-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Loading status checks…
chore: start implementing OSV mappers
Showing
6 changed files
with
264 additions
and
44 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
# OSV vulnerability format | ||
|
||
See [Open Source Vulnerability format](https://ossf.github.io/osv-schema/) | ||
|
||
```ts | ||
export interface OSV { | ||
schema_version: string; | ||
id: string; | ||
modified: string; | ||
published: string; | ||
withdraw: string; | ||
aliases: string[]; | ||
related: string[]; | ||
summary: string; | ||
details: string; | ||
severity: OSVSeverity[]; | ||
affected: OSVAffected[]; | ||
references: { | ||
type: OSVReferenceType; | ||
url: string; | ||
}[]; | ||
credits: { | ||
name: string; | ||
contact: string[]; | ||
type: OSVCreditType; | ||
}[]; | ||
database_specific: Record<string, any>; | ||
} | ||
|
||
export type OSVReferenceType = "ADVISORY" | | ||
"ARTICLE" | | ||
"DETECTION" | | ||
"DISCUSSION" | | ||
"REPORT" | | ||
"FIX" | | ||
"GIT" | | ||
"INTRODUCED" | | ||
"PACKAGE" | | ||
"EVIDENCE" | | ||
"WEB"; | ||
|
||
export type OSVCreditType = "FINDER" | | ||
"REPORTER" | | ||
"ANALYST" | | ||
"COORDINATOR" | | ||
"REMEDIATION_DEVELOPER" | | ||
"REMEDIATION_REVIEWER" | | ||
"REMEDIATION_VERIFIER" | | ||
"TOOL" | | ||
"SPONSOR" | | ||
"OTHER"; | ||
|
||
export interface OSVAffected { | ||
package: { | ||
ecosystem: "npm", | ||
name: string; | ||
purl: string; | ||
}; | ||
severity: OSVSeverity[]; | ||
ranges: OSVRange[]; | ||
versions: string[]; | ||
ecosystem_specific: Record<string, any>; | ||
database_specific: Record<string, any>; | ||
} | ||
|
||
export interface OSVRange { | ||
type: string; | ||
repo: string; | ||
events: { | ||
introduced?: string; | ||
fixed?: string; | ||
last_affected?: string; | ||
limit?: string; | ||
}[]; | ||
database_specific: Record<string, any>; | ||
} | ||
|
||
export interface OSVSeverity { | ||
type: string; | ||
score: string; | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# Standard vulnerability format | ||
|
||
We provide an high level format that work for all available strategy. It can be activated with the option `useFormat` equal `Standard`. | ||
|
||
```ts | ||
export interface StandardVulnerability { | ||
/** Unique identifier for the vulnerability **/ | ||
id?: string; | ||
/** Vulnerability origin, either Snyk, Sonatype, GitHub or NodeSWG **/ | ||
origin: Origin; | ||
/** Package associated with the vulnerability **/ | ||
package: string; | ||
/** Vulnerability title **/ | ||
title: string; | ||
/** Vulnerability description **/ | ||
description?: string; | ||
/** Vulnerability link references on origin's website **/ | ||
url?: string; | ||
/** Vulnerability severity levels given the strategy **/ | ||
severity?: Severity; | ||
/** Common Vulnerabilities and Exposures dictionary */ | ||
cves?: string[]; | ||
/** | ||
* Common Vulnerability Scoring System (CVSS) provides a way to capture | ||
* the principal characteristics of a vulnerability, | ||
* and produce a numerical score reflecting its severity, | ||
* as well as a textual representation of that score. **/ | ||
cvssVector?: string; | ||
/** CVSS Score **/ | ||
cvssScore?: number; | ||
/** The range of vulnerable versions provided when too many versions are vulnerables */ | ||
vulnerableRanges: string[]; | ||
/** The set of versions that are vulnerable **/ | ||
vulnerableVersions: string[]; | ||
/** The set of versions that are patched **/ | ||
patchedVersions?: string; | ||
/** Overview of available patches to get rid of listed vulnerabilities **/ | ||
patches?: Patch[]; | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
// Import Internal Dependencies | ||
import { VULN_MODE } from "../../constants.js"; | ||
import * as utils from "../../utils.js"; | ||
|
||
import type { OSV } from "./index.js"; | ||
import type { | ||
SonatypeVulnerability, | ||
SnykVulnerability, | ||
NpmAuditAdvisory, | ||
PnpmAuditAdvisory | ||
} from "../../index.js"; | ||
|
||
function mapFromNPM( | ||
vuln: NpmAuditAdvisory | ||
): OSV { | ||
const hasCVSS = typeof vuln.cvss !== "undefined"; | ||
|
||
return { | ||
id: String(vuln.source), | ||
references: [ | ||
{ | ||
type: "ADVISORY", | ||
url: vuln.url | ||
} | ||
], | ||
package: vuln.name, | ||
title: vuln.title, | ||
severity: utils.standardizeNpmSeverity(vuln.severity), | ||
vulnerableRanges: utils.fromMaybeStringToArray(vuln.range), | ||
vulnerableVersions: utils.fromMaybeStringToArray(vuln.vulnerableVersions), | ||
...(hasCVSS ? | ||
{ cvssScore: vuln.cvss!.score, cvssVector: vuln.cvss!.vectorString } : | ||
{} | ||
) | ||
}; | ||
} | ||
|
||
function mapFromPnpm( | ||
vuln: PnpmAuditAdvisory | ||
): OSV { | ||
const hasCVSS = typeof vuln.cvss !== "undefined"; | ||
|
||
return { | ||
id: String(vuln.id), | ||
origin: VULN_MODE.GITHUB_ADVISORY, | ||
package: vuln.module_name, | ||
title: vuln.title, | ||
description: vuln.overview, | ||
url: vuln.url, | ||
severity: utils.standardizeNpmSeverity(vuln.severity), | ||
cves: vuln.cves, | ||
patchedVersions: vuln.patched_versions, | ||
vulnerableRanges: [], | ||
vulnerableVersions: utils.fromMaybeStringToArray(vuln.vulnerable_versions), | ||
...(hasCVSS ? | ||
{ cvssScore: vuln.cvss.score, cvssVector: vuln.cvss.vectorString } : | ||
{} | ||
) | ||
}; | ||
} | ||
|
||
function mapFromSnyk( | ||
vuln: SnykVulnerability | ||
): OSV { | ||
function concatVulnerableVersions(vulnFunctions) { | ||
return vulnFunctions | ||
.reduce((ranges, functions) => [...ranges, ...functions.version], []); | ||
} | ||
|
||
return { | ||
id: vuln.id, | ||
origin: VULN_MODE.SNYK, | ||
package: vuln.package, | ||
title: vuln.title, | ||
url: vuln.url, | ||
description: vuln.description, | ||
severity: vuln.severity, | ||
vulnerableVersions: concatVulnerableVersions(vuln.functions), | ||
vulnerableRanges: vuln.semver.vulnerable, | ||
cves: vuln.identifiers.CVE, | ||
cvssVector: vuln.CVSSv3, | ||
cvssScore: vuln.cvssScore, | ||
patches: vuln.patches | ||
}; | ||
} | ||
|
||
function mapFromSonatype( | ||
vuln: SonatypeVulnerability | ||
): OSV { | ||
return { | ||
id: vuln.id, | ||
origin: VULN_MODE.SONATYPE, | ||
package: vuln.package, | ||
title: vuln.title, | ||
url: vuln.reference, | ||
description: vuln.description, | ||
vulnerableRanges: vuln.versionRanges ?? [], | ||
vulnerableVersions: vuln.versionRanges ?? [], | ||
cves: utils.fromMaybeStringToArray(vuln.cve), | ||
cvssVector: vuln.cvssVector, | ||
cvssScore: vuln.cvssScore | ||
}; | ||
} | ||
|
||
export const OSV_VULN_MAPPERS = Object.freeze({ | ||
[VULN_MODE.GITHUB_ADVISORY]: mapFromNPM, | ||
"github-advisory_pnpm": mapFromPnpm, | ||
[VULN_MODE.SNYK]: mapFromSnyk, | ||
[VULN_MODE.SONATYPE]: mapFromSonatype | ||
}); | ||
|