osv.dev icon indicating copy to clipboard operation
osv.dev copied to clipboard
verified publisher icon google

Search using CVE

Open ArkaprabhaChakraborty opened this issue 9 months ago • 8 comments

Is your feature request related to a problem? Please describe. Currently I see there are no way to search via CVE which IDs might have the related CVE in their alias. A search option via the CVE would be really helpful too. This would also help in identifying the packages affected by a CVE and know the similar CVEs associated with it (which is basically the goal of the OSV ID).

Describe the solution you'd like An extra search feature to search using CVE. Example: vulnerablecode

ArkaprabhaChakraborty avatar Mar 21 '25 06:03 ArkaprabhaChakraborty

If possible I would like to work on it.

ArkaprabhaChakraborty avatar Mar 21 '25 06:03 ArkaprabhaChakraborty

This would be valuable functionality. Feel free to work on it, it might be challenging without direct GCP infrastructure access, and it might require Datastore changes that are difficult to reason about without that GCP infrastructure access, but there's only one way to find out...

andrewpollock avatar Mar 21 '25 06:03 andrewpollock

it might be challenging without direct GCP infrastructure access, and it might require Datastore changes that are difficult to reason about without that GCP infrastructure access

Yep I did think about it. At first I thought let's just build a python automation script for my own which fetches the jsons and finds the CVEs but then I thought how do I get the IDs in the first place? So to solve it we need this feature up in osv.dev database, website and API.

I saw sometimes there are CVEs referenced like: https://osv.dev/vulnerability/CVE-2025-24813 but not all of them are always present.

ArkaprabhaChakraborty avatar Mar 21 '25 07:03 ArkaprabhaChakraborty

I saw sometimes there are CVEs referenced like: https://osv.dev/vulnerability/CVE-2025-24813 but not all of them are always present.

It depends on if they converted successfully

andrewpollock avatar Mar 21 '25 07:03 andrewpollock

Right! I saw apache tomcat present but apache ofbiz absent as ofbiz is not in maven central repo for some reason.

ArkaprabhaChakraborty avatar Mar 21 '25 07:03 ArkaprabhaChakraborty

Hey, just to confirm - is this for the website search or the API? Specifically speaking for the website here: searching by alias should already be possible: https://github.com/google/osv.dev/blob/435d4e5c70b4c2dfe7693adc4aabc73437503c4e/osv/models.py#L369C3-L373C53

but, from playing around with those IDs, I can tell that this isn't consistent. I think its a bug in which that above section isn't actually being triggered for some vulnerability entries. I'll have a look into it! Thanks for bringing this up!

Adding related/upstream should be as simple as adding them to the search indices as well, assuming the above bug can be fixed :)

If you want to attempt this, this is a great opportunity to test whether #3229 works for testing frontend changes without infra access. Happy to discuss more about getting this working.

jess-lowe avatar Mar 23 '25 23:03 jess-lowe

Thanks @jess-lowe ! I would take a look into it!

ArkaprabhaChakraborty avatar Mar 24 '25 04:03 ArkaprabhaChakraborty

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar May 23 '25 04:05 github-actions[bot]

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Jul 22 '25 06:07 github-actions[bot]