git-pkgs 0.6.2 → 0.7.0

data/lib/git/pkgs/commands/vulns/sync.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      module Vulns
+        class Sync
+          include Base
+
+        def initialize(args)
+          @args = args.dup
+          @options = parse_options
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs vulns sync [options]"
+            opts.separator ""
+            opts.separator "Sync vulnerability data from OSV."
+            opts.separator ""
+            opts.separator "Options:"
+
+            opts.on("--refresh", "Force refresh even if cache is recent") do
+              options[:refresh] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options
+        end
+
+        def run
+          repo = Repository.new
+
+          unless Database.exists?(repo.git_dir)
+            error "No database found. Run 'git pkgs init' first."
+          end
+
+          Database.connect(repo.git_dir)
+
+          packages = Models::Package.all
+          if packages.empty?
+            info "No packages to sync. Run 'git pkgs vulns' first to populate packages."
+            return
+          end
+
+          stale_packages = packages.select(&:needs_vuln_sync?)
+
+          if stale_packages.empty? && !@options[:refresh]
+            info "All packages up to date. Use --refresh to force update."
+            return
+          end
+
+          packages_to_sync = @options[:refresh] ? packages : stale_packages
+
+          info "Syncing vulnerabilities for #{packages_to_sync.count} packages..."
+
+          client = OsvClient.new
+          synced = 0
+          vuln_count = 0
+
+          packages_to_sync.each_slice(100) do |batch|
+            queries = batch.map do |pkg|
+              osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem)
+              next unless osv_ecosystem
+
+              { ecosystem: osv_ecosystem, name: pkg.name }
+            end.compact
+
+            results = client.query_batch(queries)
+
+            # Collect all unique vuln IDs from this batch to fetch full details
+            vuln_ids = results.flatten.map { |v| v["id"] }.uniq
+
+            # Fetch full vulnerability details and create records
+            vuln_ids.each do |vuln_id|
+              existing = Models::Vulnerability.first(id: vuln_id)
+              next if existing&.vulnerability_packages&.any? && !@options[:refresh]
+
+              begin
+                full_vuln = client.get_vulnerability(vuln_id)
+                Models::Vulnerability.from_osv(full_vuln)
+                vuln_count += 1
+              rescue OsvClient::ApiError
+                # Skip vulnerabilities we can't fetch
+              end
+            end
+
+            batch.each do |pkg|
+              pkg.mark_vulns_synced
+              synced += 1
+            end
+          end
+
+          info "Synced #{synced} packages, found #{vuln_count} vulnerability records."
+        end
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/commands/vulns.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require_relative "vulns/base"
+require_relative "vulns/scan"
+require_relative "vulns/sync"
+require_relative "vulns/blame"
+require_relative "vulns/praise"
+require_relative "vulns/exposure"
+require_relative "vulns/diff"
+require_relative "vulns/log"
+require_relative "vulns/history"
+require_relative "vulns/show"
+
+module Git
+  module Pkgs
+    module Commands
+      class VulnsCommand
+        SUBCOMMANDS = %w[sync blame praise exposure diff log history show].freeze
+
+        def initialize(args)
+          @args = args.dup
+          @subcommand = detect_subcommand
+        end
+
+        def detect_subcommand
+          return nil if @args.empty?
+          return nil unless SUBCOMMANDS.include?(@args.first)
+
+          @args.shift
+        end
+
+        def run
+          handler_class = case @subcommand
+                          when "sync" then Vulns::Sync
+                          when "blame" then Vulns::Blame
+                          when "praise" then Vulns::Praise
+                          when "exposure" then Vulns::Exposure
+                          when "diff" then Vulns::Diff
+                          when "log" then Vulns::Log
+                          when "history" then Vulns::History
+                          when "show" then Vulns::Show
+                          else Vulns::Scan
+                          end
+
+          handler_class.new(@args).run
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/config.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "bibliothecary"
+require "open3"
 
 module Git
   module Pkgs
@@ -52,7 +53,13 @@ module Git
       end
 
       def self.read_config_list(key)
-        `git config --get-all #{key} 2>/dev/null`.split("\n").map(&:strip).reject(&:empty?)
+        args = if Git::Pkgs.work_tree
+                 ["git", "-C", Git::Pkgs.work_tree.to_s, "config", "--get-all", key.to_s]
+               else
+                 ["git", "config", "--get-all", key.to_s]
+               end
+        stdout, _stderr, _status = Open3.capture3(*args)
+        stdout.split("\n").map(&:strip).reject(&:empty?)
       end
     end
   end

data/lib/git/pkgs/database.rb

@@ -15,7 +15,7 @@ module Git
   module Pkgs
     class Database
       DB_FILE = "pkgs.sqlite3"
-      SCHEMA_VERSION = 1
+      SCHEMA_VERSION = 2
 
       class << self
         attr_accessor :db
@@ -82,7 +82,10 @@ module Git
           Git::Pkgs::Models::Commit,
           Git::Pkgs::Models::Manifest,
           Git::Pkgs::Models::DependencyChange,
-          Git::Pkgs::Models::DependencySnapshot
+          Git::Pkgs::Models::DependencySnapshot,
+          Git::Pkgs::Models::Package,
+          Git::Pkgs::Models::Vulnerability,
+          Git::Pkgs::Models::VulnerabilityPackage
         ].each do |model|
           model.dataset = @db[model.table_name]
           # Clear all cached association data that may reference old db
@@ -157,6 +160,7 @@ module Git
           foreign_key :manifest_id, :manifests
           String :name, null: false
           String :ecosystem
+          String :purl
           String :change_type, null: false
           String :requirement
           String :previous_requirement
@@ -171,12 +175,63 @@ module Git
           foreign_key :manifest_id, :manifests
           String :name, null: false
           String :ecosystem
+          String :purl
           String :requirement
           String :dependency_type
           DateTime :created_at
           DateTime :updated_at
         end
 
+        @db.create_table?(:packages) do
+          primary_key :id
+          String :purl, null: false
+          String :ecosystem, null: false
+          String :name, null: false
+          String :latest_version
+          String :license
+          String :description, text: true
+          String :homepage
+          String :repository_url
+          String :source
+          DateTime :enriched_at
+          DateTime :vulns_synced_at
+          DateTime :created_at
+          DateTime :updated_at
+          index :purl, unique: true
+          index [:ecosystem, :name]
+        end
+
+        # Core vulnerability data (one row per CVE/GHSA)
+        @db.create_table?(:vulnerabilities) do
+          String :id, primary_key: true          # CVE-2024-1234, GHSA-xxxx, etc.
+          String :aliases, text: true            # comma-separated other IDs for same vuln
+          String :severity                       # critical, high, medium, low
+          Float :cvss_score
+          String :cvss_vector
+          String :references, text: true         # JSON array of {type, url} objects
+          String :summary, text: true
+          String :details, text: true
+          DateTime :published_at                 # when vuln was disclosed
+          DateTime :withdrawn_at                 # when vuln was retracted (if ever)
+          DateTime :modified_at                  # when OSV record was last modified
+          DateTime :fetched_at, null: false      # when we last fetched from OSV
+        end
+
+        # Which packages are affected by each vulnerability
+        # One vuln can affect multiple packages, each with different version ranges
+        @db.create_table?(:vulnerability_packages) do
+          primary_key :id
+          String :vulnerability_id, null: false
+          String :ecosystem, null: false         # OSV ecosystem name
+          String :package_name, null: false
+          String :affected_versions, text: true  # version range expression
+          String :fixed_versions, text: true     # comma-separated list
+          foreign_key [:vulnerability_id], :vulnerabilities
+          index [:ecosystem, :package_name]
+          index [:vulnerability_id]
+          unique [:vulnerability_id, :ecosystem, :package_name]
+        end
+
         set_version
         create_bulk_indexes if with_indexes
         refresh_models
@@ -186,6 +241,7 @@ module Git
         @db.alter_table(:dependency_changes) do
           add_index :name, if_not_exists: true
           add_index :ecosystem, if_not_exists: true
+          add_index :purl, if_not_exists: true
           add_index [:commit_id, :name], if_not_exists: true
         end
 
@@ -193,6 +249,7 @@ module Git
           add_index [:commit_id, :manifest_id, :name], unique: true, name: "idx_snapshots_unique", if_not_exists: true
           add_index :name, if_not_exists: true
           add_index :ecosystem, if_not_exists: true
+          add_index :purl, if_not_exists: true
         end
       end
 
@@ -218,10 +275,83 @@ module Git
       def self.check_version!
         return unless needs_upgrade?
 
+        migrate!
+      end
+
+      def self.migrate!
         stored = stored_version || 0
-        $stderr.puts "Database schema is outdated (version #{stored}, current is #{SCHEMA_VERSION})."
-        $stderr.puts "Run 'git pkgs upgrade' to update."
-        exit 1
+
+        # Migration from v1 to v2: add vuln tables
+        if stored < 2
+          migrate_to_v2!
+        end
+
+        set_version
+        refresh_models
+      end
+
+      def self.migrate_to_v2!
+        @db.create_table?(:packages) do
+          primary_key :id
+          String :purl, null: false
+          String :ecosystem, null: false
+          String :name, null: false
+          String :latest_version
+          String :license
+          String :description, text: true
+          String :homepage
+          String :repository_url
+          String :source
+          DateTime :enriched_at
+          DateTime :vulns_synced_at
+          DateTime :created_at
+          DateTime :updated_at
+          index :purl, unique: true
+          index [:ecosystem, :name]
+        end
+
+        @db.create_table?(:vulnerabilities) do
+          String :id, primary_key: true
+          String :aliases, text: true
+          String :severity
+          Float :cvss_score
+          String :cvss_vector
+          String :references, text: true
+          String :summary, text: true
+          String :details, text: true
+          DateTime :published_at
+          DateTime :withdrawn_at
+          DateTime :modified_at
+          DateTime :fetched_at, null: false
+        end
+
+        @db.create_table?(:vulnerability_packages) do
+          primary_key :id
+          String :vulnerability_id, null: false
+          String :ecosystem, null: false
+          String :package_name, null: false
+          String :affected_versions, text: true
+          String :fixed_versions, text: true
+          foreign_key [:vulnerability_id], :vulnerabilities
+          index [:ecosystem, :package_name]
+          index [:vulnerability_id]
+          unique [:vulnerability_id, :ecosystem, :package_name]
+        end
+
+        # Add purl column to existing tables if missing
+        unless @db.schema(:dependency_changes).any? { |col, _| col == :purl }
+          @db.alter_table(:dependency_changes) do
+            add_column :purl, String
+            add_index :purl, if_not_exists: true
+          end
+        end
+
+        unless @db.schema(:dependency_snapshots).any? { |col, _| col == :purl }
+          @db.alter_table(:dependency_snapshots) do
+            add_column :purl, String
+            add_index :purl, if_not_exists: true
+          end
+        end
       end
 
       def self.optimize_for_bulk_writes

data/lib/git/pkgs/ecosystems.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    # Maps ecosystem names between bibliothecary, purl, and OSV formats.
+    # Bibliothecary uses lowercase names internally.
+    # Purl uses its own type names.
+    # OSV uses mixed case names that differ from both.
+    module Ecosystems
+      # Mapping from bibliothecary ecosystem names to OSV and purl equivalents
+      MAPPINGS = {
+        "npm" => { osv: "npm", purl: "npm" },
+        "rubygems" => { osv: "RubyGems", purl: "gem" },
+        "pypi" => { osv: "PyPI", purl: "pypi" },
+        "cargo" => { osv: "crates.io", purl: "cargo" },
+        "maven" => { osv: "Maven", purl: "maven" },
+        "nuget" => { osv: "NuGet", purl: "nuget" },
+        "packagist" => { osv: "Packagist", purl: "composer" },
+        "go" => { osv: "Go", purl: "golang" },
+        "hex" => { osv: "Hex", purl: "hex" },
+        "pub" => { osv: "Pub", purl: "pub" }
+      }.freeze
+
+      # Reverse mappings for lookups from OSV/purl to bibliothecary
+      OSV_TO_BIBLIOTHECARY = MAPPINGS.transform_values { |v| v[:osv] }.invert.freeze
+      PURL_TO_BIBLIOTHECARY = MAPPINGS.transform_values { |v| v[:purl] }.invert.freeze
+
+      class << self
+        # Convert bibliothecary ecosystem name to OSV format
+        # @param ecosystem [String] bibliothecary ecosystem name (e.g., "rubygems")
+        # @return [String, nil] OSV ecosystem name (e.g., "RubyGems") or nil if not mapped
+        def to_osv(ecosystem)
+          MAPPINGS.dig(ecosystem.to_s.downcase, :osv)
+        end
+
+        # Convert bibliothecary ecosystem name to purl type
+        # @param ecosystem [String] bibliothecary ecosystem name (e.g., "rubygems")
+        # @return [String, nil] purl type (e.g., "gem") or nil if not mapped
+        def to_purl(ecosystem)
+          MAPPINGS.dig(ecosystem.to_s.downcase, :purl)
+        end
+
+        # Convert OSV ecosystem name to bibliothecary format
+        # @param osv_ecosystem [String] OSV ecosystem name (e.g., "RubyGems")
+        # @return [String, nil] bibliothecary ecosystem name (e.g., "rubygems") or nil if not mapped
+        def from_osv(osv_ecosystem)
+          OSV_TO_BIBLIOTHECARY[osv_ecosystem]
+        end
+
+        # Convert purl type to bibliothecary ecosystem name
+        # @param purl_type [String] purl type (e.g., "gem")
+        # @return [String, nil] bibliothecary ecosystem name (e.g., "rubygems") or nil if not mapped
+        def from_purl(purl_type)
+          PURL_TO_BIBLIOTHECARY[purl_type]
+        end
+
+        # Check if an ecosystem is supported for vulnerability scanning
+        # @param ecosystem [String] bibliothecary ecosystem name
+        # @return [Boolean]
+        def supported?(ecosystem)
+          MAPPINGS.key?(ecosystem.to_s.downcase)
+        end
+
+        # List all supported bibliothecary ecosystem names
+        # @return [Array<String>]
+        def supported_ecosystems
+          MAPPINGS.keys
+        end
+
+        # Generate a purl (package URL) for a given ecosystem and package name
+        # @param ecosystem [String] bibliothecary ecosystem name (e.g., "rubygems")
+        # @param name [String] package name
+        # @return [String, nil] purl string (e.g., "pkg:gem/rails") or nil if ecosystem not supported
+        def generate_purl(ecosystem, name)
+          purl_type = to_purl(ecosystem)
+          return nil unless purl_type
+
+          "pkg:#{purl_type}/#{name}"
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/models/package.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Models
+      class Package < Sequel::Model
+        STALE_THRESHOLD = 86400 # 24 hours
+
+        dataset_module do
+          def by_ecosystem(ecosystem)
+            where(ecosystem: ecosystem)
+          end
+
+          def needs_vuln_sync
+            where(vulns_synced_at: nil).or { vulns_synced_at < Time.now - STALE_THRESHOLD }
+          end
+
+          def synced
+            where { vulns_synced_at >= Time.now - STALE_THRESHOLD }
+          end
+        end
+
+        def needs_vuln_sync?
+          vulns_synced_at.nil? || vulns_synced_at < Time.now - STALE_THRESHOLD
+        end
+
+        def mark_vulns_synced
+          update(vulns_synced_at: Time.now)
+        end
+
+        def vulnerabilities
+          osv_ecosystem = Ecosystems.to_osv(ecosystem)
+          return [] unless osv_ecosystem
+
+          VulnerabilityPackage
+            .where(ecosystem: osv_ecosystem, package_name: name)
+            .map(&:vulnerability)
+            .compact
+        end
+
+        def self.find_or_create_by_purl(purl:, ecosystem: nil, name: nil)
+          existing = first(purl: purl)
+          return existing if existing
+
+          create(purl: purl, ecosystem: ecosystem, name: name)
+        end
+
+        def self.generate_purl(ecosystem, name)
+          Ecosystems.generate_purl(ecosystem, name)
+        end
+      end
+    end
+  end
+end