use deps.dev as primary check source

ossf · Dec 19, 2024 · 730f1e5 · 730f1e5
1 parent a203cc3
commit 730f1e5
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 30 deletions.
diff --git a/tools/osv-linter/internal/pkgchecker/package_check.go b/tools/osv-linter/internal/pkgchecker/package_check.go
@@ -15,21 +15,59 @@ func existsInCrates(pkg string) bool {
 		return true
 	}
 
-	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs["crates.io"], pkg)
+	ecosystem := "crates.io"
+	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs[ecosystem], pkg)
+
+	if isPackageInDepsDev(ecosystem, pkg) {
+		return true
+	}
+
+	return checkPackageExists(packageInstanceURL)
+}
+
+// Validate the existence of a package in Go.
+func existsInGo(pkg string) bool {
+	// Of course the Go runtime exists :-)
+	if pkg == "stdlib" || pkg == "toolchain" {
+		return true
+	}
+
+	// The Go Module Proxy seems to require package names to be lowercase.
+	// GitHub URLs are known to be case-insensitive.
+	if strings.HasPrefix(pkg, "github.com/") {
+		pkg = strings.ToLower(pkg)
+	}
+
+	ecosystem := "Go"
+	packageInstanceURL := fmt.Sprintf("%s/%s/@v/list", EcosystemBaseURLs[ecosystem], pkg)
+
+	if isPackageInDepsDev(ecosystem, pkg) {
+		return true
+	}
 
 	return checkPackageExists(packageInstanceURL)
 }
 
 // Validate the existence of a package in npm.
 func existsInNpm(pkg string) bool {
-	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs["npm"], pkg)
+	ecosystem := "npm"
+	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs[ecosystem], pkg)
+
+	if isPackageInDepsDev(ecosystem, pkg) {
+		return true
+	}
 
 	return checkPackageExists(packageInstanceURL)
 }
 
 // Validate the existence of a package in NuGet.
 func existsInNuget(pkg string) bool {
-	packageInstanceURL := fmt.Sprintf("%s/%s/index.json", EcosystemBaseURLs["NuGet"], pkg)
+	ecosystem := "NuGet"
+	packageInstanceURL := fmt.Sprintf("%s/%s/index.json", EcosystemBaseURLs[ecosystem], pkg)
+
+	if isPackageInDepsDev(ecosystem, pkg) {
+		return true
+	}
 
 	return checkPackageExists(packageInstanceURL)
 }
@@ -48,6 +86,18 @@ func existsInPackagist(pkg string) bool {
 	return checkPackageExists(packageInstanceURL)
 }
 
+// Validate the existence of a package in PyPI.
+func existsInPyPI(pkg string) bool {
+	ecosystem := "PyPI"
+	packageInstanceURL := fmt.Sprintf("%s/%s/json", EcosystemBaseURLs[ecosystem], strings.ToLower(pkg))
+
+	if isPackageInDepsDev(ecosystem, pkg) {
+		return true
+	}
+
+	return checkPackageExists(packageInstanceURL)
+}
+
 // Validate the existence of a package in Pub.
 func existsInPub(pkg string) bool {
 	packageInstanceURL := fmt.Sprintf("%s/%s", EcosystemBaseURLs["Pub"], pkg)
@@ -69,7 +119,13 @@ func existsInMaven(pkg string) bool {
 	}
 	group_id := strings.Split(pkg, ":")[0]
 	artifact_id := strings.Split(pkg, ":")[1]
-	packageInstanceURL := fmt.Sprintf("%s/?q=g:%s%%20AND%%20a:%s", EcosystemBaseURLs["Maven"], group_id, artifact_id)
+
+	ecosystem := "Maven"
+	packageInstanceURL := fmt.Sprintf("%s/?q=g:%s%%20AND%%20a:%s", EcosystemBaseURLs[ecosystem], group_id, artifact_id)
+
+	if isPackageInDepsDev(ecosystem, pkg) {
+		return true
+	}
 
 	// Needs to use GET instead of HEAD for Maven
 	resp, err := faulttolerant.Get(packageInstanceURL)
@@ -80,31 +136,6 @@ func existsInMaven(pkg string) bool {
 	return resp.StatusCode == http.StatusOK
 }
 
-// Validate the existence of a package in PyPI.
-func existsInPyPI(pkg string) bool {
-	packageInstanceURL := fmt.Sprintf("%s/%s/json", EcosystemBaseURLs["PyPI"], strings.ToLower(pkg))
-
-	return checkPackageExists(packageInstanceURL)
-}
-
-// Validate the existence of a package in Go.
-func existsInGo(pkg string) bool {
-	// Of course the Go runtime exists :-)
-	if pkg == "stdlib" || pkg == "toolchain" {
-		return true
-	}
-
-	// The Go Module Proxy seems to require package names to be lowercase.
-	// GitHub URLs are known to be case-insensitive.
-	if strings.HasPrefix(pkg, "github.com/") {
-		pkg = strings.ToLower(pkg)
-	}
-
-	packageInstanceURL := fmt.Sprintf("%s/%s/@v/list", EcosystemBaseURLs["Go"], pkg)
-
-	return checkPackageExists(packageInstanceURL)
-}
-
 // Makes an HTTP GET request to check package existance, with fault tolerance.
 func checkPackageExists(packageInstanceURL string) bool {
 	// This 404's for non-existent packages.
@@ -115,3 +146,8 @@ func checkPackageExists(packageInstanceURL string) bool {
 
 	return resp.StatusCode == http.StatusOK
 }
+
+func isPackageInDepsDev(ecosystem string, pkg string) bool {
+	url := fmt.Sprintf("https://api.deps.dev/v3/systems/%s/packages/%s", ecosystem, pkg)
+	return checkPackageExists(url)
+}
diff --git a/tools/osv-linter/internal/pkgchecker/package_check_test.go b/tools/osv-linter/internal/pkgchecker/package_check_test.go
@@ -74,7 +74,7 @@ func Test_existsInNuget(t *testing.T) {
 	}{
 		{
 			name: "existing package",
-			pkg:  "Newtonsoft.Json",
+			pkg:  "System.Formats.Nrbf",
 			want: true,
 		},
 		{