Description
I am using Cap'n Proto, a relatively niche library but one that has had a CVE or two.
Consider https://osv.dev/vulnerability/CVE-2023-48230 — how can I find this via an API query, given the version or Git commit of the upstream https://github.com/capnproto/capnproto/ repository for the package I'm using? Let's say it's 1.0.1, so it should be vulnerable to this CVE? How can I query that?
Things I've tried:
- Setting `ecosystem=GIT` in the API request and querying for the repo as the name of the package. This always returns `Invalid ecosystem.` with `code=3` — for example `http https://api.osv.dev/v1/query package[name]="https://github.com/capnproto/capnproto" package[ecosystem]=GIT`
- Using PURL specification since the spec mentioned a hypothetical `pkg:github`, but it returns nothing no matter what — for example `http https://api.osv.dev/v1/query package[purl]=pkg:github/capnproto/capnproto`

(`http` is HTTPie, which is just a simpler way to write JSON requests than cURL.)
Neither of these seems to work; the actual Python app running the frontend seems to be using its own search index in the background which isn't exposed to the API?
Cap'n Proto is not the only relevant example. I would also like to query for:
- https://github.com/microsoft/mimalloc (no reports to date)
- https://github.com/madler/zlib (several real reports, but most hits are actually under `pkg:debian`, etc)

Neither of these has `pkg:generic` PURL specifiers it seems, so I can't refer to them. `zlib` is the more relevant of the two since I'm in the same boat there; if I have version 1.3.1, how can I query against the repository? I guess in the `zlib` case I can piggyback on `pkg:debian`, but in the mimalloc case it seems I'm SOL.