HomeLab/ForgeBucket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
2d6aabab9f1d453e9b48bbe5685d1629471897da
ForgeBucket/internal/domain/vulnscan/osv.go
T
erangel1 91462500f0 added artifacts
2026-05-12 22:34:26 +02:00

141 lines
3.6 KiB
Go
Raw Blame History

package vulnscan
import (
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
"time"
)
const defaultOSVAPI = "https://api.osv.dev/v1"
// Client queries the OSV (Open Source Vulnerabilities) API.
// https://osv.dev/docs/
type Client struct {
baseURL string
http *http.Client
}
// NewClient creates a client that queries the public OSV API.
func NewClient() *Client {
return &Client{
baseURL: defaultOSVAPI,
http: &http.Client{
Timeout: 30 * time.Second,
},
}
}
// QueryRequest is sent to POST /v1/query.
type QueryRequest struct {
Package PackageID `json:"package"`
Version string `json:"version"`
}
// PackageID identifies a package in a specific ecosystem.
type PackageID struct {
PURL string `json:"purl,omitempty"`
Name string `json:"name,omitempty"`
Ecosystem string `json:"ecosystem,omitempty"`
}
// QueryResponse is the response from POST /v1/query.
type QueryResponse struct {
Vulns []OSVVuln `json:"vulns"`
}
// OSVVuln is a vulnerability returned by the OSV API.
type OSVVuln struct {
ID string `json:"id"`
Summary string `json:"summary"`
Details string `json:"details"`
Aliases []string `json:"aliases"`
Fixed string `json:"fixed,omitempty"`
Severity []Severity `json:"severity,omitempty"`
Affected []Affected `json:"affected,omitempty"`
Published string `json:"published,omitempty"`
Modified string `json:"modified,omitempty"`
}
// Severity holds a CVSS score from the OSV response.
type Severity struct {
Type string `json:"type"`
Score string `json:"score"`
}
// Affected describes a package version range.
type Affected struct {
Package PackageID `json:"package"`
Ranges []AffectedRange `json:"ranges"`
Versions []string `json:"versions"`
}
type AffectedRange struct {
Type string `json:"type"`
Events []RangeEvent `json:"events"`
}
type RangeEvent struct {
Introduced string `json:"introduced"`
Fixed string `json:"fixed"`
Limit string `json:"limit"`
}
// QueryByPURL queries OSV for vulnerabilities affecting a given PURL + version.
func (c *Client) QueryByPURL(purl, version string) ([]OSVVuln, error) {
body := QueryRequest{
Package: PackageID{PURL: purl},
Version: version,
}
return c.doQuery(body)
}
// QueryByEcosystem queries OSV for vulnerabilities affecting a package in a
// specific ecosystem (e.g. "npm", "Go", "PyPI", "cargo", "Maven", "RubyGems").
func (c *Client) QueryByEcosystem(ecosystem, name, version string) ([]OSVVuln, error) {
body := QueryRequest{
Package: PackageID{
Name: name,
Ecosystem: ecosystem,
},
Version: version,
}
return c.doQuery(body)
}
func (c *Client) doQuery(body interface{}) ([]OSVVuln, error) {
payload, err := json.Marshal(body)
if err != nil {
return nil, fmt.Errorf("vulnscan: marshal body: %w", err)
}
req, err := http.NewRequest(http.MethodPost, c.baseURL+"/query", bytes.NewReader(payload))
if err != nil {
return nil, fmt.Errorf("vulnscan: create request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Accept", "application/json")
resp, err := c.http.Do(req)
if err != nil {
return nil, fmt.Errorf("vulnscan: query: %w", err)
}
defer resp.Body.Close()
respBody, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("vulnscan: read response: %w", err)
}
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("vulnscan: OSV returned %d: %s", resp.StatusCode, string(respBody))
}
var qr QueryResponse
if err := json.Unmarshal(respBody, &qr); err != nil {
return nil, fmt.Errorf("vulnscan: parse response: %w", err)
}
return qr.Vulns, nil
}
Reference in New Issue View Git Blame Copy Permalink