9b395f5cc3
E2E Headed Chrome / e2e-headed (macos-15) (push) Has been cancelled
E2E Headed Chrome / e2e-headed (ubuntu-latest) (push) Has been cancelled
E2E Headed Chrome / e2e-headed (windows-latest) (push) Has been cancelled
CI / build (macos-latest) (push) Has been cancelled
CI / build (ubuntu-latest) (push) Has been cancelled
CI / build (windows-latest) (push) Has been cancelled
CI / unit-test (push) Has been cancelled
CI / bun-test (push) Has been cancelled
CI / adapter-test (push) Has been cancelled
CI / smoke-test (macos-latest) (push) Has been cancelled
CI / smoke-test (ubuntu-latest) (push) Has been cancelled
Security Audit / audit (push) Has been cancelled
Build Chrome Extension / build (push) Has been cancelled
Trigger Website Rebuild (Docs Updated) / dispatch (push) Has been cancelled
170 lines
5.5 KiB
JavaScript
170 lines
5.5 KiB
JavaScript
// Shared helpers for the OSV.dev (Open Source Vulnerabilities) adapters.
|
|
//
|
|
// OSV.dev publishes a free, unauthenticated REST API at https://api.osv.dev.
|
|
// Docs: https://google.github.io/osv.dev/api/
|
|
import { ArgumentError, CommandExecutionError, EmptyResultError } from '@jackwener/opencli/errors';
|
|
|
|
export const OSV_BASE = 'https://api.osv.dev';
|
|
const UA = 'opencli-osv-adapter (+https://github.com/jackwener/opencli)';
|
|
|
|
// OSV vulnerability IDs are short tokens like "GHSA-29mw-wpgm-hmr9", "CVE-2020-28500", "PYSEC-2021-1".
|
|
const VULN_ID = /^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$/;
|
|
|
|
// OSV ecosystems we accept on input. The full canonical list is at
|
|
// https://ossf.github.io/osv-schema/#defined-ecosystems — we accept the public
|
|
// ones that map cleanly to package registries opencli already supports.
|
|
export const OSV_ECOSYSTEMS = new Set([
|
|
'npm',
|
|
'PyPI',
|
|
'Go',
|
|
'Maven',
|
|
'NuGet',
|
|
'RubyGems',
|
|
'crates.io',
|
|
'Packagist',
|
|
'Pub',
|
|
'Hex',
|
|
'Hackage',
|
|
'CRAN',
|
|
'Bitnami',
|
|
'GitHub Actions',
|
|
'SwiftURL',
|
|
]);
|
|
|
|
export function requireString(value, label) {
|
|
const s = String(value ?? '').trim();
|
|
if (!s) throw new ArgumentError(`osv ${label} cannot be empty`);
|
|
return s;
|
|
}
|
|
|
|
export function requireVulnId(value) {
|
|
const s = String(value ?? '').trim();
|
|
if (!s) {
|
|
throw new ArgumentError(
|
|
'osv vulnerability id is required (e.g. "GHSA-29mw-wpgm-hmr9", "CVE-2020-28500")',
|
|
'IDs are listed at https://osv.dev — paste the canonical id from the vulnerability page.',
|
|
);
|
|
}
|
|
if (!VULN_ID.test(s)) {
|
|
throw new ArgumentError(
|
|
`osv vulnerability id "${value}" is not a valid OSV id`,
|
|
'IDs are short ASCII tokens like "GHSA-...", "CVE-...", "PYSEC-...".',
|
|
);
|
|
}
|
|
return s;
|
|
}
|
|
|
|
export function requireEcosystem(value) {
|
|
const s = String(value ?? '').trim();
|
|
if (!s) {
|
|
throw new ArgumentError(
|
|
'osv --ecosystem is required when querying by package',
|
|
`Pick one of: ${[...OSV_ECOSYSTEMS].join(', ')}.`,
|
|
);
|
|
}
|
|
if (!OSV_ECOSYSTEMS.has(s)) {
|
|
throw new ArgumentError(
|
|
`osv --ecosystem "${value}" is not a recognised OSV ecosystem`,
|
|
`Pick one of: ${[...OSV_ECOSYSTEMS].join(', ')}.`,
|
|
);
|
|
}
|
|
return s;
|
|
}
|
|
|
|
export function requireBoundedInt(value, defaultValue, maxValue, label = 'limit') {
|
|
const raw = value ?? defaultValue;
|
|
const n = typeof raw === 'number' ? raw : Number(raw);
|
|
if (!Number.isInteger(n) || n <= 0) {
|
|
throw new ArgumentError(`osv ${label} must be a positive integer`);
|
|
}
|
|
if (n > maxValue) {
|
|
throw new ArgumentError(`osv ${label} must be <= ${maxValue}`);
|
|
}
|
|
return n;
|
|
}
|
|
|
|
async function readJson(resp, label) {
|
|
let body;
|
|
try {
|
|
body = await resp.json();
|
|
}
|
|
catch (err) {
|
|
throw new CommandExecutionError(`${label} returned malformed JSON: ${err?.message ?? err}`);
|
|
}
|
|
return body;
|
|
}
|
|
|
|
export async function osvGet(url, label) {
|
|
let resp;
|
|
try {
|
|
resp = await fetch(url, { headers: { 'user-agent': UA, accept: 'application/json' } });
|
|
}
|
|
catch (err) {
|
|
throw new CommandExecutionError(
|
|
`${label} request failed: ${err?.message ?? err}`,
|
|
'Check that api.osv.dev is reachable from this network.',
|
|
);
|
|
}
|
|
if (resp.status === 404) {
|
|
throw new EmptyResultError(label, `OSV.dev returned 404 for ${url}.`);
|
|
}
|
|
if (resp.status === 429) {
|
|
throw new CommandExecutionError(`${label} returned HTTP 429 (rate limited)`);
|
|
}
|
|
if (!resp.ok) {
|
|
throw new CommandExecutionError(`${label} returned HTTP ${resp.status}`);
|
|
}
|
|
return readJson(resp, label);
|
|
}
|
|
|
|
export async function osvPost(url, payload, label) {
|
|
let resp;
|
|
try {
|
|
resp = await fetch(url, {
|
|
method: 'POST',
|
|
headers: { 'user-agent': UA, accept: 'application/json', 'content-type': 'application/json' },
|
|
body: JSON.stringify(payload),
|
|
});
|
|
}
|
|
catch (err) {
|
|
throw new CommandExecutionError(
|
|
`${label} request failed: ${err?.message ?? err}`,
|
|
'Check that api.osv.dev is reachable from this network.',
|
|
);
|
|
}
|
|
if (resp.status === 404) {
|
|
throw new EmptyResultError(label, `OSV.dev returned 404 for ${url}.`);
|
|
}
|
|
if (resp.status === 429) {
|
|
throw new CommandExecutionError(`${label} returned HTTP 429 (rate limited)`);
|
|
}
|
|
if (!resp.ok) {
|
|
const text = await resp.text().catch(() => '');
|
|
throw new CommandExecutionError(`${label} returned HTTP ${resp.status}${text ? `: ${text.slice(0, 200)}` : ''}`);
|
|
}
|
|
return readJson(resp, label);
|
|
}
|
|
|
|
// Reduce OSV's `severity` array to a single human-readable label.
|
|
// Returns null when no severity is recorded; never invents a value.
|
|
export function severityLabel(vuln) {
|
|
const dbSpecific = vuln?.database_specific;
|
|
if (dbSpecific && typeof dbSpecific.severity === 'string' && dbSpecific.severity.trim()) {
|
|
return dbSpecific.severity.trim();
|
|
}
|
|
const arr = Array.isArray(vuln?.severity) ? vuln.severity : [];
|
|
for (const entry of arr) {
|
|
if (entry && typeof entry.score === 'string' && entry.score.trim()) {
|
|
return entry.score.trim();
|
|
}
|
|
}
|
|
return null;
|
|
}
|
|
|
|
export function trimDate(value) {
|
|
const s = String(value ?? '').trim();
|
|
if (!s) return null;
|
|
const noFrac = s.replace(/\.\d+/, '');
|
|
return noFrac.endsWith('Z') ? noFrac : (s.length >= 10 ? s.slice(0, 10) : null);
|
|
}
|