Merge pull request #715 from wolfi-dev/update-osv

refactor based on feeback and export as json
wolfi-dev · Mar 27, 2024 · fd17ca0 · fd17ca0
2 parents 6ad6a90 + 2ca9389
commit fd17ca0
Show file tree

Hide file tree

Showing 26 changed files with 117 additions and 303 deletions.
diff --git a/pkg/advisory/export.go b/pkg/advisory/export.go
@@ -6,7 +6,10 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"os"
+	"path"
 	"sort"
+	"strings"
 	"time"
 
 	"github.com/google/osv-scanner/pkg/models"
@@ -119,9 +122,7 @@ func ExportYAML(opts ExportOptions) (io.Reader, error) {
 	return buf, nil
 }
 
-func ExportOSV(opts ExportOptions) (io.Reader, error) {
-	buf := new(bytes.Buffer)
-
+func ExportOSV(opts ExportOptions, output string) error {
 	osvExport := make(map[string]models.Vulnerability)
 
 	for _, index := range opts.AdvisoryDocIndices {
@@ -130,8 +131,10 @@ func ExportOSV(opts ExportOptions) (io.Reader, error) {
 		for _, doc := range documents {
 			for _, adv := range doc.Advisories {
 				sortedEvents := adv.SortedEvents()
+
 				var updatedTime time.Time
 				tempAffected := models.Affected{}
+
 				for _, event := range sortedEvents {
 					switch event.Type {
 					case v2.EventTypeFixed:
@@ -142,10 +145,11 @@ func ExportOSV(opts ExportOptions) (io.Reader, error) {
 						}
 						tempAffected.Ranges = []models.Range{
 							{
-								Type: v2.EventTypeFixed,
+								Type: models.RangeEcosystem,
 								Events: []models.Event{
 									{
-										Fixed: event.Data.(v2.Fixed).FixedVersion,
+										Introduced: "0",
+										Fixed:      event.Data.(v2.Fixed).FixedVersion,
 									},
 								},
 							},
@@ -159,11 +163,9 @@ func ExportOSV(opts ExportOptions) (io.Reader, error) {
 						}
 						tempAffected.Ranges = []models.Range{
 							{
-								Type: v2.EventTypeFixed,
-								Events: []models.Event{
-									{
-										Fixed: "0",
-									},
+								Type: models.RangeEcosystem,
+								DatabaseSpecific: map[string]interface{}{
+									"false_positive": true,
 								},
 							},
 						}
@@ -187,7 +189,7 @@ func ExportOSV(opts ExportOptions) (io.Reader, error) {
 						osvExport[adv.ID] = entry
 					} else {
 						temp := models.Vulnerability{
-							ID:       adv.ID,
+							ID:       fmt.Sprintf("%s-%s", strings.ToUpper(string(opts.Ecosystem)), adv.ID),
 							Aliases:  adv.Aliases,
 							Affected: []models.Affected{tempAffected},
 						}
@@ -209,21 +211,17 @@ func ExportOSV(opts ExportOptions) (io.Reader, error) {
 	sort.Strings(keys)
 
 	for _, k := range keys {
-		if len(buf.Bytes()) != 0 {
-			buf.WriteString("---\n")
-		}
-
-		e, err := osvExport[k].MarshalYAML()
+		e, err := osvExport[k].MarshalJSON()
 		if err != nil {
 			log.Fatal(err)
 		}
 
-		d, err := yaml.Marshal(e)
+		filepath := path.Join(output, fmt.Sprintf("%s-%s.json", strings.ToUpper(string(opts.Ecosystem)), k))
+		err = os.WriteFile(filepath, e, 0o600)
 		if err != nil {
-			return nil, fmt.Errorf("failed to marshal package %q: %v", osvExport[k].ID, err)
+			log.Fatal(err)
 		}
-		buf.Write(d)
 	}
 
-	return buf, nil
+	return nil
 }
diff --git a/pkg/advisory/export_test.go b/pkg/advisory/export_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"io"
 	"os"
+	"path"
 	"strings"
 	"testing"
 
@@ -34,11 +35,6 @@ func Test_ExportFuncs(t *testing.T) {
 			exportFuncUnderTest: ExportYAML,
 			pathToExpectedData:  "./testdata/export/expected.yaml",
 		},
-		{
-			name:                "osv",
-			exportFuncUnderTest: ExportOSV,
-			pathToExpectedData:  "./testdata/export/expected-osv.yaml",
-		},
 	}
 
 	for _, tt := range cases {
@@ -70,3 +66,47 @@ func Test_ExportFuncs(t *testing.T) {
 		})
 	}
 }
+
+func Test_ExportOSV(t *testing.T) {
+	const testdataDir = "./testdata/export/advisories"
+	const expectedOSVDir = "./testdata/export/osv"
+
+	advisoryFsys := rwos.DirFS(testdataDir)
+	advisoryDocs, err := v2.NewIndex(context.Background(), advisoryFsys)
+	require.NoError(t, err)
+	indices := []*configs.Index[v2.Document]{advisoryDocs}
+
+	opts := ExportOptions{
+		AdvisoryDocIndices: indices,
+		Ecosystem:          models.Ecosystem("wolfi"),
+	}
+
+	tempOSVDir, err := os.MkdirTemp("", "test-osv")
+	assert.NoError(t, err)
+	defer os.RemoveAll(tempOSVDir)
+
+	err = ExportOSV(opts, tempOSVDir)
+	assert.NoError(t, err)
+
+	expectedOSVFiles, err := os.ReadDir(expectedOSVDir)
+	assert.NoError(t, err)
+
+	actualOSVFiles, err := os.ReadDir(tempOSVDir)
+	assert.NoError(t, err)
+
+	if len(expectedOSVFiles) != len(actualOSVFiles) {
+		t.Error("missing OSV files")
+	}
+
+	for i, expectedCVEFile := range expectedOSVFiles {
+		expectedBytes, err := os.ReadFile(path.Join(expectedOSVDir, expectedCVEFile.Name()))
+		require.NoError(t, err)
+
+		actualBytes, err := os.ReadFile(path.Join(tempOSVDir, actualOSVFiles[i].Name()))
+		require.NoError(t, err)
+
+		if diff := cmp.Diff(string(expectedBytes), string(actualBytes)); diff != "" {
+			t.Errorf("ExportOSV() produced unexpected data (-want +got):\n%s", diff)
+		}
+	}
+}