From d7991ee1000beb9804dbd5604c4d1eb946dc225f Mon Sep 17 00:00:00 2001
From: fraxken
Date: Tue, 28 Nov 2023 06:04:28 +0100
Subject: [PATCH] chore: implement OSV api & format

---
 src/database/index.ts | 1 +
 src/database/osv.ts | 53 ++++++++++++++++++++++++++
 src/formats/osv/.gitkeep | 0
 src/formats/osv/index.ts | 80 ++++++++++++++++++++++++++++++++++++++++
 src/index.ts | 9 ++++-
 5 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 src/database/index.ts
 create mode 100644 src/database/osv.ts
 delete mode 100644 src/formats/osv/.gitkeep
 create mode 100644 src/formats/osv/index.ts

diff --git a/src/database/index.ts b/src/database/index.ts
new file mode 100644
index 0000000..831bf2d
--- /dev/null
+++ b/src/database/index.ts
@@ -0,0 +1 @@
+export * as osv from "./osv.js";
diff --git a/src/database/osv.ts b/src/database/osv.ts
new file mode 100644
index 0000000..f6ccfbd
--- /dev/null
+++ b/src/database/osv.ts
@@ -0,0 +1,53 @@
+// Import Third-Party Dependencies
+import * as httpie from "@myunisoft/httpie";
+
+// Import Internal Dependencies
+import { OSV } from "../formats/osv";
+
+// CONSTANTS
+const kOsvRootApi = "https://api.osv.dev";
+
+export type OSVApiParameter = {
+ version?: string;
+ package: {
+ name: string;
+ /**
+ * @default npm
+ */
+ ecosystem?: string;
+ };
+}
+
+export async function findOne(
+ parameters: OSVApiParameter
+): Promise {
+ if (!parameters.package.ecosystem) {
+ parameters.package.ecosystem = "npm";
+ }
+
+ const { data } = await httpie.post<{ vulns: OSV[] }>(
+ new URL("v1/query", kOsvRootApi),
+ {
+ body: parameters
+ }
+ );
+
+ return data.vulns;
+}
+
+export function findOneBySpec(
+ spec: string
+) {
+ // TODO: parse spec
+
+ return findOne({
+ version: "",
+ package: {
+ name: "foo"
+ }
+ });
+}
+
+export async function findMany() {
+ throw new Error("not implemented yet");
+}
diff --git a/src/formats/osv/.gitkeep b/src/formats/osv/.gitkeep
deleted file mode 100644
index e69de29..0000000
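Review bot: `findOneBySpec` is a stub, yet it still issues a live query for package `foo` with `version: ""`, so any caller passing a spec receives vulnerability data for an unrelated package instead of an error; until the spec is actually parsed it should fail loudly the way `findMany` does, `throw new Error("not implemented yet");`. In `findOne`, the `npm` default is written back into the caller's `parameters` object; building a separate request body, `const body = { ...parameters, package: { ...parameters.package, ecosystem: parameters.package.ecosystem || "npm" } };`, keeps the default without mutating the argument. The `OSV` import drops the `.js` suffix that every other internal import in this patch uses and is type-only, so `import type { OSV } from "../formats/osv/index.js";` would match the rest of the codebase. If the query endpoint omits `vulns` when nothing matches, `return data.vulns ?? [];` keeps the declared array return honest, and a short comment noting that the response body is trusted unvalidated network input would help the next maintainer.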
diff --git a/src/formats/osv/index.ts b/src/formats/osv/index.ts
new file mode 100644
index 0000000..78bd28b
--- /dev/null
+++ b/src/formats/osv/index.ts
@@ -0,0 +1,80 @@
+
+/**
+ * @see https://ossf.github.io/osv-schema/
+ */
+export interface OSV {
+ schema_version: string;
+ id: string;
+ modified: string;
+ published: string;
+ withdraw: string;
+ aliases: string[];
+ related: string[];
+ summary: string;
+ details: string;
+ severity: OSVSeverity[];
+ affected: OSVAffected[];
+ references: {
+ type: OSVReferenceType;
+ url: string;
+ }[];
+ credits: {
+ name: string;
+ contact: string[];
+ type: OSVCreditType;
+ }[];
+ database_specific: Record;
+}
+
+export type OSVReferenceType = "ADVISORY" |
+ "ARTICLE" |
+ "DETECTION" |
+ "DISCUSSION" |
+ "REPORT" |
+ "FIX" |
+ "GIT" |
+ "INTRODUCED" |
+ "PACKAGE" |
+ "EVIDENCE" |
+ "WEB";
+
+export type OSVCreditType = "FINDER" |
+ "REPORTER" |
+ "ANALYST" |
+ "COORDINATOR" |
+ "REMEDIATION_DEVELOPER" |
+ "REMEDIATION_REVIEWER" |
+ "REMEDIATION_VERIFIER" |
+ "TOOL" |
+ "SPONSOR" |
+ "OTHER";
+
+export interface OSVAffected {
+ package: {
+ ecosystem: "npm",
+ name: string;
+ purl: string;
+ };
+ severity: OSVSeverity[];
+ ranges: OSVRange[];
+ versions: string[];
+ ecosystem_specific: Record;
+ database_specific: Record;
+}
+
+export interface OSVRange {
+ type: string;
+ repo: string;
+ events: {
+ introduced?: string;
+ fixed?: string;
+ last_affected?: string;
+ limit?: string;
+ }[];
+ database_specific: Record;
+}
+
+export interface OSVSeverity {
+ type: string;
+ score: string;
+}
diff --git a/src/index.ts b/src/index.ts
index 7eaa54b..5d75c36 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -31,6 +31,9 @@ import {
 import type {
 StandardVulnerability, Severity, StandardPatch
 } from "./formats/standard/index.js";
+import type {
+ OSV
+} from "./formats/osv/index.js";
 import type {
 Dependencies,
 ScannerVersionDescriptor
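Review bot: The `OSV.withdraw` member does not match the schema the `@see` link points to, where the property is spelled `withdrawn`; as declared, a withdrawn advisory can never be recognised by code reading this type, so the line should be `withdrawn?: string;`. Per my reading of that schema only `id` and `modified` are required, while `aliases`, `related`, `summary`, `severity`, `credits`, `database_specific`, and the nested `purl`, `repo` and `versions` are optional, so declaring them required invites unguarded property access on real responses; please cross-check each field against the spec and mark the optional ones with `?`. `OSVAffected.package.ecosystem` is pinned to the literal `"npm"` while `OSVApiParameter.ecosystem` in the same patch accepts any string, so a non-npm query would return objects that violate this type; `ecosystem: string;` is the safe choice. A one-line TSDoc on `OSV` saying which fields the API guarantees versus which are advisory-database specific would also help consumers avoid over-trusting this shape.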
@@ -43,6 +46,8 @@ import type {
 HydratePayloadDepsOptions
 } from "./strategies/types/api.js";
 
+export * as Database from "./database/index.js";
+
 export type AllStrategy = {
 "none": NoneStrategyDefinition;
 "github-advisory": GithubAdvisoryStrategyDefinition;
@@ -110,5 +115,7 @@ export {
 NpmAuditAdvisory,
 PnpmAuditAdvisory,
 SnykVulnerability,
- SonatypeVulnerability
+ SonatypeVulnerability,
+
+ OSV
 };
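Review bot: `export * as Database` makes `findOneBySpec` part of the package's public surface even though, per `src/database/osv.ts` in this same patch, it ignores its `spec` argument and queries a placeholder package; a `Database` namespace export is fine, but the stub should either be left out of `src/database/index.ts` or throw until it is implemented, so downstream users cannot mistake its output for a real lookup. `OSV` is brought in with `import type` but appended to the value `export { ... }` list; the existing entries evidently compile that way, but under `isolatedModules`/`verbatimModuleSyntax` a type-only import must be re-exported as `export type { OSV };`, so that form is the safer one to adopt here.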