-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to query the API for vulnerabilities in a Git repo? #2576
Comments
The way to query by git repos is to query by the commit SHA. e..g.
(c7f810a76ca88ff28613fa165927e0269255aab0 is the commit for https://github.com/capnproto/capnproto/releases/tag/v1.0.1) However, this is returning 0 results. This is because of #1910 (comment) and us not doing cherrypick detection by default for our CVE source. |
In the case of https://osv.dev/vulnerability/CVE-2023-48230, it's because the record doesn't include capnproto/capnproto@5d5d734 (another cherrypicked variant of the fix) Our cherrypick detection does detect this case ( |
Thanks! I really couldn't understand directly from the documentation if the commit object was inclusive (i.e. all dependent and ancestor commits and the graph is known so you can tell if any commit vulnerable) or if it was only intended to be specified on release objects, or what have you. I think I likely did try what you suggested but got zero results, which made it seem even stranger, like the endpoint call was wrong. Probably just a little more docs on the v1/query page would have helped here. Thanks for tracking the capnproto bug, too! |
Feel free to send us a PR for an improvement that would have made them better for someone like yourself. |
This issue has not had any activity for 60 days and will be automatically closed in two weeks See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out. |
I am using Cap'n Proto, a relatively niche library but one that has had a CVE or two.
Consider https://osv.dev/vulnerability/CVE-2023-48230 — how can I find this via an API query, given the version or Git commit of the upstream https://github.com/capnproto/capnproto/ repository for the package I'm using? Let's say it's 1.0.1, so it should be vulnerable to this CVE? How can I query that?
Things I've tried:
ecosystem=GIT
in the API request and querying for the repo as the name of the package. This always returnsInvalid ecosystem.
withcode=3
— for examplehttp https://api.osv.dev/v1/query package[name]="https://github.com/capnproto/capnproto" package[ecosystem]=GIT
pkg:github
, but it returns nothing no matter what — for examplehttp https://api.osv.dev/v1/query package[purl]=pkg:github/capnproto/capnproto
(
http
is HTTPie, which is just a simpler way to write JSON requests than cURL.)Neither of these seem to work; the actual Python app running the frontend seems to be using its own search index in the background which isn't exposed to the API?
Cap'n Proto is not the only relevant example. I would also like to query for:
pkg:debian
, etc)Neither of these have
pkg:generic
PURL specifiers it seems, so I can't refer to them.zlib
is the more relevant of the two since I'm in the same boat there; if I have version 1.3.1, how can I query against the repository? I guess in thezlib
case I can piggyback onpkg:debian
, but in the mimalloc case it seems I'm SOL.The text was updated successfully, but these errors were encountered: