Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Export advisories in OSV format #599

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

jaylinski
Copy link
Contributor

@jaylinski jaylinski commented Nov 17, 2021

Fixes #576

This commit adds an automatic OSV export to the osv branch while keeping the current repository as is.

Inspired by rustsec: https://github.com/rustsec/advisory-db/blob/main/.github/workflows/export-osv.yml

Preview

https://github.com/jaylinski/security-advisories/tree/osv

Possible improvements

Before merging

@jaylinski jaylinski force-pushed the export-osv branch 14 times, most recently from e0825fa to e41fbe9 Compare November 18, 2021 00:41
export-osv.php Outdated
array_push($events, ['introduced' => $branch[0]]);
array_push($events, ['fixed' => $branch[1]]);
} else {
array_push($events, ['fixed' => $branch[0]]);
Copy link
Contributor Author

@jaylinski jaylinski Nov 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ This is not correct, because this DB only specifies ranges that are affected, but not the fixed version.

Maybe we can just convert versions like <8.22.1 to 8.22.1.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How useful is OSV if we cannot list fixed versions at all?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@naderman I worked around this by retrieving all package tags from the Packagist API and comparing the ranges with the tags by calling Semver::satisfies($version, implode(' ', $constraints)).

Example: https://github.com/jaylinski/security-advisories/blob/osv/packagist/CVE-2021-43608.json

What do you think about it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make more sense to add this to packagist.org's security advisories API as a new output format (which pulls data from this repo here)? As you'd have access to live package data there?

Copy link
Contributor Author

@jaylinski jaylinski Nov 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, definitely. I wasn't aware of the packagist.org security advisories API.

Should I open a PR at the packagist.org repo?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, go ahead! :-)

It's pretty simple right now, just a way to list advisories for a set of packages, see https://packagist.org/apidoc#list-security-advisories

export-osv.php Outdated
foreach (array_column($branches, 'versions') as $branch) {
if (count($branch) === 2) {
array_push($events, ['introduced' => $branch[0]]);
array_push($events, ['fixed' => $branch[1]]);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

be careful. We have cases like >= 1.3.0, <2.0 where things are not fixed in 2.0 (if another branch has >=2.0 in its affected constraints)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's true. I reworked it, see #599 (comment).

export-osv.php Outdated

foreach (array_column($branches, 'versions') as $branch) {
if (count($branch) === 2) {
array_push($events, ['introduced' => $branch[0]]);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$branch[0] is not a version but a constraint

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's true. I reworked it, see #599 (comment).

export-osv.php Outdated
] : null,
[
'type' => 'PACKAGE',
'url' => 'https://packagist.org/packages/' . $package,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks broken for packages using a custom repository

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm now skipping packages that have a custom or no composer-repository.

export-osv.php Outdated
array_key_exists('link', $advisory) ? [
'type' => 'ADVISORY',
'url' => $advisory['link'],
] : null,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

putting null in the array looks wrong to me

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True. Since the validator enforces links anyway, I just skipped that check.

@jaylinski jaylinski force-pushed the export-osv branch 3 times, most recently from 1b49ea4 to 5d2ade5 Compare November 18, 2021 19:36
@icanhazstring
Copy link

Any new update here to get the fixed version into the list as well?

@jaylinski
Copy link
Contributor Author

@icanhazstring The PHP and OSV vulnerability schemes don't have a fixed-field. Only the affected versions are listed.

(Or maybe I'm misunderstanding your question?)

@icanhazstring
Copy link

@jaylinski was referring to the comment from @naderman about the Packagist advisory api about the fixed version.

Or is it somewhat possible to get security issue listed with affected version and the next which fixes it?

@ohader
Copy link
Contributor

ohader commented Jun 14, 2022

Just wanted to leave that here (probably you knew it already):
e.g. https://github.com/github/advisory-database/blob/b07a1c25e2ec4fe59bf3dae2c6b7db3b02f4ae75/advisories/github-reviewed/2022/04/GHSA-x7cr-6qr6-2hh6/GHSA-x7cr-6qr6-2hh6.json

  • gives an example of fixed and introduced nested in affected
  • OSV items do exist already in GitHub's advisory DB - can we some "synchronize" multiple sources (did not think about the details & consequences, yet)

@naderman
Copy link
Contributor

@ohader The packagist.org API already synchronizes and merges github's db and friendsofphp, e.g. see here: https://packagist.org/packages/guzzlehttp/guzzle/advisories?version=6278149

It would really just need someone to build an OSV compatible output for the data we collect there to have an OSV database for PHP.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Discussion] Adopt OSV unified vulnerability schema for open source
6 participants