fosstars-rating-core
PoC: gathering data from OSV
https://github.com/google/osv
It would be good to figure out if it's possible to use OSV. Ideally, it would be good to start with implementing an experimental data provider and define a draft of features.
This is a good start for Python projects. The sample can be found here: https://osv.dev/docs/ and https://osv.dev/#use-the-api
For example:
curl -X POST -d \
'{"version": "2.1.0",
"package": {"name": "cookiecutter", "ecosystem": "PyPI"}}' \
"https://api.osv.dev/v1/query"
Gives the below-mentioned output:
{"vulns":[{"id":"GHSA-f4q6-9qm4-h8j4","summary":"OS Command Injection in cookiecutter","details":"The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.","aliases":["CVE-2022-24065"],"modified":"2022-06-17T16:41:32.078048Z","published":"2022-06-09T23:48:49Z","database_specific":{"severity":"HIGH","cwe_ids":["CWE-78","CWE-88"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24065"},{"type":"WEB","url":"https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77"},{"type":"WEB","url":"https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/cookiecutter/PYSEC-2022-204.yaml"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281"},{"type":"PACKAGE","url":"https://github.com/cookiecutter/cookiecutter"}],"affected":[{"package":{"name":"cookiecutter","ecosystem":"PyPI","purl":"pkg:pypi/cookiecutter"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.1"}]}],"versions":["0.1","0.2","0.2.1","0.3","0.4","0.5","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.7.0","0.7.1","0.7.2","0.8.0","0.9.0","0.9.1","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.5.0","1.5.1","1.6.0","1.7.0","1.7.1","1.7.2","1.7.3","2.1.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-f4q6-9qm4-h8j4/GHSA-f4q6-9qm4-h8j4.json"}}],"schema_version":"1.2.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},{"id":"PYSEC-2022-204","details":"The package cookiecutter before 2.1.1 are vulnerable to Command 
Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.","aliases":["CVE-2022-24065","SNYK-PYTHON-COOKIECUTTER-2414281"],"modified":"2022-06-08T10:35:31.256727Z","published":"2022-06-08T08:15:00Z","references":[{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281"},{"type":"FIX","url":"https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77"},{"type":"WEB","url":"https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1"}],"affected":[{"package":{"name":"cookiecutter","ecosystem":"PyPI","purl":"pkg:pypi/cookiecutter"},"ranges":[{"type":"GIT","repo":"https://github.com/cookiecutter/cookiecutter","events":[{"introduced":"0"},{"fixed":"fdffddb31fd2b46344dfa317531ff155e7999f77"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.1"}]}],"versions":["0.1","0.2","0.2.1","0.3","0.4","0.5","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.7.0","0.7.1","0.7.2","0.8.0","0.9.0","0.9.1","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.5.0","1.5.1","1.6.0","1.7.0","1.7.1","1.7.2","1.7.3","2.1.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/cookiecutter/PYSEC-2022-204.yaml"}}],"schema_version":"1.2.0"}]}
All possible ecosystems are found here https://osv.dev/list?ecosystem=&q=
Things to do:
- Implement the feature to integrate collecting vulnerabilities for Artifacts and projects (based on Python, NPM)
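The following is an added example, not code from the fosstars-rating-core project (which is written in Java) or from the OSV documentation. It shows what an experimental data provider would have to do with the exchange above: build the same query body the curl command sends, parse the JSON that api.osv.dev returns, evaluate the `ECOSYSTEM` range events (`introduced`/`fixed`, plus the schema's `last_affected`) against a requested version, and de-duplicate by CVE alias, since the response contains two OSV entries (GHSA and PYSEC) for the single CVE-2022-24065. No network call is made: `OSV_RESPONSE` is a constructed, trimmed copy of the response quoted in the comment, and version comparison assumes plain dotted numeric versions, which holds for the cookiecutter versions listed there.

```python
"""Added example: parse an OSV /v1/query response and decide which entries
affect a given version. Not part of fosstars-rating-core or OSV."""
import json

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # endpoint used by the curl example

# Constructed sample: trimmed from the response quoted in the issue comment
# (ids, aliases, CWE ids, CVSS vector and the 2.1.1 fix boundary are as shown there).
OSV_RESPONSE = json.dumps({"vulns": [
    {"id": "GHSA-f4q6-9qm4-h8j4",
     "summary": "OS Command Injection in cookiecutter",
     "aliases": ["CVE-2022-24065"],
     "database_specific": {"severity": "HIGH", "cwe_ids": ["CWE-78", "CWE-88"]},
     "affected": [{"package": {"name": "cookiecutter", "ecosystem": "PyPI"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.1.1"}]}]}],
     "severity": [{"type": "CVSS_V3",
                   "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"id": "PYSEC-2022-204",
     "aliases": ["CVE-2022-24065", "SNYK-PYTHON-COOKIECUTTER-2414281"],
     "affected": [{"package": {"name": "cookiecutter", "ecosystem": "PyPI"},
                   "ranges": [
                       {"type": "GIT", "repo": "https://github.com/cookiecutter/cookiecutter",
                        "events": [{"introduced": "0"},
                                   {"fixed": "fdffddb31fd2b46344dfa317531ff155e7999f77"}]},
                       {"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.1.1"}]}]}]},
]})


def build_query(name: str, ecosystem: str, version: str) -> str:
    """JSON body for POST /v1/query, the same shape as the curl -d payload above."""
    return json.dumps({"version": version,
                       "package": {"name": name, "ecosystem": ecosystem}})


def version_key(v: str) -> tuple:
    """Comparable tuple for a dotted numeric version (assumption: no pre-release suffixes)."""
    return tuple(int(p) for p in v.split("."))


def version_in_events(version: str, events: list) -> bool:
    """Walk OSV range events in order. Each 'introduced' opens an interval that is
    closed by 'fixed' (exclusive) or 'last_affected' (inclusive); an 'introduced'
    with no closing event is open-ended. 'introduced': '0' means 'from the start'."""
    v = version_key(version)
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = ev["introduced"]
            continue
        if lo is None:
            continue
        above_lo = lo == "0" or v >= version_key(lo)
        if "fixed" in ev and above_lo and v < version_key(ev["fixed"]):
            return True
        if "last_affected" in ev and above_lo and v <= version_key(ev["last_affected"]):
            return True
        lo = None
    return lo is not None and (lo == "0" or v >= version_key(lo))


def severity_of(vuln: dict):
    """Prefer the CVSS vector; fall back to the database-specific label if present."""
    for s in vuln.get("severity", []):
        if s.get("type") == "CVSS_V3":
            return s.get("score")
    return vuln.get("database_specific", {}).get("severity")


def affected_vulns(response_json: str, name: str, ecosystem: str, version: str) -> list:
    """Entries whose ECOSYSTEM range for (name, ecosystem) covers `version`.
    GIT ranges are skipped: they are bounded by commits, not package versions."""
    hits = []
    for vuln in json.loads(response_json).get("vulns", []):
        matched = False
        for aff in vuln.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("name") != name or pkg.get("ecosystem") != ecosystem:
                continue
            for rng in aff.get("ranges", []):
                if rng.get("type") == "ECOSYSTEM" and version_in_events(version, rng["events"]):
                    matched = True
            if matched:
                break
        if matched:
            hits.append({"id": vuln["id"], "aliases": vuln.get("aliases", []),
                         "severity": severity_of(vuln)})
    return hits


def distinct_cves(hits: list) -> set:
    """Collapse GHSA/PYSEC/other entries that alias the same CVE into one id."""
    return {a for h in hits for a in h["aliases"] if a.startswith("CVE-")}


if __name__ == "__main__":
    print(build_query("cookiecutter", "PyPI", "2.1.0"))
    hits = affected_vulns(OSV_RESPONSE, "cookiecutter", "PyPI", "2.1.0")
    print([h["id"] for h in hits], distinct_cves(hits))
```

Counting raw OSV entries would report two vulnerabilities for cookiecutter 2.1.0 where there is one CVE, so a rating feature built on this data should count `distinct_cves` rather than `len(hits)`; the PYSEC entry's `GIT` range is deliberately ignored because it needs a commit, not a version, to evaluate.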