Hello, I maybe wrong where to report this issue but let me try.

CAN-2022-1000071 in https://osv-vulnerabilities.storage.googleapis.com/GSD/all.zip violates the OSV schema.

{
  "id": "CAN-2022-1000071",
  "summary": "Default Credentials in XB6 Fibre+ Gateway version XB6_0821",
  "details": "In Shaw Communications Inc XB6 Fibre+ Gateway version XB6_0821 a Default Credentials exists in the Router/Modem that can be attacked via local access resulting in Admin access to router",
  "modified": "2022-02-01T19:38:14.238938Z",
  "published": "2022-02-01T19:38:14.238938Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://support.shaw.ca/t5/internet-articles/guide-fibre-gateway-xb6-xb7/ta-p/5114"
    },
    {
      "type": "WEB"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "XB6 Fibre+ Gateway",
        "ecosystem": "GSD"
      },
      "versions": [
        "XB6_0821"
      ],
      "database_specific": {
        "source": "https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1000xxx/GSD-2022-1000071.json"
      }
    }
  ],
  "schema_version": "1.3.0"
}

reference (in references) should have url but not. I cannot find the original data source. So maybe there is something wrong the original data side not osv.dev side.

Bumps google-cloud-logging from 2.1.0 to 3.1.2.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

I've recently done an initial implementation for having osv-detector use the osv.dev api, but it looks like it's not 1:1 with the offline databases, at least for Packagist.

{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "b63765525e5fabcf664728d548ecf8a2",
    "packages": [
        {
            "name": "enshrined/svg-sanitize",
            "version": "0.13.3",
            "source": {
                "type": "git",
                "url": "https://github.com/darylldoyle/svg-sanitizer.git",
                "reference": "bc66593f255b7d2613d8f22041180036979b6403"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/bc66593f255b7d2613d8f22041180036979b6403",
                "reference": "bc66593f255b7d2613d8f22041180036979b6403",
                "shasum": ""
            },
            "require": {
                "ext-dom": "*",
                "ext-libxml": "*"
            },
            "require-dev": {
                "codeclimate/php-test-reporter": "^0.1.2",
                "phpunit/phpunit": "^6"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
                    "enshrined\\svgSanitize\\": "src"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "GPL-2.0-or-later"
            ],
            "authors": [
                {
                    "name": "Daryll Doyle",
                    "email": "[email protected]"
                }
            ],
            "description": "An SVG sanitizer for PHP",
            "time": "2020-01-20T01:34:17+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": []
}

❯ osv-detector-t --use-api --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
/mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
  no known vulnerabilities found

❯ osv-detector-t --use-dbs --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
/mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
  Loading OSV databases for the following ecosystems:
    Packagist (862 vulnerabilities, including withdrawn - last updated Fri, 13 May 2022 23:58:47 GMT)

  enshrined/[email protected] is affected by the following vulnerabilities:
    GHSA-fqx8-v33p-4qcc: Cross-site Scripting in enshrined/svg-sanitize (https://github.com/advisories/GHSA-fqx8-v33p-4qcc)

  1 known vulnerability found in /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt

The vulnerability here correctly lists says it affects versions below 0.15.0, but it's not reported even if I use the version:

❯ curl -X POST -d '{"commit": "bc66593f255b7d2613d8f22041180036979b6403"}' 'https://api.osv.dev/v1/query'
{}
❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
{}
❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize", "ecosystem": "Packagist"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
{}

Going with the lowest version for this package doesn't return anything either, when it should return three vulnerabilities.

(my current theory is that this because the advisory doesn't have any versions, and the api isn't checking against ranges?)

A bulk query API would allow developers to more easily query the API without hitting rate limits. It would also help with scenarios like #257, where an SBOM will contain many dependencies.

Bumps certifi from 2022.9.24 to 2022.12.7.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Fixes #770 When loading a osv schema, be more strict on what is allowed by first checking the imported osv.json against the schema.

• Do this validation when loading
• Fix issue where EVIDENCE is not an entry in vulnerability.proto
• Update worker and importer tests to actually test against valid osv entries
  • Add modified date to yaml test cases
    • YAML has weird importing where datetime is converted into datetime.datetime python object instead of str. Add code to account for that.
• Add osv-schema as a submodule
• Add symbolic link to osv validation schema
• Manually copy over validation schema in docker container to avoid issues with symbolic links

Before merging:

A potentially large number of bucket entries might not be valid osv, we probably need to make a decision on how to deal with them.

• Probably spin up the testing environment to see how many entries are actually rejected.
• Determine behavior for what to do to handle invalid entries that's already in osv's database #771

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

Detected Package Files

• cloudbuild.yaml (cloudbuild)
• vulnfeeds/cloudbuild.yaml (cloudbuild)
• vulnfeeds/pypi/cloudbuild.yaml (cloudbuild)
• actions/analyze/Dockerfile (dockerfile)
• docker/ci/Dockerfile (dockerfile)
• docker/deployment/Dockerfile (dockerfile)
• docker/exporter/Dockerfile (dockerfile)
• docker/importer/Dockerfile (dockerfile)
• docker/indexer/Dockerfile (dockerfile)
• docker/worker/Dockerfile (dockerfile)
• gcp/api/Dockerfile (dockerfile)
• vulnfeeds/cmd/alpine/Dockerfile (dockerfile)
• vulnfeeds/cmd/combine-to-osv/Dockerfile (dockerfile)
• .github/workflows/codeql-analysis.yml (github-actions)
• .github/workflows/lint.yaml (github-actions)
• .github/workflows/publish-to-pypi.yaml (github-actions)
• .github/workflows/scorecards.yml (github-actions)
• docker/indexer/go.mod (gomod)
• docs/go.mod (gomod)
• tools/osv-scanner/go.mod (gomod)
• vulnfeeds/go.mod (gomod)
• gcp/appengine/frontend3/package.json (npm)
• Pipfile (pipenv)
• docker/worker/Pipfile (pipenv)
• gcp/api/Pipfile (pipenv)
• gcp/appengine/Pipfile (pipenv)
• gcp/functions/pypi/Pipfile (pipenv)

Configuration

🔡 Renovate has detected a custom config for this PR. Feel free to ask for help if you have any doubts and would like it reviewed.

Important: Now that this branch is edited, Renovate can't rebase it from the base branch any more. If you make changes to the base branch that could impact this onboarding PR, please merge them manually.

What to Expect

With your current configuration, Renovate will create 9 Pull Requests:

🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or spam the project. See docs for prhourlylimit for details.

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section. If you need any further assistance then you can also request help here.

This PR has been generated by Mend Renovate. View repository job log here.

Support to identify package with package url would be nice and it will be easy to integrate with other tool chain. https://github.com/package-url/purl-spec

Betterscan CE is a Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC). Supports major programming and Cloud stacks.

Now with added OSV Scanner it will scan SBOM and dependencies vulnerabilities.

Great work!

More in the project repo and website.

Feel free to contact me in case of any questions.

Thanks,

P.S Maybe you can sort the list alphabetically

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | a12a394 -> 1f9a0c2 | | actions/upload-artifact | action | digest | 3cea537 -> 83fd05a | | ossf/scorecard-action | action | digest | 08dd0ce -> 066a051 | | pypa/gh-action-pypi-publish | action | digest | 37f50c2 -> 5fb2f04 |

Configuration

📅 Schedule: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@alex reported this upstream to pip-audit:

pip-audit -r <(echo 'markdown2==2.4.2') --no-deps

Produces:

Found 1 known vulnerability in 1 package
Name      Version ID                  Fix Versions
--------- ------- ------------------- ------------
markdown2 2.4.2   GHSA-p6h9-gw49-rqm4

But GHSA-p6h9-gw49-rqm4 isn't valid for 2.4.2 (it's only valid for <2.3.6): https://github.com/advisories/GHSA-p6h9-gw49-rqm4

It looks like OSV has both GHSA-p6h9-gw49-rqm4 and its CVE alias, but with a missing "version fixed" for the GHSA version: https://osv.dev/list?ecosystem=&q=CVE-2018-5773

cc @di as well for visibility.

The integration tests can randomly fail because they're operating on live data that can change unexpectedly. This results in tests failing on a PR through no fault of the code in the PR. We already run the integration tests on every commit, so it's just a matter of surfacing those failures to the people who can do something about them.

The table of prefixes at https://ossf.github.io/osv-schema/ is the most canonical documentation we have for current sources of vulnerabilities that OSV uses.

Expand this to include a point of contact or feedback channel in the event of receiving questionable data. One possibility is a page per source, and a link to that page from each row of this table.

We saw some brittleness with https://github.com/google/osv.dev/blob/69c1d3817f8759ff3e294d629383f5dc6fcc2dc0/osv/ecosystems.py#L559 today, which impacted tests, but the code under test is where the brittleness lay.

Using a local replica of https://wiki.debian.org/UltimateDebianDatabase may be a more reliable solution if this continues to crop up.

The osv.dev advisory for CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not vulnerable because they were fixed by CVE-2017-12613.

Explanation

Based on information from this patch: https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch

CVE-2021-35940 is actually the same issue as CVE-2017-12613. However, because this issue regressed in apr-1.7.0, a new CVE-ID was assigned.

However, the above patch mentions that CVE-2017-12613 was fixed in apr-1.6.3 and later, which means that apr-1.6.3 and apr-1.6.5 are not vulnerable.

I'm not sure what the solution to this is, but maybe it's adding a fixed attribute for 1.6.3 and an alias of CVE-2017-12613, depending on how the logic computes vulnerable versions.

e.g. https://osv.dev/v/PYSEC-foo should redirect to the full https://osv.dev/vulnerability/PYSEC-foo.

This can help with osv-scanner's human readable output, where horizontal space is a premium.