Export advisories in OSV format #599
Conversation
jaylinski
force-pushed
the
export-osv
branch
14 times, most recently
from
e0825fa
to
e41fbe9
Compare
export-osv.php
Outdated
| array_push($events, ['introduced' => $branch[0]]); | ||
| array_push($events, ['fixed' => $branch[1]]); | ||
| } else { | ||
| array_push($events, ['fixed' => $branch[0]]); |
There was a problem hiding this comment.
Maybe we can just convert versions like <8.22.1 to 8.22.1.
There was a problem hiding this comment.
How useful is OSV if we cannot list fixed versions at all?
There was a problem hiding this comment.
@naderman I worked around this by retrieving all package tags from the Packagist API and comparing the ranges with the tags by calling Semver::satisfies($version, implode(' ', $constraints)).
Example: https://github.com/jaylinski/security-advisories/blob/osv/packagist/CVE-2021-43608.json
What do you think about it?
There was a problem hiding this comment.
Would it make more sense to add this to packagist.org's security advisories API as a new output format (which pulls data from this repo here)? As you'd have access to live package data there?
There was a problem hiding this comment.
Yes, definitely. I wasn't aware of the packagist.org security advisories API.
Should I open a PR at the packagist.org repo?
There was a problem hiding this comment.
Sure, go ahead! :-)
It's pretty simple right now, just a way to list advisories for a set of packages, see https://packagist.org/apidoc#list-security-advisories
export-osv.php
Outdated
| foreach (array_column($branches, 'versions') as $branch) { | ||
| if (count($branch) === 2) { | ||
| array_push($events, ['introduced' => $branch[0]]); | ||
| array_push($events, ['fixed' => $branch[1]]); |
There was a problem hiding this comment.
be careful. We have cases like >= 1.3.0, <2.0 where things are not fixed in 2.0 (if another branch has >=2.0 in its affected constraints)
There was a problem hiding this comment.
That's true. I reworked it, see #599 (comment).
export-osv.php
Outdated
|
|
||
| foreach (array_column($branches, 'versions') as $branch) { | ||
| if (count($branch) === 2) { | ||
| array_push($events, ['introduced' => $branch[0]]); |
There was a problem hiding this comment.
$branch[0] is not a version but a constraint
There was a problem hiding this comment.
That's true. I reworked it, see #599 (comment).
export-osv.php
Outdated
| ] : null, | ||
| [ | ||
| 'type' => 'PACKAGE', | ||
| 'url' => 'https://packagist.org/packages/' . $package, |
There was a problem hiding this comment.
this looks broken for packages using a custom repository
There was a problem hiding this comment.
I'm now skipping packages that have a custom or no composer-repository.
export-osv.php
Outdated
| array_key_exists('link', $advisory) ? [ | ||
| 'type' => 'ADVISORY', | ||
| 'url' => $advisory['link'], | ||
| ] : null, |
There was a problem hiding this comment.
putting null in the array looks wrong to me
There was a problem hiding this comment.
True. Since the validator enforces links anyway, I just skipped that check.
jaylinski
force-pushed
the
export-osv
branch
3 times, most recently
from
1b49ea4
to
5d2ade5
Compare
jaylinski
force-pushed
the
export-osv
branch
from
5d2ade5
to
1827365
Compare
|
Any new update here to get the fixed version into the list as well? |
|
@icanhazstring The PHP and OSV vulnerability schemes don't have a (Or maybe I'm misunderstanding your question?) |
|
@jaylinski was referring to the comment from @naderman about the Packagist advisory api about the fixed version. Or is it somewhat possible to get security issue listed with affected version and the next which fixes it? |
|
Just wanted to leave that here (probably you knew it already):
|
|
@ohader The packagist.org API already synchronizes and merges github's db and friendsofphp, e.g. see here: https://packagist.org/packages/guzzlehttp/guzzle/advisories?version=6278149 It would really just need someone to build an OSV compatible output for the data we collect there to have an OSV database for PHP. |
Fixes #576
This commit adds an automatic OSV export to the
osvbranch while keeping the current repository as is.Inspired by rustsec: https://github.com/rustsec/advisory-db/blob/main/.github/workflows/export-osv.yml
Preview
https://github.com/jaylinski/security-advisories/tree/osv
Possible improvements
Before merging
osvbranch with a readme similar to this one: https://github.com/rustsec/advisory-db/blob/osv/README.md