             "expected_purl":
 66 |             ("pkg:rpm/redhat/hivex@1.3.18-23.module%2Bel8.10.0%2B20141%2B6faa2812?arch=src"
 67 |              )
 68 |         }, {
 69 |             "name":
 70 |             "simple_package_test",
 71 |             "product_id":
 72 |             "BaseOS-8.10.0.Z.MAIN.EUS:kernel-0:4.18.0-553.16.1.el8_10.src",
 73 |             "cpes": {
 74 |                 "BaseOS-8.10.0.Z.MAIN.EUS":
 75 |                 "cpe:/o:redhat:rhel_eus:8.10::baseos"
 76 |             },
 77 |             "purls": {
 78 |                 "kernel-0:4.18.0-553.16.1.el8_10.src":
 79 |                 "pkg:rpm/redhat/kernel@4.18.0-553.16.1.el8_10?arch=src"
 80 |             },
 81 |             "expected_cpe":
 82 |             "cpe:/o:redhat:rhel_eus:8.10::baseos",
 83 |             "expected_purl":
 84 |             ("pkg:rpm/redhat/kernel@4.18.0-553.16.1.el8_10?arch=src")
 85 |         }, {
 86 |             "name":
 87 |             "slof_csaf_test",
 88 |             "product_id":
 89 |             "CRB-8.10.0.Z.MAIN.EUS:SLOF-20210217-2.module+el8.10.0+20141+6faa2812"
 90 |             ".src.rpm-virt-devel:rhel",
 91 |             "cpes": {
 92 |                 "CRB-8.10.0.Z.MAIN.EUS": "cpe:/a:redhat:enterprise_linux:8::crb"
 93 |             },
 94 |             "purls": {
 95 |                 "SLOF-20210217-2.module+el8.10.0+20141+6faa2812.src.rpm-virt-devel:rhel":
 96 |                 "pkg:rpm/redhat/SLOF@20210217-2.module%2Bel8.10.0%2B20141%2B6faa2812?arch=src&"
 97 |                 "rpmmod=virt-devel:rhel:8100020240704072441:489197e6"
 98 |             },
 99 |             "expected_cpe":
100 |             "cpe:/a:redhat:enterprise_linux:8::crb",
101 |             "expected_purl":
102 |             "pkg:rpm/redhat/SLOF@20210217-2.module%2Bel8.10.0%2B20141%2B"
103 |             "6faa2812?arch=src&rpmmod=virt-devel:rhel:8100020240704072441:489197e6"
104 |         }]
105 | 
106 |     def test_parse_remediation_parameterized(self):
107 |         """Test parsing CSAF Remediations with multiple test cases"""
108 |         for test_case in self.test_cases:
109 |             with self.subTest(test_case=test_case["name"]):
110 |                 result = Remediation(test_case["product_id"], test_case["cpes"],
111 |                                      test_case["purls"])
112 |                 self.assertEqual(result.cpe, test_case["expected_cpe"],
113 |                                  f"CPE mismatch for {test_case['name']}")
114 |                 self.assertEqual(result.purl, test_case["expected_purl"],
115 |                                  f"PURL mismatch for {test_case['name']}")
116 | 
117 | 
118 | if __name__ == '__main__':
119 |     unittest.main()
120 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/pkgchecker/package_check.go:
--------------------------------------------------------------------------------
  1 | package pkgchecker
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"net/http"
  6 | 	"strings"
  7 | 
  8 | 	"github.com/ossf/osv-schema/linter/internal/faulttolerant"
  9 | )
 10 | 
 11 | // Validate the existence of a package in CRAN.
 12 | func existsInCran(pkg string) bool {
 13 | 	ecosystem := "CRAN"
 14 | 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs[ecosystem], pkg)
 15 | 
 16 | 	return checkPackageExists(packageInstanceURL)
 17 | }
 18 | 
 19 | // Validate the existence of a package in crates.io.
 20 | func existsInCrates(pkg string) bool {
 21 | 	// Handle special case for rust standard library
 22 | 	if pkg == "std" {
 23 | 		return true
 24 | 	}
 25 | 
 26 | 	ecosystem := "crates.io"
 27 | 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs[ecosystem], pkg)
 28 | 
 29 | 	if isPackageInDepsDev(ecosystem, pkg) {
 30 | 		return true
 31 | 	}
 32 | 
 33 | 	return checkPackageExists(packageInstanceURL)
 34 | }
 35 | 
 36 | // Validate the existence of a package in Go.
 37 | func existsInGo(pkg string) bool {
 38 | 	// Of course the Go runtime exists :-)
 39 | 	if pkg == "stdlib" || pkg == "toolchain" {
 40 | 		return true
 41 | 	}
 42 | 
 43 | 	// The Go Module Proxy seems to require package names to be lowercase.
 44 | 	// GitHub URLs are known to be case-insensitive.
 45 | 	if strings.HasPrefix(pkg, "github.com/") {
 46 | 		pkg = strings.ToLower(pkg)
 47 | 	}
 48 | 
 49 | 	ecosystem := "Go"
 50 | 	packageInstanceURL := fmt.Sprintf("%s/%s/@v/list", EcosystemBaseURLs[ecosystem], pkg)
 51 | 
 52 | 	if isPackageInDepsDev(ecosystem, pkg) {
 53 | 		return true
 54 | 	}
 55 | 
 56 | 	return checkPackageExists(packageInstanceURL)
 57 | }
 58 | 
 59 | // Validate the existence of a package in Hackage.
 60 | func existsInHackage(pkg string) bool {
 61 | 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs["Hackage"], pkg)
 62 | 
 63 | 	return checkPackageExists(packageInstanceURL)
 64 | }
 65 | 
 66 | // Validate the existence of a package in Hex.
 67 | func existsInHex(pkg string) bool {
 68 | 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs["Hex"], pkg)
 69 | 
 70 | 	return checkPackageExists(packageInstanceURL)
 71 | }
 72 | 
 73 | // Validate the existence of a package in Julia.
 74 | func existsInJulia(pkg string) bool {
 75 | 	packageInstanceURL := fmt.Sprintf("%s/%s/versions.json", EcosystemBaseURLs["Julia"], pkg)
 76 | 
 77 | 	return checkPackageExists(packageInstanceURL)
 78 | }
 79 | 
 80 | // Validate the existence of a package in Maven.
 81 | func existsInMaven(pkg string) bool {
 82 | 	if !strings.Contains(pkg, ":") {
 83 | 		return false
 84 | 	}
 85 | 	group_id := strings.Split(pkg, ":")[0]
 86 | 	artifact_id := strings.Split(pkg, ":")[1]
 87 | 
 88 | 	ecosystem := "Maven"
 89 | 	packageInstanceURL := fmt.Sprintf("%s/?q=g:%s%%20AND%%20a:%s", EcosystemBaseURLs[ecosystem], group_id, artifact_id)
 90 | 
 91 | 	if isPackageInDepsDev(ecosystem, pkg) {
 92 | 		return true
 93 | 	}
 94 | 
 95 | 	// Needs to use GET instead of HEAD for Maven
 96 | 	resp, err := faulttolerant.Get(packageInstanceURL)
 97 | 	if err != nil {
 98 | 		return false
 99 | 	}
100 | 
101 | 	return resp.StatusCode == http.StatusOK
102 | }
103 | 
104 | // Validate the existence of a package in npm.
105 | func existsInNpm(pkg string) bool {
106 | 	ecosystem := "npm"
107 | 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs[ecosystem], pkg)
108 | 
109 | 	if isPackageInDepsDev(ecosystem, pkg) {
110 | 		return true
111 | 	}
112 | 
113 | 	return checkPackageExists(packageInstanceURL)
114 | }
115 | 
116 | // Validate the existence of a package in NuGet.
117 | func existsInNuget(pkg string) bool {
118 | 	ecosystem := "NuGet"
119 | 	packageInstanceURL := fmt.Sprintf("%s/%s/index.json", EcosystemBaseURLs[ecosystem], pkg)
120 | 
121 | 	if isPackageInDepsDev(ecosystem, pkg) {
122 | 		return true
123 | 	}
124 | 
125 | 	return checkPackageExists(packageInstanceURL)
126 | }
127 | 
128 | // Validate the existence of a package in Packagist.
129 | func existsInPackagist(pkg string, repo string) bool {
130 | 	packageInstanceURL, err := resolvePackagistPackageInstanceURL(pkg, repo)
131 | 
132 | 	if err != nil {
133 | 		return false
134 | 	}
135 | 
136 | 	return checkPackageExists(packageInstanceURL)
137 | }
138 | 
139 | // Validate the existence of a package in Pub.
140 | func existsInPub(pkg string) bool {
141 | 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs["Pub"], pkg)
142 | 
143 | 	return checkPackageExists(packageInstanceURL)
144 | }
145 | 
146 | // Validate the existence of a package in PyPI.
147 | func existsInPyPI(pkg string) bool {
148 | 	ecosystem := "PyPI"
149 | 	packageInstanceURL := fmt.Sprintf("%s/%s/json", EcosystemBaseURLs[ecosystem], strings.ToLower(pkg))
150 | 
151 | 	if isPackageInDepsDev(ecosystem, pkg) {
152 | 		return true
153 | 	}
154 | 
155 | 	return checkPackageExists(packageInstanceURL)
156 | }
157 | 
158 | // Validate the existence of a package in RubyGems.
159 | func existsInRubyGems(pkg string) bool {
160 | 	packageInstanceURL := fmt.Sprintf("%s/gems/%s.json", EcosystemBaseURLs["RubyGems"], pkg)
161 | 
162 | 	return checkPackageExists(packageInstanceURL)
163 | }
164 | 
165 | // Makes an HTTP GET request to check package existance, with fault tolerance.
166 | func checkPackageExists(packageInstanceURL string) bool {
167 | 	// This 404's for non-existent packages.
168 | 	resp, err := faulttolerant.Head(packageInstanceURL)
169 | 	if err != nil {
170 | 		return false
171 | 	}
172 | 
173 | 	return resp.StatusCode == http.StatusOK
174 | }
175 | 
176 | func isPackageInDepsDev(ecosystem string, pkg string) bool {
177 | 	url := fmt.Sprintf("https://api.deps.dev/v3/systems/%s/packages/%s", ecosystem, pkg)
178 | 	return checkPackageExists(url)
179 | }
180 | 


--------------------------------------------------------------------------------
/tools/osv-linter/internal/pkgchecker/ecosystems.go:
--------------------------------------------------------------------------------
  1 | package pkgchecker
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | )
  6 | 
  7 | // Ecosystem support is a work in progress.
  8 | var SupportedEcosystems = []string{
  9 | 	"CRAN",
 10 | 	"crates.io",
 11 | 	"Go",
 12 | 	"Hackage",
 13 | 	"Hex",
 14 | 	"Julia",
 15 | 	"Maven",
 16 | 	"npm",
 17 | 	"NuGet",
 18 | 	"Packagist",
 19 | 	"Pub",
 20 | 	"PyPI",
 21 | 	"RubyGems",
 22 | }
 23 | 
 24 | // EcosystemBaseURLs maps ecosystems to their base API URLs.
 25 | var EcosystemBaseURLs = map[string]string{
 26 | 	"CRAN":      "https://crandb.r-pkg.org/",
 27 | 	"crates.io": "https://crates.io/api/v1/crates",
 28 | 	"Go":        "https://proxy.golang.org",
 29 | 	"Hackage":   "https://hackage.haskell.org/package",
 30 | 	"Hex":       "https://hex.pm/api/packages",
 31 | 	"Julia":     "http://juliaregistries.github.io/GeneralMetadata.jl/api",
 32 | 	"Maven":     "https://search.maven.org/solrsearch/select",
 33 | 	"npm":       "https://registry.npmjs.org",
 34 | 	"NuGet":     "https://api.nuget.org/v3-flatcontainer",
 35 | 	"Packagist": "https://repo.packagist.org/p2",
 36 | 	"Pub":       "https://pub.dev/api/packages",
 37 | 	"PyPI":      "https://pypi.org/pypi",
 38 | 	"RubyGems":  "https://rubygems.org/api/v1",
 39 | }
 40 | 
 41 | // Dispatcher for ecosystem-specific package existence checking.
 42 | func ExistsInEcosystem(pkg string, ecosystem string, suffix string) bool {
 43 | 	switch ecosystem {
 44 | 	case "AlmaLinux":
 45 | 		return true
 46 | 	case "Alpine":
 47 | 		return true
 48 | 	case "Android":
 49 | 		return true
 50 | 	case "Bitnami":
 51 | 		return true
 52 | 	case "Chainguard":
 53 | 		return true
 54 | 	case "CRAN":
 55 | 		return existsInCran(pkg)
 56 | 	case "crates.io":
 57 | 		return existsInCrates(pkg)
 58 | 	case "Debian":
 59 | 		return true
 60 | 	case "Echo":
 61 | 		return true
 62 | 	case "GIT":
 63 | 		return true
 64 | 	case "GitHub Actions":
 65 | 		return true
 66 | 	case "Go":
 67 | 		return existsInGo(pkg)
 68 | 	case "GSD":
 69 | 		return true
 70 | 	case "Hackage":
 71 | 		return existsInHackage(pkg)
 72 | 	case "Hex":
 73 | 		return existsInHex(pkg)
 74 | 	case "Julia":
 75 | 		return existsInJulia(pkg)
 76 | 	case "Kubernetes":
 77 | 		return true
 78 | 	case "Linux":
 79 | 		return true
 80 | 	case "Maven":
 81 | 		return existsInMaven(pkg)
 82 | 	case "MinimOS":
 83 | 		return true
 84 | 	case "npm":
 85 | 		return existsInNpm(pkg)
 86 | 	case "NuGet":
 87 | 		return existsInNuget(pkg)
 88 | 	case "openSUSE":
 89 | 		return true
 90 | 	case "OSS-Fuzz":
 91 | 		return true
 92 | 	case "Packagist":
 93 | 		return existsInPackagist(pkg, suffix)
 94 | 	case "Pub":
 95 | 		return existsInPub(pkg)
 96 | 	case "PyPI":
 97 | 		return existsInPyPI(pkg)
 98 | 	case "Red Hat":
 99 | 		return true
100 | 	case "Rocky Linux":
101 | 		return true
102 | 	case "RubyGems":
103 | 		return existsInRubyGems(pkg)
104 | 	case "SUSE":
105 | 		return true
106 | 	case "SwiftURL":
107 | 		return true
108 | 	case "Ubuntu":
109 | 		return true
110 | 	case "UVI":
111 | 		return true
112 | 	case "Wolfi":
113 | 		return true
114 | 	}
115 | 	return false
116 | }
117 | 
118 | // MissingVersionsError describes when specific versions of a package could not be found.
119 | type MissingVersionsError struct {
120 | 	Package   string
121 | 	Ecosystem string
122 | 	Invalid   []string
123 | 	Missing   []string
124 | 	Known     []string
125 | }
126 | 
127 | func (e MissingVersionsError) Error() string {
128 | 	msg := fmt.Sprintf("Failed to find %+q of %q in %q (have: %+q", e.Missing, e.Package, e.Ecosystem, e.Known)
129 | 
130 | 	if len(e.Invalid) > 0 {
131 | 		msg += fmt.Sprintf(", invalid versions: %+q", e.Invalid)
132 | 	}
133 | 
134 | 	msg += ")"
135 | 
136 | 	return msg
137 | }
138 | 
139 | // Dispatcher for ecosystem-specific package version existence checking.
140 | func VersionsExistInEcosystem(pkg string, versions []string, ecosystem string, suffix string) error {
141 | 	switch ecosystem {
142 | 	case "AlmaLinux":
143 | 		return nil
144 | 	case "Alpine":
145 | 		return nil
146 | 	case "Android":
147 | 		return nil
148 | 	case "Bitnami":
149 | 		return nil
150 | 	case "Chainguard":
151 | 		return nil
152 | 	case "CRAN":
153 | 		return versionsExistInCran(pkg, versions)
154 | 	case "crates.io":
155 | 		return versionsExistInCrates(pkg, versions)
156 | 	case "Debian":
157 | 		return nil
158 | 	case "Echo":
159 | 		return nil
160 | 	case "GIT":
161 | 		return nil
162 | 	case "GitHub Actions":
163 | 		return nil
164 | 	case "Go":
165 | 		return versionsExistInGo(pkg, versions)
166 | 	case "GSD":
167 | 		return nil
168 | 	case "Hackage":
169 | 		return versionsExistInHackage(pkg, versions)
170 | 	case "Julia":
171 | 		return versionsExistInJulia(pkg, versions)
172 | 	case "Hex":
173 | 		return versionsExistInHex(pkg, versions)
174 | 	case "Linux":
175 | 		return nil
176 | 	case "Maven":
177 | 		return nil
178 | 	case "MinimOS":
179 | 		return nil
180 | 	case "npm":
181 | 		return versionsExistInNpm(pkg, versions)
182 | 	case "NuGet":
183 | 		return versionsExistInNuGet(pkg, versions)
184 | 	case "openSUSE":
185 | 		return nil
186 | 	case "OSS-Fuzz":
187 | 		return nil
188 | 	case "Packagist":
189 | 		return versionsExistInPackagist(pkg, versions, suffix)
190 | 	case "Pub":
191 | 		return versionsExistInPub(pkg, versions)
192 | 	case "PyPI":
193 | 		return versionsExistInPyPI(pkg, versions)
194 | 	case "Red Hat":
195 | 		return nil
196 | 	case "Rocky Linux":
197 | 		return nil
198 | 	case "RubyGems":
199 | 		return versionsExistInRubyGems(pkg, versions)
200 | 	case "SUSE":
201 | 		return nil
202 | 	case "SwiftURL":
203 | 		return nil
204 | 	case "Ubuntu":
205 | 		return nil
206 | 	case "UVI":
207 | 		return nil
208 | 	case "Wolfi":
209 | 		return nil
210 | 	}
211 | 	return fmt.Errorf("unsupported ecosystem: %s", ecosystem)
212 | }
213 | 


--------------------------------------------------------------------------------
/tools/osv-linter/README.md:
--------------------------------------------------------------------------------
  1 | # OSV Record Linter
  2 | 
  3 | A tool for performing data quality checks on OSV records, individually and in aggregate.
  4 | 
  5 | ## Vision
  6 | 
  7 | * OSV record producers are able to run a tool on records they publish, as part of their record publishing pipeline, to discover any data quality issues that might negatively impact the utility of the record by downstream users
  8 | * OSV.dev has a repeatable and transparent mechanism for maintaining a quality bar above and beyond what JSON Schema validation enables
  9 | * Interested parties can contribute additional checks
 10 | * Interested parties may conduct analyses across OSV records in aggregate
 11 | 
 12 | Inspired by [github.com/mprpic/cvelint](https://github.com/mprpic/cvelint), and under active development.
 13 | 
 14 | ### TODO
 15 | 
 16 | * Define and implement a machine-readable format for check results to facilitate integration
 17 |   * Today, a non-zero return code is the coarse-grained indicator of correctness
 18 | * Add a flag to specify checks to be ignored
 19 | 
 20 | ## Usage
 21 | 
 22 | ```text
 23 | $ go run ./cmd/osv/ record lint --help
 24 | NAME:
 25 |    osv record lint - check OSV records for correctness
 26 | 
 27 | USAGE:
 28 |    osv record lint [command options]
 29 | 
 30 | OPTIONS:
 31 |    --verbose                                  verbose output (default: false)
 32 |    --collection value                         check collection to use (use 'list' to see) (default: "ALL")
 33 |    --checks value [ --checks value ]          explicitly run a specific check (use 'list' to see)
 34 |    --ecosystems value [ --ecosystems value ]  the ecosystems to constrain package checks to (use 'list' to see)
 35 |    --help, -h                                 show help
 36 | ```
 37 | 
 38 | ```text
 39 | $ go run ./cmd/osv record lint testdata
 40 | testdata/nointroduced-CVE-2023-41045.json:
 41 |          * [RNG:001]: missing 'introduced' object in event
 42 | testdata/nondistinct-CVE-2018-5407.json:
 43 |          * [RNG:002]: overlapping event: "e818b74be2170fbe957a07b0da4401c2b694b3b8"
 44 | 2024/10/22 00:04:23 found errors
 45 | exit status 1
 46 | ```
 47 | 
 48 | ```text
 49 | $ go run ./cmd/osv/ record lint --checks list
 50 | Available checks:
 51 | 
 52 | REC:001: (affected-data-exists): every record has affected data
 53 | REC:002: (valid-aliases): aliases field validates
 54 | REC:003: (valid-upstream): upstream field validates
 55 | REC:004: (valid-related): related field validates
 56 | RNG:001: (introduced-event-exists): every range has an introduced event
 57 | RNG:002: (range-is-distinct): range spans multiple versions/commits
 58 | PKG:001: (package-exists): package exists in ecosystem's registry
 59 | PKG:002: (package-versions-exist): package versions exist in ecosystem's registry
 60 | PKG:003: (package-purl-valid): package purl validates
 61 | ```
 62 | 
 63 | ```text
 64 | $ go run ./cmd/osv/ record lint --collection list
 65 | Available check collections:
 66 | 
 67 | ALL: all checks currently defined
 68 |         REC:001: (affected-data-exists): every record has affected data
 69 |         REC:002: (valid-aliases): aliases field validates
 70 |         REC:003: (valid-upstream): upstream field validates
 71 |         REC:004: (valid-related): related field validates
 72 |         RNG:001: (introduced-event-exists): every range has an introduced event
 73 |         RNG:002: (range-is-distinct): range spans multiple versions/commits
 74 |         PKG:001: (package-exists): package exists in ecosystem's registry
 75 |         PKG:002: (package-versions-exist): package versions exist in ecosystem's registry
 76 |         PKG:003: (package-purl-valid): package purl validates
 77 | offline: Checks that do not have remote data dependencies. These can be run without network access.
 78 |         REC:001: (affected-data-exists): every record has affected data
 79 |         REC:002: (valid-aliases): aliases field validates
 80 |         REC:003: (valid-upstream): upstream field validates
 81 |         REC:004: (valid-related): related field validates
 82 |         RNG:001: (introduced-event-exists): every range has an introduced event
 83 |         RNG:002: (range-is-distinct): range spans multiple versions/commits
 84 |         PKG:003: (package-purl-valid): package purl validates
 85 | fatal: Checks considered critical. Failures indicate fundamental issues with the OSV record.
 86 |         REC:001: (affected-data-exists): every record has affected data
 87 |         REC:002: (valid-aliases): aliases field validates
 88 |         REC:003: (valid-upstream): upstream field validates
 89 |         RNG:002: (range-is-distinct): range spans multiple versions/commits
 90 | ```
 91 | 
 92 | ## Contributing
 93 | 
 94 | Contributions are very welcome!
 95 | 
 96 | Checks should be as atomic as possible.
 97 | 
 98 | ### Adding checks
 99 | 
100 | * Define in `internal/checks`, based on the nature of the check
101 |   * `packages.go`
102 |   * `ranges.go`
103 |   * `record.go`
104 |   * Define a new variable of type `&CheckDef`, in the name format `Check` + *thing* + *assertion* (where *thing* is field of an OSV record and *assertion* is what is being checked)
105 |   * Implement a function that takes a `*gjson.Result` and a `*Config` and returns `[]CheckError`
106 |     * Include tests and sample records that both pass and fail this check
107 | * Add the new `&CheckDef` variable to `Collections` in `internal/checks/checks.go`
108 | * See [#295](https://github.com/ossf/osv-schema/pull/295) for a worked example
109 | 
110 | ### Additional references
111 | 
112 | * [Open Source Vulnerability schema](https://ossf.github.io/osv-schema/)
113 | * [Properties of a High Quality OSV Record](https://google.github.io/osv.dev/data_quality.html)
114 | * [GJSON](https://github.com/tidwall/gjson)
115 |   * [Go package](https://pkg.go.dev/github.com/tidwall/gjson)
116 |   * [Syntax](https://github.com/tidwall/gjson/blob/master/SYNTAX.md)
117 |   * [Playground](https://gjson.dev/)
118 | 


--------------------------------------------------------------------------------
/tools/debian/first_package_finder.py:
--------------------------------------------------------------------------------
  1 | """Functions to help find the first package version for a specific release"""
  2 | import argparse
  3 | import os
  4 | import typing
  5 | import urllib.error
  6 | from datetime import datetime, timedelta
  7 | import json
  8 | import gzip
  9 | from urllib import request
 10 | 
 11 | import pandas as pd
 12 | 
 13 | DEBIAN_RELEASE_VERSIONS_URL = \
 14 |   'https://debian.pages.debian.net/distro-info-data/debian.csv'
 15 | DEBIAN_SNAPSHOT_URL = 'https://snapshot.debian.org/archive/debian/{date}/dists/'
 16 | # `.gz` format always exist for all snapshots
 17 | DEBIAN_SOURCES_URL_EXTENSION = '{version}/main/source/Sources.gz'
 18 | 
 19 | # List of ignored versions, mostly too early to be in snapshots
 20 | IGNORED_DEBIAN_VERSIONS = frozenset(
 21 |     ['experimental', 'buzz', 'rex', 'bo', 'hamm', 'slink', 'potato'])
 22 | 
 23 | # Number of days to search (day by day) if the initial date returns 404
 24 | FIRST_RELEASE_LOOKAHEAD_DAYS = 10
 25 | 
 26 | # First snapshot date for Debian
 27 | FIRST_SNAPSHOT_DATE = datetime(2005, 3, 12)
 28 | 
 29 | # Prefixes used in the Sources file
 30 | PACKAGE_KEY = 'Package: '
 31 | VERSION_KEY = 'Version: '
 32 | 
 33 | 
 34 | def get_debian_dists_url(date: datetime):
 35 |   """Create an url for snapshot.debian.org to get distribution"""
 36 |   formatted_date = convert_datetime_to_str_datetime(date)
 37 |   return DEBIAN_SNAPSHOT_URL.format(date=formatted_date)
 38 | 
 39 | 
 40 | def get_debian_sources_url(date: datetime, version: str):
 41 |   """Create an url for snapshot.debian.org"""
 42 |   formatted_date = convert_datetime_to_str_datetime(date)
 43 | 
 44 |   return DEBIAN_SNAPSHOT_URL.format(
 45 |       date=formatted_date) + DEBIAN_SOURCES_URL_EXTENSION.format(
 46 |           version=version)
 47 | 
 48 | 
 49 | def convert_datetime_to_str_datetime(input_datetime: datetime) -> str:
 50 |   """Convert datetime object to debian snapshot url string"""
 51 |   return input_datetime.isoformat().replace('-', '').replace(':', '') + 'Z'
 52 | 
 53 | 
 54 | def retrieve_codename_to_version() -> pd.DataFrame:
 55 |   """Returns the codename to version mapping"""
 56 |   with request.urlopen(DEBIAN_RELEASE_VERSIONS_URL) as csv:
 57 |     df = pd.read_csv(csv, dtype=str)
 58 |     # `series` appears to be `codename` but with no caps
 59 |     df['sources'] = ''
 60 |     df.dropna(subset=['release'], inplace=True)
 61 |     codename_to_version = df.set_index('series')
 62 | 
 63 |   return codename_to_version
 64 | 
 65 | 
 66 | def parse_created_dates_and_set_time(date: str) -> datetime:
 67 |   """Parse created date in debian version csv to datetime plus one day"""
 68 |   result = datetime.strptime(date, '%Y-%m-%d') + timedelta(days=1)
 69 |   # Set minimum date to first debian snapshot
 70 |   return max(result, FIRST_SNAPSHOT_DATE)
 71 | 
 72 | 
 73 | def load_sources(date: datetime, dist: str) -> typing.Dict[str, str]:
 74 |   """Load the sources file and store in a dictionary of {name: version}"""
 75 |   with request.urlopen(get_debian_sources_url(date, dist)) as res:
 76 |     decompressed = gzip.decompress(res.read()).decode('iso-8859-2')
 77 |     package_version_dict = {}
 78 |     current_package = None
 79 |     for line in decompressed.splitlines():
 80 |       if line.startswith(PACKAGE_KEY):
 81 |         current_package = line[len(PACKAGE_KEY):]
 82 |         continue
 83 | 
 84 |       if line.startswith(VERSION_KEY):
 85 |         package_version_dict[current_package] = line[len(VERSION_KEY):]
 86 |         continue
 87 | 
 88 |     return package_version_dict
 89 | 
 90 | 
 91 | def load_first_packages() -> pd.DataFrame:
 92 |   """Loads the dataframe containing the first version of packages per distro"""
 93 |   codename_to_version: pd.DataFrame = retrieve_codename_to_version()
 94 | 
 95 |   first_release_dates = zip(
 96 |       codename_to_version.index,
 97 |       codename_to_version['release'].map(parse_created_dates_and_set_time))
 98 | 
 99 |   first_release_dict: typing.Dict[str, datetime] = dict(
100 |       x for x in first_release_dates if x[0] not in IGNORED_DEBIAN_VERSIONS)
101 | 
102 |   for version, date in first_release_dict.items():
103 |     # retry for n days into the future if the first request doesn't work
104 |     for i in range(FIRST_RELEASE_LOOKAHEAD_DAYS + 1):
105 |       actual_date = date + timedelta(days=i)
106 |       try:
107 |         codename_to_version.loc[version].sources = load_sources(
108 |             actual_date, version)
109 |         break
110 |       except urllib.error.HTTPError as http_error:
111 |         if http_error.code != 404:
112 |           raise
113 |         # Expect 404 errors for releases before snapshot exists
114 | 
115 |       if actual_date > datetime.utcnow():
116 |         # No need to keep trying future dates
117 |         break
118 | 
119 |   return codename_to_version
120 | 
121 | 
122 | def get_first_package_version(first_pkg_data: pd.DataFrame, package_name: str,
123 |                               release_name: str) -> str:
124 |   """Get first package version"""
125 |   try:
126 |     return first_pkg_data.loc[release_name].sources[package_name]
127 |   except KeyError:
128 |     # The package is not added when the image is first seen.
129 |     # So it is safe to return 0, indicating the earliest version
130 |     # given by the snapshot API
131 |     return '0'
132 | 
133 | 
134 | def main():
135 |   parser = argparse.ArgumentParser(description='Detects all first versions')
136 |   parser.add_argument(
137 |       '-o',
138 |       '--output-dir',
139 |       default='first_package_output',
140 |       help='Output folder')
141 |   args = parser.parse_args()
142 | 
143 |   dataframe = load_first_packages()
144 |   version_to_sources = dict(zip(dataframe['version'], dataframe['sources']))
145 | 
146 |   os.makedirs(args.output_dir, exist_ok=True)
147 |   for version, sources in version_to_sources.items():
148 |     versions_path = os.path.join(args.output_dir, version + '.json')
149 |     with open(versions_path, 'w') as handle:
150 |       handle.write(json.dumps(sources))
151 | 
152 | 
153 | if __name__ == '__main__':
154 |   main()
155 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Open Source Vulnerability (OSV) Schema
  2 | 
  3 | [Rendered Specification](https://ossf.github.io/osv-schema/)
  4 | 
  5 | ## Overview
  6 | 
  7 | The OSV schema provides a human and machine-readable format to describe vulnerabilities that map precisely to open source package versions or commit hashes. It is used by multiple distributions and advisory databases and is the canonical format aggregated by <https://osv.dev>.
  8 | 
  9 | ## Quick links
 10 | 
 11 | - Specification (rendered): <https://ossf.github.io/osv-schema/>
 12 | - JSON Schema: [schema.json](schema.json)
 13 | - Protocol buffer definition: [proto/vulnerability.proto](proto/vulnerability.proto)
 14 | - Tools and converters: [tools/](tools)
 15 | 
 16 | ## Getting started
 17 | 
 18 | Installers and consumers typically use one of the available converters or the rendered spec above. Example data sources that export or convert to OSV include many distro and advisory projects (AlmaLinux, Debian, PyPI advisories, RustSec, etc.). See the `tools/` directory for converters maintained alongside this repo.
 19 | 
 20 | ## Using the schema
 21 | 
 22 | Common tasks:
 23 | 
 24 | - Validate a file against the JSON schema: `scripts/validate-schema-table.py` and `schema.json`.
 25 | - Convert vendor-specific advisories: see `tools/` subfolders (e.g., `tools/debian`, `tools/ghsa`).
 26 | - Generate Protobuf types: `proto/vulnerability.proto` contains the canonical proto.
 27 | 
 28 | ## Adoption
 29 | 
 30 | There are many home databases publishing OSV-format advisories or maintain converters:
 31 | 
 32 | - [AlmaLinux](https://github.com/AlmaLinux/osv-database)
 33 | - [BellSoft Security Advisory](https://github.com/bell-sw/osv-database)
 34 | - [Bitnami Vulnerability Database](https://github.com/bitnami/vulndb)
 35 | - [Chainguard](https://packages.cgr.dev/chainguard/osv/all.json)
 36 | - [CleanStart](https://github.com/cleanstart-dev/cleanstart-security-advisories)
 37 | - [Curl](https://curl.se/docs/vuln.json)
 38 | - [Echo](https://advisory.echohq.com/osv/all.json)
 39 | - [GitHub Security Advisories](https://github.com/github/advisory-database)
 40 | - [Global Security Database](https://github.com/cloudsecurityalliance/gsd-database)
 41 | - [Go Vulnerability Database](https://github.com/golang/vulndb)
 42 | - [Haskell Security Advisories](https://github.com/haskell/security-advisories)
 43 | - [Julia Security Advisories](https://github.com/JuliaLang/SecurityAdvisories.jl)
 44 | - [LoopBack Advisory Database](https://github.com/loopbackio/security/tree/main/advisories)
 45 | - [Malicious Packages Repository](https://github.com/ossf/malicious-packages)
 46 | - [Mageia Advisories](https://advisories.mageia.org/)
 47 | - [MinimOS](https://packages.mini.dev/advisories/osv/all.json)
 48 | - [OCaml](https://github.com/ocaml/security-advisories)
 49 | - [openEuler](https://repo.openeuler.org/security/data)
 50 | - [OSS-Fuzz](https://github.com/google/oss-fuzz-vulns)
 51 | - [OSV.dev maintained converters](https://github.com/google/osv.dev#current-data-sources) (Debian, Alpine, NVD)
 52 | - [PyPI Advisory Database](https://github.com/pypa/advisory-database)
 53 | - [Python Software Foundation Database](https://github.com/psf/advisory-database)
 54 | - [RConsortium Advisory Database](https://github.com/RConsortium/r-advisory-database)
 55 | - [Red Hat](https://security.access.redhat.com/data)
 56 | - [Rocky Linux](https://distro-tools.rocky.page/apollo/openapi/#osv)
 57 | - [Rust Advisory Database](https://github.com/RustSec/advisory-db)
 58 | - [SUSE](https://www.suse.com/support/security/)
 59 | - [Ubuntu](https://github.com/canonical/ubuntu-security-notices/)
 60 | - [VMWare Photon OS](https://github.com/vmware/photon/wiki/Security-Advisories) (unofficial)
 61 | 
 62 | Together, these include vulnerabilities from:
 63 | 
 64 | - AlmaLinux
 65 | - Alpine
 66 | - Alpaquita Linux
 67 | - Android
 68 | - BellSoft Hardened Containers
 69 | - Bitnami
 70 | - Chainguard
 71 | - CleanStart
 72 | - crates.io
 73 | - Debian GNU/Linux
 74 | - Docker
 75 | - Echo
 76 | - Erlang Ecosystem Foundation
 77 | - FreeBSD
 78 | - GitHub Actions
 79 | - Go
 80 | - Haskell
 81 | - Hex
 82 | - Julia
 83 | - Linux kernel
 84 | - Mageia
 85 | - Maven
 86 | - MinimOS
 87 | - npm
 88 | - NuGet
 89 | - OCaml
 90 | - openEuler
 91 | - openSUSE
 92 | - OSS-Fuzz
 93 | - Packagist
 94 | - Photon OS
 95 | - Pub
 96 | - PyPI
 97 | - Python
 98 | - R (CRAN and Bioconductor)
 99 | - Red Hat
100 | - SUSE
101 | - Rocky Linux
102 | - RubyGems
103 | - Ubuntu
104 | 
105 | See the repository history and the `tools/` subdirectories for more examples and testdata.
106 | 
107 | ## Development
108 | 
109 | Prerequisites:
110 | 
111 | - Python 3 for scripts in `tools/` and `scripts/`.
112 | - (Optional) Go for components under `bindings/go`.
113 | 
114 | Common development tasks:
115 | 
116 | - Run schema validation: `python3 scripts/validate-schema-table.py` (see script for usage).
117 | - Run converter tests: check subdirectories in `tools/*/` for test instructions.
118 | 
119 | ## Contributing
120 | 
121 | We welcome contributions. Please follow the repository's contributor guidelines and code of conduct:
122 | 
123 | - [CONTRIBUTING.md](CONTRIBUTING.md)
124 | - [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)
125 | 
126 | If you find a bug or want to request a feature, open an issue in this repository.
127 | 
128 | ## Community and support
129 | 
130 | Join the OpenSSF Slack channel `#osv_schema` (Slack invite: <https://slack.openssf.org/>) to discuss the schema and tooling.
131 | 
132 | ## Maintainers
133 | 
134 | This repository is maintained by the OpenSSF Vulnerability Disclosures Working Group. See the repository `CODEOWNERS` for current maintainers.
135 | 
136 | ## License
137 | 
138 | This project is licensed under the terms in the repository `LICENSE` file.
139 | 
140 | ## Security
141 | 
142 | To report a security issue, follow the instructions in `SECURITY.md`.
143 | 
144 | ## Acknowledgements
145 | 
146 | OSV Schema is used and supported by many projects and ecosystems. See the rendered specification and the `tools/` directory for a (non-exhaustive) list of converters and consumers.
147 | 


--------------------------------------------------------------------------------
/tools/redhat/testdata/OSV/RHSA-2024_4546.json:
--------------------------------------------------------------------------------
  1 | {
  2 |   "schema_version": "1.7.0",
  3 |   "id": "RHSA-2024:4546",
  4 |   "related": [
  5 |     "GO-2024-2687"
  6 |   ],
  7 |   "upstream": [
  8 |     "CVE-2023-45288"
  9 |   ],
 10 |   "published": "2024-09-02T14:30:00Z",
 11 |   "modified": "2024-09-02T14:30:00Z",
 12 |   "summary": "Red Hat Security Advisory: git-lfs security update",
 13 |   "severity": [
 14 |     {
 15 |       "type": "CVSS_V3",
 16 |       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
 17 |     }
 18 |   ],
 19 |   "affected": [
 20 |     {
 21 |       "package": {
 22 |         "name": "git-lfs",
 23 |         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
 24 |         "purl": "pkg:rpm/redhat/git-lfs"
 25 |       },
 26 |       "ranges": [
 27 |         {
 28 |           "type": "ECOSYSTEM",
 29 |           "events": [
 30 |             {
 31 |               "introduced": "0"
 32 |             },
 33 |             {
 34 |               "fixed": "0:2.13.3-3.el8_6.1"
 35 |             }
 36 |           ]
 37 |         }
 38 |       ]
 39 |     },
 40 |     {
 41 |       "package": {
 42 |         "name": "git-lfs-debuginfo",
 43 |         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
 44 |         "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
 45 |       },
 46 |       "ranges": [
 47 |         {
 48 |           "type": "ECOSYSTEM",
 49 |           "events": [
 50 |             {
 51 |               "introduced": "0"
 52 |             },
 53 |             {
 54 |               "fixed": "0:2.13.3-3.el8_6.1"
 55 |             }
 56 |           ]
 57 |         }
 58 |       ]
 59 |     },
 60 |     {
 61 |       "package": {
 62 |         "name": "git-lfs-debugsource",
 63 |         "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
 64 |         "purl": "pkg:rpm/redhat/git-lfs-debugsource"
 65 |       },
 66 |       "ranges": [
 67 |         {
 68 |           "type": "ECOSYSTEM",
 69 |           "events": [
 70 |             {
 71 |               "introduced": "0"
 72 |             },
 73 |             {
 74 |               "fixed": "0:2.13.3-3.el8_6.1"
 75 |             }
 76 |           ]
 77 |         }
 78 |       ]
 79 |     },
 80 |     {
 81 |       "package": {
 82 |         "name": "git-lfs",
 83 |         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
 84 |         "purl": "pkg:rpm/redhat/git-lfs"
 85 |       },
 86 |       "ranges": [
 87 |         {
 88 |           "type": "ECOSYSTEM",
 89 |           "events": [
 90 |             {
 91 |               "introduced": "0"
 92 |             },
 93 |             {
 94 |               "fixed": "0:2.13.3-3.el8_6.1"
 95 |             }
 96 |           ]
 97 |         }
 98 |       ]
 99 |     },
100 |     {
101 |       "package": {
102 |         "name": "git-lfs-debuginfo",
103 |         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
104 |         "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
105 |       },
106 |       "ranges": [
107 |         {
108 |           "type": "ECOSYSTEM",
109 |           "events": [
110 |             {
111 |               "introduced": "0"
112 |             },
113 |             {
114 |               "fixed": "0:2.13.3-3.el8_6.1"
115 |             }
116 |           ]
117 |         }
118 |       ]
119 |     },
120 |     {
121 |       "package": {
122 |         "name": "git-lfs-debugsource",
123 |         "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
124 |         "purl": "pkg:rpm/redhat/git-lfs-debugsource"
125 |       },
126 |       "ranges": [
127 |         {
128 |           "type": "ECOSYSTEM",
129 |           "events": [
130 |             {
131 |               "introduced": "0"
132 |             },
133 |             {
134 |               "fixed": "0:2.13.3-3.el8_6.1"
135 |             }
136 |           ]
137 |         }
138 |       ]
139 |     },
140 |     {
141 |       "package": {
142 |         "name": "git-lfs",
143 |         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
144 |         "purl": "pkg:rpm/redhat/git-lfs"
145 |       },
146 |       "ranges": [
147 |         {
148 |           "type": "ECOSYSTEM",
149 |           "events": [
150 |             {
151 |               "introduced": "0"
152 |             },
153 |             {
154 |               "fixed": "0:2.13.3-3.el8_6.1"
155 |             }
156 |           ]
157 |         }
158 |       ]
159 |     },
160 |     {
161 |       "package": {
162 |         "name": "git-lfs-debuginfo",
163 |         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
164 |         "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
165 |       },
166 |       "ranges": [
167 |         {
168 |           "type": "ECOSYSTEM",
169 |           "events": [
170 |             {
171 |               "introduced": "0"
172 |             },
173 |             {
174 |               "fixed": "0:2.13.3-3.el8_6.1"
175 |             }
176 |           ]
177 |         }
178 |       ]
179 |     },
180 |     {
181 |       "package": {
182 |         "name": "git-lfs-debugsource",
183 |         "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
184 |         "purl": "pkg:rpm/redhat/git-lfs-debugsource"
185 |       },
186 |       "ranges": [
187 |         {
188 |           "type": "ECOSYSTEM",
189 |           "events": [
190 |             {
191 |               "introduced": "0"
192 |             },
193 |             {
194 |               "fixed": "0:2.13.3-3.el8_6.1"
195 |             }
196 |           ]
197 |         }
198 |       ]
199 |     }
200 |   ],
201 |   "references": [
202 |     {
203 |       "type": "ADVISORY",
204 |       "url": "https://access.redhat.com/errata/RHSA-2024:4546"
205 |     },
206 |     {
207 |       "type": "ARTICLE",
208 |       "url": "https://access.redhat.com/security/updates/classification/#important"
209 |     },
210 |     {
211 |       "type": "REPORT",
212 |       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268273"
213 |     },
214 |     {
215 |       "type": "ADVISORY",
216 |       "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4546.json"
217 |     },
218 |     {
219 |       "type": "REPORT",
220 |       "url": "https://access.redhat.com/security/cve/CVE-2023-45288"
221 |     },
222 |     {
223 |       "type": "ADVISORY",
224 |       "url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
225 |     },
226 |     {
227 |       "type": "ADVISORY",
228 |       "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288"
229 |     },
230 |     {
231 |       "type": "ARTICLE",
232 |       "url": "https://nowotarski.info/http2-continuation-flood/"
233 |     },
234 |     {
235 |       "type": "ADVISORY",
236 |       "url": "https://pkg.go.dev/vuln/GO-2024-2687"
237 |     },
238 |     {
239 |       "type": "ADVISORY",
240 |       "url": "https://www.kb.cert.org/vuls/id/421644"
241 |     }
242 |   ]
243 | }


--------------------------------------------------------------------------------
/tools/osv-linter/internal/checks/packages.go:
--------------------------------------------------------------------------------
  1 | package checks
  2 | 
  3 | import (
  4 | 	"fmt"
  5 | 	"slices"
  6 | 	"strings"
  7 | 
  8 | 	"github.com/ossf/osv-schema/linter/internal/pkgchecker"
  9 | 	"github.com/package-url/packageurl-go"
 10 | 	"github.com/tidwall/gjson"
 11 | )
 12 | 
 13 | var CheckPackageExists = &CheckDef{
 14 | 	Code:        "PKG:001",
 15 | 	Name:        "package-exists",
 16 | 	Description: "package exists in ecosystem's registry",
 17 | 	Check:       PackageExists,
 18 | }
 19 | 
 20 | type Package struct {
 21 | 	Ecosystem string
 22 | 	Name      string
 23 | }
 24 | 
 25 | // PackageExists checks the package exists in the registry for that ecosystem.
 26 | func PackageExists(json *gjson.Result, config *Config) (findings []CheckError) {
 27 | 	affectedEntries := json.Get("affected")
 28 | 
 29 | 	knownExistent := make(map[Package]bool)
 30 | 	knownNonexistent := make(map[Package]bool)
 31 | 
 32 | 	// Examine each entry:
 33 | 	// for ones for packages, on a per-package basis
 34 | 	affectedEntries.ForEach(func(key, value gjson.Result) bool {
 35 | 		// If it has a package field, it's for a package, otherwise confirm the range is of type GIT.
 36 | 		maybePackage := value.Get("package")
 37 | 		if !maybePackage.Exists() {
 38 | 			return true // keep iterating (over affected entries)
 39 | 		}
 40 | 		// Separate out the ecosystem and its suffix e.g. "Alpine:v3.5" -> "Alpine"
 41 | 		ecosystem, suffix, _ := strings.Cut(value.Get("package.ecosystem").String(), ":")
 42 | 		// Use config.Ecosystems as an allowlist, if it is set.
 43 | 		if len(config.Ecosystems) > 0 && !slices.Contains(config.Ecosystems, ecosystem) {
 44 | 			return true // keep iterating (over affected entries)
 45 | 		}
 46 | 		pkg := value.Get("package.name").String()
 47 | 
 48 | 		// Avoid unnecessary network traffic for repeat packages.
 49 | 		if _, ok := knownExistent[Package{Ecosystem: ecosystem, Name: pkg}]; ok {
 50 | 			return true // keep iterating (over affected entries)
 51 | 		}
 52 | 		if _, ok := knownNonexistent[Package{Ecosystem: ecosystem, Name: pkg}]; ok {
 53 | 			return true // keep iterating (over affected entries)
 54 | 		}
 55 | 		// Not cached, determine existence.
 56 | 		if !pkgchecker.ExistsInEcosystem(pkg, ecosystem, suffix) {
 57 | 			if !config.NewEcosystem {
 58 | 				findings = append(findings, CheckError{Message: fmt.Sprintf("package %q not found in %q", pkg, ecosystem)})
 59 | 			}
 60 | 			knownNonexistent[Package{Ecosystem: ecosystem, Name: pkg}] = true
 61 | 		} else {
 62 | 			knownExistent[Package{Ecosystem: ecosystem, Name: pkg}] = true
 63 | 		}
 64 | 		return true // keep iterating (over affected entries)
 65 | 	})
 66 | 	return findings
 67 | }
 68 | 
 69 | var CheckPackageVersionsExist = &CheckDef{
 70 | 	Code:        "PKG:002",
 71 | 	Name:        "package-versions-exist",
 72 | 	Description: "package versions exist in ecosystem's registry",
 73 | 	Check:       PackageVersionsExist,
 74 | }
 75 | 
 76 | // PackageVersionsExist checks the package versions exist in the registry for that ecosystem.
 77 | func PackageVersionsExist(json *gjson.Result, config *Config) (findings []CheckError) {
 78 | 	affectedEntries := json.Get("affected")
 79 | 
 80 | 	// Examine each affected entry:
 81 | 	// for ones for packages, on a per-package basis
 82 | 	affectedEntries.ForEach(func(key, value gjson.Result) bool {
 83 | 		// If it has a package field, it's for a package, otherwise confirm the range is of type GIT.
 84 | 		maybePackage := value.Get("package")
 85 | 		if !maybePackage.Exists() {
 86 | 			return true // keep iterating (over affected entries)
 87 | 		}
 88 | 		// Separate out the ecosystem and its suffix e.g. "Alpine:v3.5" -> "Alpine"
 89 | 		ecosystem, suffix, _ := strings.Cut(value.Get("package.ecosystem").String(), ":")
 90 | 		// Use config.Ecosystems as an allowlist, if it is set.
 91 | 		if len(config.Ecosystems) != 0 && !slices.Contains(config.Ecosystems, ecosystem) {
 92 | 			return true // keep iterating (over affected entries)
 93 | 		}
 94 | 		pkg := value.Get("package.name").String()
 95 | 		versionsToCheck := []string{}
 96 | 		// Examine versions in ranges.
 97 | 		maybeRanges := value.Get("ranges")
 98 | 		maybeRanges.ForEach(func(key, value gjson.Result) bool {
 99 | 			rangeType := value.Get("type").String()
100 | 			if rangeType == "GIT" {
101 | 				return true // keep iterating (over ranges)
102 | 			}
103 | 			events := value.Get("events")
104 | 			events.ForEach(func(key, value gjson.Result) bool {
105 | 				// Collect all the introduced values.
106 | 				result := value.Get("introduced")
107 | 				if result.Exists() && result.String() != "0" {
108 | 					versionsToCheck = append(versionsToCheck, result.String())
109 | 				}
110 | 				// Collect all the fixed/last_affected values.
111 | 				result = value.Get("fixed")
112 | 				if result.Exists() {
113 | 					versionsToCheck = append(versionsToCheck, result.String())
114 | 				}
115 | 				result = value.Get("last_affected")
116 | 				if result.Exists() {
117 | 					versionsToCheck = append(versionsToCheck, result.String())
118 | 				}
119 | 				return true // keep iterating (over events)
120 | 			})
121 | 			return true // keep iterating (over ranges)
122 | 		})
123 | 		// Examine versions in versions array.
124 | 		maybeVersions := value.Get("versions")
125 | 		maybeVersions.ForEach(func(key, value gjson.Result) bool {
126 | 			versionsToCheck = append(versionsToCheck, value.String())
127 | 			return true // keep iterating (over versions)
128 | 		})
129 | 		err := pkgchecker.VersionsExistInEcosystem(pkg, versionsToCheck, ecosystem, suffix)
130 | 		if err != nil {
131 | 			if config.NewEcosystem && strings.Contains(err.Error(), "unsupported ecosystem") {
132 | 				return true // keep iterating
133 | 			}
134 | 			findings = append(findings, CheckError{Message: err.Error()})
135 | 		}
136 | 
137 | 		return true // keep iterating (over affected entries)
138 | 	})
139 | 	return findings
140 | }
141 | 
142 | var CheckPackagePurlValid = &CheckDef{
143 | 	Code:        "PKG:003",
144 | 	Name:        "package-purl-valid",
145 | 	Description: "package purl validates",
146 | 	Check:       PackagePurlValid,
147 | }
148 | 
149 | // PackagePurlValid checks the package purls validate.
150 | func PackagePurlValid(json *gjson.Result, config *Config) (findings []CheckError) {
151 | 	affectedEntries := json.Get("affected")
152 | 
153 | 	// Examine each affected entry:
154 | 	// for ones for packages, on a per-package basis
155 | 	affectedEntries.ForEach(func(key, value gjson.Result) bool {
156 | 		// If it has a package field, it's for a package, otherwise confirm the range is of type GIT.
157 | 		maybePackage := value.Get("package")
158 | 		if !maybePackage.Exists() {
159 | 			return true // keep iterating (over affected entries)
160 | 		}
161 | 		purl := value.Get("package.purl")
162 | 		if !purl.Exists() {
163 | 			return true // keep iterating (over affected entries)
164 | 		}
165 | 
166 | 		_, err := packageurl.FromString(purl.String())
167 | 		if err != nil {
168 | 			// Add a version placeholder, as some ecosystem requires one.
169 | 			purlWithVersion := purl.String() + "@version"
170 | 			_, err = packageurl.FromString(purlWithVersion)
171 | 			if err != nil {
172 | 				findings = append(findings, CheckError{Message: fmt.Sprintf("Invalid Purl %q: %v", purl.String(), err)})
173 | 			}
174 | 		}
175 | 
176 | 		return true // keep iterating (over affected entries)
177 | 	})
178 | 	return findings
179 | }
180 | 


--------------------------------------------------------------------------------