How to query the API for vulnerabilities in a Git repo? #2576
Comments
The way to query by git repos is to query by the commit SHA, e.g. with c7f810a76ca88ff28613fa165927e0269255aab0 (the commit for https://github.com/capnproto/capnproto/releases/tag/v1.0.1). However, this is returning 0 results. This is because of #1910 (comment) and us not doing cherrypick detection by default for our CVE source.

In the case of https://osv.dev/vulnerability/CVE-2023-48230, it's because the record doesn't include capnproto/capnproto@5d5d734 (another cherrypicked variant of the fix). Our cherrypick detection does detect this case (
Thanks! I really couldn't understand directly from the documentation whether the commit object was inclusive (i.e. all dependent and ancestor commits and the graph is known, so you can tell if any commit is vulnerable) or whether it was only intended to be specified on release objects, or what have you. I think I likely did try what you suggested but got zero results, which made it seem even stranger, like the endpoint call was wrong. Probably just a little more docs on the v1/query page would have helped here. Thanks for tracking the capnproto bug, too!

Feel free to send us a PR for an improvement that would have made them better for someone like yourself.
I am using Cap'n Proto, a relatively niche library but one that has had a CVE or two.

Consider https://osv.dev/vulnerability/CVE-2023-48230 — how can I find this via an API query, given the version or Git commit of the upstream https://github.com/capnproto/capnproto/ repository for the package I'm using? Let's say it's 1.0.1, so it should be vulnerable to this CVE? How can I query that?

Things I've tried:

- `ecosystem=GIT` in the API request and querying for the repo as the name of the package. This always returns `Invalid ecosystem.` with `code=3` — for example `http https://api.osv.dev/v1/query package[name]="https://github.com/capnproto/capnproto" package[ecosystem]=GIT`
- `pkg:github`, but it returns nothing no matter what — for example `http https://api.osv.dev/v1/query package[purl]=pkg:github/capnproto/capnproto`

(`http` is HTTPie, which is just a simpler way to write JSON requests than cURL.)

Neither of these seem to work; the actual Python app running the frontend seems to be using its own search index in the background which isn't exposed to the API?

Cap'n Proto is not the only relevant example. I would also like to query for:

- zlib (`pkg:debian`, etc.)
- mimalloc

Neither of these have `pkg:generic` PURL specifiers it seems, so I can't refer to them. `zlib` is the more relevant of the two since I'm in the same boat there; if I have version 1.3.1, how can I query against the repository? I guess in the `zlib` case I can piggyback on `pkg:debian`, but in the mimalloc case it seems I'm SOL.