brew-vulns 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d1e6ed689e85382d79c401a23c21c55e393038dba7b5f3ec52f90196904effe1
+  data.tar.gz: 55400c9cafeb368de7f8079363d0e46ae851e0f4cd16f4984139da655e84a36d
+SHA512:
+  metadata.gz: b2f086436e55e908a72b5e22b07e7890f99f5ff34a98c4db863f4121f3a7961f86036ca772e5a35d171beaa4c70f29425f5b224513c931f612a8ed3f183eeb0f
+  data.tar.gz: dd7ba735193a41955bca5e1a66cfc6340441bcf4baad3cca231b1490b51f0efede7436e1cb564eb6a02f889d682241ef4c73a904754121ea7080044abbf90931

data/.ruby-version

@@ -0,0 +1 @@
+4.0.0

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2026-01-08
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,10 @@
+# Code of Conduct
+
+"brew-vulns" follows [The Ruby Community Conduct Guideline](https://www.ruby-lang.org/en/conduct) in all "collaborative space", which is defined as community communications channels (such as mailing lists, submitted patches, commit comments, etc.):
+
+* Participants will be tolerant of opposing views.
+* Participants must ensure that their language and actions are free of personal attacks and disparaging personal remarks.
+* When interpreting the words and actions of others, participants should always assume good intentions.
+* Behaviour which can be reasonably considered harassment will not be tolerated.
+
+If you have any concerns about behaviour within this project, please contact us at ["andrewnez@gmail.com"](mailto:"andrewnez@gmail.com").

data/Formula/brew-vulns.rb

@@ -0,0 +1,25 @@
+class BrewVulns < Formula
+  desc "Check Homebrew packages for known vulnerabilities via osv.dev"
+  homepage "https://github.com/andrew/brew-vulns"
+  url "https://github.com/andrew/brew-vulns/archive/refs/tags/v0.1.0.tar.gz"
+  sha256 "UPDATE_WITH_SHA256_AFTER_RELEASE"
+  license "MIT"
+
+  depends_on "ruby"
+
+  def install
+    ENV["GEM_HOME"] = libexec
+
+    system "git", "init"
+    system "git", "add", "."
+
+    system "gem", "build", "brew-vulns.gemspec"
+    system "gem", "install", "--no-document", "brew-vulns-#{version}.gem"
+    bin.install libexec/"bin/brew-vulns"
+    bin.env_script_all_files(libexec/"bin", GEM_HOME: ENV.fetch("GEM_HOME", nil))
+  end
+
+  test do
+    system bin/"brew-vulns", "--help"
+  end
+end

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Andrew Nesbitt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,84 @@
+# brew-vulns
+
+A Homebrew subcommand that checks installed packages for known vulnerabilities using the [OSV.dev](https://osv.dev) database.
+
+## Installation
+
+Via Homebrew:
+
+```bash
+brew tap andrew/brew-vulns https://github.com/andrew/brew-vulns
+brew install brew-vulns
+```
+
+Or via RubyGems:
+
+```bash
+gem install brew-vulns
+```
+
+Once installed, the command is available as `brew vulns`.
+
+## Usage
+
+```bash
+# Check all installed packages
+brew vulns
+
+# Check a specific formula
+brew vulns openssl
+
+# Check a formula and its dependencies
+brew vulns python --deps
+
+# Output as JSON (useful for CI/CD)
+brew vulns --json
+
+# Show help
+brew vulns --help
+```
+
+## How it works
+
+1. Reads installed Homebrew formulae via `brew info --json=v2 --installed`
+2. Extracts the GitHub repository URL and version tag from each formula's source URL
+3. Queries the OSV API using the GIT ecosystem to find known vulnerabilities
+4. Reports any vulnerabilities found with their severity and CVE identifiers
+
+Only packages with GitHub source URLs can be checked. Packages from other sources are skipped.
+
+## Example output
+
+```
+Checking 104 packages for vulnerabilities...
+(119 packages skipped - no GitHub source URL)
+
+expat (2.7.3)
+  CVE-2025-66382 (HIGH) - XML parsing vulnerability...
+
+hdf5 (1.14.6)
+  OSV-2023-1091 (MEDIUM) - Buffer overflow in...
+  OSV-2023-1223 (MEDIUM) - ...
+
+Found 15 vulnerabilities in 3 packages
+```
+
+## Exit codes
+
+- `0` - No vulnerabilities found
+- `1` - Vulnerabilities found (or error occurred)
+
+This makes it suitable for use in CI/CD pipelines.
+
+## Development
+
+```bash
+git clone https://github.com/andrewnesbitt/brew-vulns
+cd brew-vulns
+bin/setup
+rake test
+```
+
+## License
+
+MIT License. See [LICENSE](LICENSE) for details.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+task default: :test

data/exe/brew-vulns

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "brew/vulns"
+
+exit Brew::Vulns::CLI.run(ARGV)

data/lib/brew/vulns/cli.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+module Brew
+  module Vulns
+    class CLI
+      def self.run(args)
+        new(args).run
+      end
+
+      def initialize(args)
+        @args = args
+        @formula_filter = args.first unless args.first&.start_with?("-")
+        @include_deps = args.include?("--deps") || args.include?("-d")
+        @json_output = args.include?("--json") || args.include?("-j")
+        @help = args.include?("--help") || args.include?("-h")
+      end
+
+      def run
+        if @help
+          print_help
+          return 0
+        end
+
+        formulae = load_formulae
+        if formulae.empty?
+          puts "No installed formulae found."
+          return 0
+        end
+
+        queryable = formulae.select(&:github?).select(&:tag)
+        skipped = formulae.size - queryable.size
+
+        unless @json_output
+          puts "Checking #{queryable.size} packages for vulnerabilities..."
+          puts "(#{skipped} packages skipped - no GitHub source URL)" if skipped > 0
+          puts
+        end
+
+        results = scan_vulnerabilities(queryable)
+        output_results(results, formulae)
+      rescue OsvClient::Error => e
+        $stderr.puts "Error querying OSV: #{e.message}"
+        1
+      rescue Error => e
+        $stderr.puts "Error: #{e.message}"
+        1
+      rescue JSON::ParserError => e
+        $stderr.puts "Error parsing brew output: #{e.message}"
+        1
+      end
+
+      private
+
+      def load_formulae
+        if @include_deps && @formula_filter
+          Formula.load_with_dependencies(@formula_filter)
+        else
+          Formula.load_installed(@formula_filter)
+        end
+      end
+
+      def scan_vulnerabilities(formulae)
+        client = OsvClient.new
+        queries = formulae.map(&:to_osv_query).compact
+
+        vuln_results = client.query_batch(queries)
+
+        results = {}
+        formulae.each_with_index do |formula, idx|
+          vulns = Vulnerability.from_osv_list(vuln_results[idx] || [])
+          results[formula] = vulns if vulns.any?
+        end
+
+        results
+      end
+
+      def output_results(results, all_formulae)
+        if @json_output
+          output_json(results)
+        else
+          output_text(results, all_formulae)
+        end
+      end
+
+      def output_json(results)
+        data = results.map do |formula, vulns|
+          {
+            formula: formula.name,
+            version: formula.version,
+            tag: formula.tag,
+            repo_url: formula.repo_url,
+            vulnerabilities: vulns.map do |v|
+              {
+                id: v.id,
+                severity: v.severity_display,
+                summary: v.summary,
+                aliases: v.aliases,
+                fixed_versions: v.fixed_versions
+              }
+            end
+          }
+        end
+
+        puts JSON.pretty_generate(data)
+        results.empty? ? 0 : 1
+      end
+
+      def output_text(results, all_formulae)
+        if results.empty?
+          puts "No vulnerabilities found."
+          return 0
+        end
+
+        total_vulns = 0
+        sorted = results.sort_by { |_, vulns| -vulns.map(&:severity_level).max }
+
+        sorted.each do |formula, vulns|
+          puts "#{formula.name} (#{formula.version})"
+          vulns.sort_by { |v| -v.severity_level }.each do |vuln|
+            total_vulns += 1
+            severity = colorize_severity(vuln.severity_display)
+
+            line = "  #{vuln.id} (#{severity})"
+            if vuln.summary
+              summary = vuln.summary.length > 60 ? "#{vuln.summary.slice(0, 60)}..." : vuln.summary
+              line = "#{line} - #{summary}"
+            end
+            puts line
+
+            if vuln.fixed_versions.any?
+              puts "    Fixed in: #{vuln.fixed_versions.join(", ")}"
+            end
+          end
+          puts
+        end
+
+        puts "Found #{total_vulns} vulnerabilities in #{results.size} packages"
+        1
+      end
+
+      def colorize_severity(severity)
+        return severity unless $stdout.tty?
+
+        case severity
+        when "CRITICAL" then "\e[1;31m#{severity}\e[0m"
+        when "HIGH" then "\e[31m#{severity}\e[0m"
+        when "MEDIUM" then "\e[33m#{severity}\e[0m"
+        when "LOW" then "\e[32m#{severity}\e[0m"
+        else severity
+        end
+      end
+
+      def print_help
+        puts <<~HELP
+          Usage: brew vulns [formula] [options]
+
+          Check installed Homebrew packages for known vulnerabilities via osv.dev.
+
+          Arguments:
+            formula          Check only this formula (optional)
+
+          Options:
+            -d, --deps       Include dependencies when checking a specific formula
+            -j, --json       Output results as JSON
+            -h, --help       Show this help message
+
+          Examples:
+            brew vulns                    Check all installed packages
+            brew vulns openssl            Check only openssl
+            brew vulns vim --deps         Check vim and its dependencies
+            brew vulns --json             Output as JSON for CI/CD
+        HELP
+      end
+    end
+  end
+end

data/lib/brew/vulns/formula.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require "json"
+require "open3"
+
+module Brew
+  module Vulns
+    class Formula
+      attr_reader :name, :version, :source_url, :head_url, :dependencies
+
+      def initialize(data)
+        @name = data["name"] || data["full_name"]
+        @version = data.dig("versions", "stable") || data["version"]
+        @source_url = data.dig("urls", "stable", "url")
+        @head_url = data.dig("urls", "head", "url")
+        @dependencies = data["dependencies"] || []
+      end
+
+      def repo_url
+        return @repo_url if defined?(@repo_url)
+
+        @repo_url = extract_repo_url(source_url) || extract_repo_url(head_url)
+      end
+
+      def tag
+        return @tag if defined?(@tag)
+
+        @tag = extract_tag_from_url(source_url)
+      end
+
+      def github?
+        repo_url&.include?("github.com")
+      end
+
+      def to_osv_query
+        return nil unless repo_url && tag
+
+        { repo_url: repo_url, version: tag, name: name }
+      end
+
+      def self.load_installed(formula_filter = nil)
+        json, status = Open3.capture2("brew", "info", "--json=v2", "--installed")
+        raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
+
+        data = JSON.parse(json)
+        formulae = data["formulae"].map { |f| new(f) }
+
+        if formula_filter
+          formulae.select! { |f| f.name == formula_filter || f.name.start_with?("#{formula_filter}@") }
+        end
+
+        formulae
+      end
+
+      def self.load_with_dependencies(formula_filter = nil)
+        json, status = Open3.capture2("brew", "info", "--json=v2", "--installed")
+        raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
+
+        data = JSON.parse(json)
+        all_formulae = data["formulae"].map { |f| new(f) }
+        formulae_by_name = all_formulae.each_with_object({}) { |f, h| h[f.name] = f }
+
+        if formula_filter
+          filtered = all_formulae.select { |f| f.name == formula_filter || f.name.start_with?("#{formula_filter}@") }
+          return [] if filtered.empty?
+
+          deps_output, = Open3.capture2("brew", "deps", "--installed", formula_filter)
+          dep_names = deps_output.split("\n").map(&:strip)
+
+          result = filtered.each_with_object({}) { |f, h| h[f.name] = f }
+          dep_names.each do |dep_name|
+            dep = formulae_by_name[dep_name]
+            result[dep_name] = dep if dep && !result[dep_name]
+          end
+
+          result.values
+        else
+          all_formulae
+        end
+      end
+
+      private
+
+      def extract_repo_url(url)
+        return nil unless url
+        return nil unless url.include?("github.com")
+
+        match = url.match(%r{https?://github\.com/([^/]+/[^/]+)})
+        if match
+          repo_path = match[1].sub(/\.git$/, "")
+          return "https://github.com/#{repo_path}"
+        end
+
+        nil
+      end
+
+      def extract_tag_from_url(url)
+        return nil unless url
+
+        patterns = [
+          %r{/archive/refs/tags/([^/]+)\.tar\.gz$},
+          %r{/archive/refs/tags/([^/]+)\.zip$},
+          %r{/archive/([^/]+)\.tar\.gz$},
+          %r{/archive/([^/]+)\.zip$},
+          %r{/releases/download/([^/]+)/},
+          %r{/tarball/([^/]+)$}
+        ]
+
+        patterns.each do |pattern|
+          match = url.match(pattern)
+          return match[1] if match
+        end
+
+        nil
+      end
+    end
+  end
+end

data/lib/brew/vulns/osv_client.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+require "uri"
+
+module Brew
+  module Vulns
+    class OsvClient
+      API_BASE = "https://api.osv.dev/v1"
+      BATCH_SIZE = 1000
+      OPEN_TIMEOUT = 10
+      READ_TIMEOUT = 30
+
+      class Error < StandardError; end
+      class ApiError < Error; end
+
+      def query(repo_url:, version:)
+        payload = {
+          package: {
+            name: repo_url,
+            ecosystem: "GIT"
+          },
+          version: version
+        }
+
+        response = post("/query", payload)
+        fetch_all_pages(response, payload)
+      end
+
+      def query_batch(packages)
+        return [] if packages.empty?
+
+        results = Array.new(packages.size) { [] }
+
+        packages.each_slice(BATCH_SIZE).with_index do |batch, batch_idx|
+          queries = batch.map do |pkg|
+            {
+              package: {
+                name: pkg[:repo_url],
+                ecosystem: "GIT"
+              },
+              version: pkg[:version]
+            }
+          end
+
+          response = post("/querybatch", { queries: queries })
+          batch_results = response["results"] || []
+
+          batch_results.each_with_index do |result, idx|
+            global_idx = batch_idx * BATCH_SIZE + idx
+            results[global_idx] = result["vulns"] || []
+          end
+        end
+
+        results
+      end
+
+      def get_vulnerability(vuln_id)
+        get("/vulns/#{URI.encode_uri_component(vuln_id)}")
+      end
+
+      def post(path, payload)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Post.new(uri)
+        request["Content-Type"] = "application/json"
+        request.body = JSON.generate(payload)
+
+        execute_request(uri, request)
+      end
+
+      def get(path)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Get.new(uri)
+        request["Content-Type"] = "application/json"
+
+        execute_request(uri, request)
+      end
+
+      def execute_request(uri, request)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = uri.scheme == "https"
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        http.open_timeout = OPEN_TIMEOUT
+        http.read_timeout = READ_TIMEOUT
+
+        response = http.request(request)
+
+        case response
+        when Net::HTTPSuccess
+          JSON.parse(response.body)
+        else
+          raise ApiError, "OSV API error: #{response.code} #{response.message}"
+        end
+      rescue JSON::ParserError => e
+        raise ApiError, "Invalid JSON response from OSV API: #{e.message}"
+      rescue Net::OpenTimeout, Net::ReadTimeout => e
+        raise ApiError, "OSV API timeout: #{e.message}"
+      rescue SocketError, Errno::ECONNREFUSED => e
+        raise ApiError, "OSV API connection error: #{e.message}"
+      rescue OpenSSL::SSL::SSLError => e
+        raise ApiError, "OSV API SSL error: #{e.message}"
+      end
+
+      def fetch_all_pages(response, original_payload)
+        vulns = response["vulns"] || []
+        page_token = response["next_page_token"]
+
+        while page_token
+          payload = original_payload.merge(page_token: page_token)
+          response = post("/query", payload)
+          vulns.concat(response["vulns"] || [])
+          page_token = response["next_page_token"]
+        end
+
+        vulns
+      end
+    end
+  end
+end

data/lib/brew/vulns/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Brew
+  module Vulns
+    VERSION = "0.1.0"
+  end
+end

data/lib/brew/vulns/vulnerability.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+module Brew
+  module Vulns
+    class Vulnerability
+      attr_reader :id, :summary, :details, :severity, :aliases, :references, :affected
+
+      def initialize(data)
+        @id = data["id"]
+        @summary = data["summary"]
+        @details = data["details"]
+        @aliases = data["aliases"] || []
+        @references = data["references"] || []
+        @affected = data["affected"] || []
+        @severity = extract_severity(data)
+      end
+
+      def severity_display
+        severity&.upcase || "UNKNOWN"
+      end
+
+      def severity_level
+        case severity&.downcase
+        when "critical" then 4
+        when "high" then 3
+        when "medium" then 2
+        when "low" then 1
+        else 0
+        end
+      end
+
+      def cve_ids
+        ([id] + aliases).select { |a| a.start_with?("CVE-") }
+      end
+
+      def advisory_url
+        ref = references.find { |r| r["type"] == "ADVISORY" }
+        ref&.dig("url")
+      end
+
+      def fix_urls
+        references.select { |r| r["type"] == "FIX" }.map { |r| r["url"] }
+      end
+
+      def fixed_versions
+        versions = []
+        affected.each do |aff|
+          (aff["ranges"] || []).each do |range|
+            (range["events"] || []).each do |event|
+              versions << event["fixed"] if event["fixed"]
+            end
+          end
+        end
+        versions.uniq
+      end
+
+      def self.from_osv_list(vulns_data)
+        vulns_data.map { |data| new(data) }
+      end
+
+      private
+
+      def extract_severity(data)
+        if data["severity"]&.any?
+          sev = data["severity"].first
+          if sev["score"]&.include?("CVSS")
+            return severity_from_cvss(sev["score"])
+          end
+        end
+
+        if data.dig("database_specific", "severity")
+          return normalize_severity(data.dig("database_specific", "severity"))
+        end
+
+        data["affected"]&.each do |aff|
+          db_sev = aff.dig("database_specific", "severity")
+          return normalize_severity(db_sev) if db_sev
+        end
+
+        nil
+      end
+
+      def normalize_severity(severity)
+        return nil unless severity
+
+        case severity.downcase
+        when "critical" then "critical"
+        when "high" then "high"
+        when "moderate", "medium" then "medium"
+        when "low" then "low"
+        end
+      end
+
+      def severity_from_cvss(vector)
+        return nil unless vector
+        return nil unless vector.include?("CVSS:3")
+
+        metrics = parse_cvss_metrics(vector)
+        return nil if metrics.empty?
+
+        impact_high = %w[C I A].count { |m| metrics[m] == "H" }
+        network_attack = metrics["AV"] == "N"
+        no_privs = metrics["PR"] == "N"
+        no_interaction = metrics["UI"] == "N"
+
+        if impact_high >= 2 && network_attack && no_privs
+          "critical"
+        elsif impact_high >= 1 && network_attack
+          "high"
+        elsif impact_high >= 1 || (network_attack && no_privs && no_interaction)
+          "medium"
+        else
+          "low"
+        end
+      end
+
+      def parse_cvss_metrics(vector)
+        metrics = {}
+        vector.scan(%r{([A-Z]+):([A-Z])}).each do |key, value|
+          metrics[key] = value
+        end
+        metrics
+      end
+    end
+  end
+end

data/lib/brew/vulns.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative "vulns/version"
+require_relative "vulns/osv_client"
+require_relative "vulns/formula"
+require_relative "vulns/vulnerability"
+require_relative "vulns/cli"
+
+module Brew
+  module Vulns
+    class Error < StandardError; end
+  end
+end

data/sig/brew/vulns.rbs

@@ -0,0 +1,6 @@
+module Brew
+  module Vulns
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,60 @@
+--- !ruby/object:Gem::Specification
+name: brew-vulns
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Andrew Nesbitt
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: A Homebrew subcommand that checks installed packages for vulnerabilities
+  via osv.dev
+email:
+- andrewnez@gmail.com
+executables:
+- brew-vulns
+extensions: []
+extra_rdoc_files: []
+files:
+- ".ruby-version"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Formula/brew-vulns.rb
+- LICENSE
+- README.md
+- Rakefile
+- exe/brew-vulns
+- lib/brew/vulns.rb
+- lib/brew/vulns/cli.rb
+- lib/brew/vulns/formula.rb
+- lib/brew/vulns/osv_client.rb
+- lib/brew/vulns/version.rb
+- lib/brew/vulns/vulnerability.rb
+- sig/brew/vulns.rbs
+homepage: https://github.com/andrewnesbitt/brew-vulns
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/andrewnesbitt/brew-vulns
+  source_code_uri: https://github.com/andrewnesbitt/brew-vulns
+  changelog_uri: https://github.com/andrewnesbitt/brew-vulns/blob/main/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.3
+specification_version: 4
+summary: Check Homebrew packages for known vulnerabilities
+test_files: []