chore: implement OSV api & format

NodeSecure · Nov 28, 2023 · d7991ee · d7991ee
1 parent 6ec82b9
commit d7991ee
Show file tree

Hide file tree

Showing 5 changed files with 142 additions and 1 deletion.
diff --git a/src/database/index.ts b/src/database/index.ts
@@ -0,0 +1 @@
+export * as osv from "./osv.js";
diff --git a/src/database/osv.ts b/src/database/osv.ts
@@ -0,0 +1,53 @@
+// Import Third-Party Dependencies
+import * as httpie from "@myunisoft/httpie";
+
+// Import Internal Dependencies
+import { OSV } from "../formats/osv";
+
+// CONSTANTS
+const kOsvRootApi = "https://api.osv.dev";
+
+export type OSVApiParameter = {
+  version?: string;
+  package: {
+    name: string;
+    /**
+     * @default npm
+     */
+    ecosystem?: string;
+  };
+}
+
+export async function findOne(
+  parameters: OSVApiParameter
+): Promise<OSV[]> {
+  if (!parameters.package.ecosystem) {
+    parameters.package.ecosystem = "npm";
+  }
+
+  const { data } = await httpie.post<{ vulns: OSV[] }>(
+    new URL("v1/query", kOsvRootApi),
+    {
+      body: parameters
+    }
+  );
+
+  return data.vulns;
+}
+
+export function findOneBySpec(
+  spec: string
+) {
+  // TODO: parse spec
+
+  return findOne({
+    version: "",
+    package: {
+      name: "foo"
+    }
+  });
+}
+
+export async function findMany() {
+  throw new Error("not implemented yet");
+}
diff --git a/src/formats/osv/.gitkeep b/src/formats/osv/.gitkeep
diff --git a/src/formats/osv/index.ts b/src/formats/osv/index.ts
@@ -0,0 +1,80 @@
+
+/**
+ * @see https://ossf.github.io/osv-schema/
+ */
+export interface OSV {
+  schema_version: string;
+  id: string;
+  modified: string;
+  published: string;
+  withdraw: string;
+  aliases: string[];
+  related: string[];
+  summary: string;
+  details: string;
+  severity: OSVSeverity[];
+  affected: OSVAffected[];
+  references: {
+    type: OSVReferenceType;
+    url: string;
+  }[];
+  credits: {
+    name: string;
+    contact: string[];
+    type: OSVCreditType;
+  }[];
+  database_specific: Record<string, any>;
+}
+
+export type OSVReferenceType = "ADVISORY" |
+  "ARTICLE" |
+  "DETECTION" |
+  "DISCUSSION" |
+  "REPORT" |
+  "FIX" |
+  "GIT" |
+  "INTRODUCED" |
+  "PACKAGE" |
+  "EVIDENCE" |
+  "WEB";
+
+export type OSVCreditType = "FINDER" |
+  "REPORTER" |
+  "ANALYST" |
+  "COORDINATOR" |
+  "REMEDIATION_DEVELOPER" |
+  "REMEDIATION_REVIEWER" |
+  "REMEDIATION_VERIFIER" |
+  "TOOL" |
+  "SPONSOR" |
+  "OTHER";
+
+export interface OSVAffected {
+  package: {
+    ecosystem: "npm",
+    name: string;
+    purl: string;
+  };
+  severity: OSVSeverity[];
+  ranges: OSVRange[];
+  versions: string[];
+  ecosystem_specific: Record<string, any>;
+  database_specific: Record<string, any>;
+}
+
+export interface OSVRange {
+  type: string;
+  repo: string;
+  events: {
+    introduced?: string;
+    fixed?: string;
+    last_affected?: string;
+    limit?: string;
+  }[];
+  database_specific: Record<string, any>;
+}
+
+export interface OSVSeverity {
+  type: string;
+  score: string;
+}
diff --git a/src/index.ts b/src/index.ts
@@ -31,6 +31,9 @@ import {
 import type {
   StandardVulnerability, Severity, StandardPatch
 } from "./formats/standard/index.js";
+import type {
+  OSV
+} from "./formats/osv/index.js";
 
 import type {
   Dependencies, ScannerVersionDescriptor
@@ -43,6 +46,8 @@ import type {
   HydratePayloadDepsOptions
 } from "./strategies/types/api.js";
 
+export * as Database from "./database/index.js";
+
 export type AllStrategy = {
   "none": NoneStrategyDefinition;
   "github-advisory": GithubAdvisoryStrategyDefinition;
@@ -110,5 +115,7 @@ export {
   NpmAuditAdvisory,
   PnpmAuditAdvisory,
   SnykVulnerability,
-  SonatypeVulnerability
+  SonatypeVulnerability,
+
+  OSV
 };