Files
wehub-resource-sync 9b395f5cc3
E2E Headed Chrome / e2e-headed (macos-15) (push) Has been cancelled
E2E Headed Chrome / e2e-headed (ubuntu-latest) (push) Has been cancelled
E2E Headed Chrome / e2e-headed (windows-latest) (push) Has been cancelled
CI / build (macos-latest) (push) Has been cancelled
CI / build (ubuntu-latest) (push) Has been cancelled
CI / build (windows-latest) (push) Has been cancelled
CI / unit-test (push) Has been cancelled
CI / bun-test (push) Has been cancelled
CI / adapter-test (push) Has been cancelled
CI / smoke-test (macos-latest) (push) Has been cancelled
CI / smoke-test (ubuntu-latest) (push) Has been cancelled
Security Audit / audit (push) Has been cancelled
Build Chrome Extension / build (push) Has been cancelled
Trigger Website Rebuild (Docs Updated) / dispatch (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:39:48 +08:00

170 lines
5.5 KiB
JavaScript

// Shared helpers for the OSV.dev (Open Source Vulnerabilities) adapters.
//
// OSV.dev publishes a free, unauthenticated REST API at https://api.osv.dev.
// Docs: https://google.github.io/osv.dev/api/
import { ArgumentError, CommandExecutionError, EmptyResultError } from '@jackwener/opencli/errors';
export const OSV_BASE = 'https://api.osv.dev';
const UA = 'opencli-osv-adapter (+https://github.com/jackwener/opencli)';
// OSV vulnerability IDs are short tokens like "GHSA-29mw-wpgm-hmr9", "CVE-2020-28500", "PYSEC-2021-1".
const VULN_ID = /^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$/;
// OSV ecosystems we accept on input. The full canonical list is at
// https://ossf.github.io/osv-schema/#defined-ecosystems — we accept the public
// ones that map cleanly to package registries opencli already supports.
export const OSV_ECOSYSTEMS = new Set([
'npm',
'PyPI',
'Go',
'Maven',
'NuGet',
'RubyGems',
'crates.io',
'Packagist',
'Pub',
'Hex',
'Hackage',
'CRAN',
'Bitnami',
'GitHub Actions',
'SwiftURL',
]);
export function requireString(value, label) {
const s = String(value ?? '').trim();
if (!s) throw new ArgumentError(`osv ${label} cannot be empty`);
return s;
}
export function requireVulnId(value) {
const s = String(value ?? '').trim();
if (!s) {
throw new ArgumentError(
'osv vulnerability id is required (e.g. "GHSA-29mw-wpgm-hmr9", "CVE-2020-28500")',
'IDs are listed at https://osv.dev — paste the canonical id from the vulnerability page.',
);
}
if (!VULN_ID.test(s)) {
throw new ArgumentError(
`osv vulnerability id "${value}" is not a valid OSV id`,
'IDs are short ASCII tokens like "GHSA-...", "CVE-...", "PYSEC-...".',
);
}
return s;
}
export function requireEcosystem(value) {
const s = String(value ?? '').trim();
if (!s) {
throw new ArgumentError(
'osv --ecosystem is required when querying by package',
`Pick one of: ${[...OSV_ECOSYSTEMS].join(', ')}.`,
);
}
if (!OSV_ECOSYSTEMS.has(s)) {
throw new ArgumentError(
`osv --ecosystem "${value}" is not a recognised OSV ecosystem`,
`Pick one of: ${[...OSV_ECOSYSTEMS].join(', ')}.`,
);
}
return s;
}
export function requireBoundedInt(value, defaultValue, maxValue, label = 'limit') {
const raw = value ?? defaultValue;
const n = typeof raw === 'number' ? raw : Number(raw);
if (!Number.isInteger(n) || n <= 0) {
throw new ArgumentError(`osv ${label} must be a positive integer`);
}
if (n > maxValue) {
throw new ArgumentError(`osv ${label} must be <= ${maxValue}`);
}
return n;
}
async function readJson(resp, label) {
let body;
try {
body = await resp.json();
}
catch (err) {
throw new CommandExecutionError(`${label} returned malformed JSON: ${err?.message ?? err}`);
}
return body;
}
export async function osvGet(url, label) {
let resp;
try {
resp = await fetch(url, { headers: { 'user-agent': UA, accept: 'application/json' } });
}
catch (err) {
throw new CommandExecutionError(
`${label} request failed: ${err?.message ?? err}`,
'Check that api.osv.dev is reachable from this network.',
);
}
if (resp.status === 404) {
throw new EmptyResultError(label, `OSV.dev returned 404 for ${url}.`);
}
if (resp.status === 429) {
throw new CommandExecutionError(`${label} returned HTTP 429 (rate limited)`);
}
if (!resp.ok) {
throw new CommandExecutionError(`${label} returned HTTP ${resp.status}`);
}
return readJson(resp, label);
}
export async function osvPost(url, payload, label) {
let resp;
try {
resp = await fetch(url, {
method: 'POST',
headers: { 'user-agent': UA, accept: 'application/json', 'content-type': 'application/json' },
body: JSON.stringify(payload),
});
}
catch (err) {
throw new CommandExecutionError(
`${label} request failed: ${err?.message ?? err}`,
'Check that api.osv.dev is reachable from this network.',
);
}
if (resp.status === 404) {
throw new EmptyResultError(label, `OSV.dev returned 404 for ${url}.`);
}
if (resp.status === 429) {
throw new CommandExecutionError(`${label} returned HTTP 429 (rate limited)`);
}
if (!resp.ok) {
const text = await resp.text().catch(() => '');
throw new CommandExecutionError(`${label} returned HTTP ${resp.status}${text ? `: ${text.slice(0, 200)}` : ''}`);
}
return readJson(resp, label);
}
// Reduce OSV's `severity` array to a single human-readable label.
// Returns null when no severity is recorded; never invents a value.
export function severityLabel(vuln) {
const dbSpecific = vuln?.database_specific;
if (dbSpecific && typeof dbSpecific.severity === 'string' && dbSpecific.severity.trim()) {
return dbSpecific.severity.trim();
}
const arr = Array.isArray(vuln?.severity) ? vuln.severity : [];
for (const entry of arr) {
if (entry && typeof entry.score === 'string' && entry.score.trim()) {
return entry.score.trim();
}
}
return null;
}
export function trimDate(value) {
const s = String(value ?? '').trim();
if (!s) return null;
const noFrac = s.replace(/\.\d+/, '');
return noFrac.endsWith('Z') ? noFrac : (s.length >= 10 ? s.slice(0, 10) : null);
}