
libpkg add: OSVF parser #2453


Open: wants to merge 1 commit into base: main

Conversation

illuusio

Open Source Vulnerability format is a widely used format to exchange vulnerability information between various systems.

Commit adds an OSVF parser to libpkg and also introduces a test for making sure that it is working correctly.

Parser uses the schema JSON from https://ossf.github.io/osv-schema/ to make sure that OSVF files are correctly formatted. Current parser only supports the latest schema and version.

@illuusio force-pushed the add_osvf_to_libpkg branch from bb1374a to 3b905d2 on May 29, 2025 06:39

bapt (Member) commented Jun 3, 2025

note there are 2 test failures on debian:
Result: failed: /home/build/pkg/tests/lib/pkg_osvf.c:200: obj != NULL not met

unsigned int
pkg_osvg_get_ecosystem(const char *ecosystem)
{
	if(strncmp(ecosystem, "AlmaLinux", 8) == 0)
Member

it will probably be more maintainable to have a struct ecomapping [] = { { "AlmaLinux", OSVF_ECOSYSTEM_ALMALINUX }, ... }; and loop over all the entries. The day we have a new entry it is easier to append.

Member

I'd use a hash table here tbh instead of a loop.

Member

Also how will we keep this up to date over time as new ones are added?

Member

I haven't looked at what this is used for, but maybe we can just cherry-pick the ones we are interested in.

@illuusio (Author) Jun 9, 2025

I'll implement a full parser for Affected fields as they can be like Ubuntu:Pro:18.04:LTS or Red Hat:rhel_aus:8.4::appstream. For FreeBSD there would be namespaces like FreeBSD:ports, FreeBSD:kernel:14.3 and FreeBSD:src:14.3?
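Taking bapt's mapping-table suggestion together with the colon-separated ecosystem namespaces discussed in this thread, the following is an added example in C (not code from the PR or from pkg) of a table-driven lookup that matches the whole first component and hands the remaining suffix back to the caller. The enum names other than OSVF_ECOSYSTEM_ALMALINUX, the table contents and the function name osvf_ecosystem_lookup are assumptions; the same pattern applies to the reference-type mapping.

```c
#include <string.h>

/* Enum names are assumed, in the style of the PR's OSVF_ECOSYSTEM_ALMALINUX. */
enum osvf_ecosystem {
	OSVF_ECOSYSTEM_UNKNOWN = 0,
	OSVF_ECOSYSTEM_ALMALINUX,
	OSVF_ECOSYSTEM_UBUNTU,
	OSVF_ECOSYSTEM_REDHAT,
	OSVF_ECOSYSTEM_FREEBSD
};

struct ecomapping {
	const char *name;
	enum osvf_ecosystem value;
};

/* Constructed subset of OSV ecosystem names; a new ecosystem is one more row. */
static const struct ecomapping ecomap[] = {
	{ "AlmaLinux", OSVF_ECOSYSTEM_ALMALINUX },
	{ "Ubuntu",    OSVF_ECOSYSTEM_UBUNTU },
	{ "Red Hat",   OSVF_ECOSYSTEM_REDHAT },
	{ "FreeBSD",   OSVF_ECOSYSTEM_FREEBSD }
};

/*
 * Map an OSV affected[].package.ecosystem string to an enum. The first
 * colon-separated component is the ecosystem ("Ubuntu:Pro:18.04:LTS" ->
 * Ubuntu); the rest is returned through *suffix for the caller to parse.
 * The comparison covers the whole component, so "AlmaLinuxFoo" does not
 * match "AlmaLinux" the way a fixed-length prefix compare would.
 */
enum osvf_ecosystem
osvf_ecosystem_lookup(const char *ecosystem, const char **suffix)
{
	const char *colon;
	size_t len, i;

	if (ecosystem == NULL)
		return (OSVF_ECOSYSTEM_UNKNOWN);
	colon = strchr(ecosystem, ':');
	len = colon != NULL ? (size_t)(colon - ecosystem) : strlen(ecosystem);
	if (suffix != NULL)
		*suffix = colon != NULL ? colon + 1 : "";
	for (i = 0; i < sizeof(ecomap) / sizeof(ecomap[0]); i++) {
		if (strlen(ecomap[i].name) == len &&
		    strncmp(ecomap[i].name, ecosystem, len) == 0)
			return (ecomap[i].value);
	}
	return (OSVF_ECOSYSTEM_UNKNOWN);
}
```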

unsigned int
pkg_osvg_get_reference(const char *reference_type)
{

Member

Same: a mapping struct would be more maintainable.

Author

This one I didn't understand. Is it that you feed a struct to that, or make a new struct for this one?

@vstakhov (Member) left a comment

There are many places where type checks and NULL checks are strongly advised when you work with ucl objects.


@illuusio force-pushed the add_osvf_to_libpkg branch from 3b905d2 to 169d6a5 on June 10, 2025 12:27

Commit message:

Open Source Vulnerability format is a widely
used format to exchange vulnerability information
between various systems.

Commit adds an OSVF parser to libpkg and
also introduces a test for making sure that
it is working correctly.

Parser uses the schema JSON from
https://ossf.github.io/osv-schema/ to make sure
that OSVF files are correctly formatted. Current
parser only supports the latest schema and version.

Sponsored by: FreeBSD Foundation

@illuusio force-pushed the add_osvf_to_libpkg branch from 169d6a5 to 64becb6 on June 10, 2025 14:06
@illuusio (Author)

> note there are 2 test failures on debian: Result: failed: /home/build/pkg/tests/lib/pkg_osvf.c:200: obj != NULL not met

I was using the wrong macro here. The correct one for the Kyua and atf absolute path is @abs_top_srcdir@, to load some file from disk.
