git-pkgs 0.6.2 → 0.7.0

data/lib/git/pkgs/models/vulnerability.rb

@@ -0,0 +1,300 @@
+# frozen_string_literal: true
+
+require "time"
+
+module Git
+  module Pkgs
+    module Models
+      class Vulnerability < Sequel::Model
+        one_to_many :vulnerability_packages, key: :vulnerability_id
+
+        dataset_module do
+          def by_severity(severity)
+            where(severity: severity)
+          end
+
+          def critical
+            by_severity("critical")
+          end
+
+          def high
+            by_severity("high")
+          end
+
+          def medium
+            by_severity("medium")
+          end
+
+          def low
+            by_severity("low")
+          end
+
+          def not_withdrawn
+            where(withdrawn_at: nil)
+          end
+
+          def stale(max_age_seconds = 86400)
+            threshold = Time.now - max_age_seconds
+            where { fetched_at < threshold }
+          end
+
+          def fresh(max_age_seconds = 86400)
+            threshold = Time.now - max_age_seconds
+            where { fetched_at >= threshold }
+          end
+        end
+
+        def severity_level
+          case severity&.downcase
+          when "critical" then 4
+          when "high" then 3
+          when "medium" then 2
+          when "low" then 1
+          else 0
+          end
+        end
+
+        def severity_display
+          severity&.upcase || "UNKNOWN"
+        end
+
+        def withdrawn?
+          !withdrawn_at.nil?
+        end
+
+        def aliases_list
+          return [] if aliases.nil? || aliases.empty?
+
+          aliases.split(",").map(&:strip)
+        end
+
+        # Create or update from OSV API response data.
+        # Creates both the Vulnerability record and VulnerabilityPackage records
+        # for each affected package.
+        def self.from_osv(osv_data)
+          vuln_id = osv_data["id"]
+          severity_info = extract_severity(osv_data)
+
+          vuln = update_or_create(
+            { id: vuln_id },
+            {
+              aliases: extract_aliases(osv_data),
+              severity: severity_info[:severity],
+              cvss_score: severity_info[:score],
+              cvss_vector: severity_info[:vector],
+              summary: osv_data["summary"],
+              details: osv_data["details"],
+              published_at: parse_timestamp(osv_data["published"]),
+              modified_at: parse_timestamp(osv_data["modified"]),
+              withdrawn_at: parse_timestamp(osv_data["withdrawn"]),
+              fetched_at: Time.now
+            }
+          )
+
+          # Create VulnerabilityPackage records for each affected package
+          (osv_data["affected"] || []).each do |affected|
+            pkg = affected["package"]
+            next unless pkg
+
+            ecosystem = pkg["ecosystem"]
+            name = pkg["name"]
+
+            affected_range = build_affected_range(affected)
+            fixed = extract_fixed_versions(affected)
+
+            VulnerabilityPackage.update_or_create(
+              { vulnerability_id: vuln_id, ecosystem: ecosystem, package_name: name },
+              {
+                affected_versions: affected_range,
+                fixed_versions: fixed&.join(",")
+              }
+            )
+          end
+
+          vuln
+        end
+
+        def self.extract_aliases(osv_data)
+          aliases = osv_data["aliases"] || []
+          aliases.any? ? aliases.join(",") : nil
+        end
+
+        def self.extract_severity(osv_data)
+          result = { severity: nil, score: nil, vector: nil }
+
+          if osv_data["severity"]&.any?
+            sev = osv_data["severity"].first
+            result[:vector] = sev["score"]
+
+            if sev["score"]&.include?("CVSS")
+              result[:score] = parse_cvss_score(sev["score"])
+              result[:severity] = score_to_severity(result[:score])
+            end
+          end
+
+          # Check root-level database_specific (GHSA format)
+          if osv_data["database_specific"]&.dig("severity")
+            result[:severity] ||= normalize_severity(osv_data["database_specific"]["severity"])
+          end
+
+          # Check affected entries for database_specific severity
+          osv_data["affected"]&.each do |affected|
+            db_specific = affected["database_specific"]
+            if db_specific && db_specific["severity"]
+              result[:severity] ||= normalize_severity(db_specific["severity"])
+            end
+          end
+
+          result
+        end
+
+        def self.normalize_severity(severity)
+          return nil unless severity
+
+          case severity.downcase
+          when "critical" then "critical"
+          when "high" then "high"
+          when "moderate", "medium" then "medium"
+          when "low" then "low"
+          end
+        end
+
+        def self.parse_cvss_score(vector)
+          return nil unless vector
+
+          if vector.match?(/\A\d+(\.\d+)?\z/)
+            return vector.to_f
+          end
+
+          return nil unless vector.include?("CVSS:")
+
+          metrics = parse_cvss_metrics(vector)
+          return nil if metrics.empty?
+
+          estimate_cvss_score(metrics)
+        end
+
+        def self.parse_cvss_metrics(vector)
+          metrics = {}
+          vector.split("/").each do |part|
+            key, value = part.split(":")
+            metrics[key] = value if key && value
+          end
+          metrics
+        end
+
+        def self.estimate_cvss_score(metrics)
+          impact_values = { "N" => 0, "L" => 1, "H" => 2 }
+          c = impact_values[metrics["C"]] || 0
+          i = impact_values[metrics["I"]] || 0
+          a = impact_values[metrics["A"]] || 0
+          max_impact = [c, i, a].max
+
+          ac_easy = metrics["AC"] == "L"
+          av_network = metrics["AV"] == "N"
+          pr_none = metrics["PR"] == "N"
+          ui_none = metrics["UI"] == "N"
+
+          if max_impact == 2 && av_network && ac_easy && pr_none && ui_none
+            9.8
+          elsif max_impact == 2 && av_network && ac_easy
+            8.1
+          elsif max_impact == 2
+            7.0
+          elsif max_impact == 1 && av_network
+            5.3
+          elsif max_impact == 1
+            4.0
+          elsif max_impact == 0
+            0.0
+          else
+            5.0
+          end
+        end
+
+        def self.score_to_severity(score)
+          return nil unless score
+
+          case score
+          when 9.0..10.0 then "critical"
+          when 7.0...9.0 then "high"
+          when 4.0...7.0 then "medium"
+          when 0.0...4.0 then "low"
+          end
+        end
+
+        def self.build_affected_range(affected)
+          return nil unless affected
+
+          ranges = affected["ranges"] || []
+          versions = affected["versions"] || []
+
+          return versions.join(",") if versions.any? && ranges.empty?
+
+          range_parts = ranges.flat_map do |range|
+            events = range["events"] || []
+            build_range_from_events(events)
+          end
+
+          range_parts.compact.join(" || ")
+        end
+
+        def self.build_range_from_events(events)
+          ranges = []
+          current_introduced = nil
+
+          events.each do |event|
+            if event["introduced"]
+              current_introduced = event["introduced"]
+            elsif event["fixed"] && current_introduced
+              if current_introduced == "0"
+                ranges << "<#{event["fixed"]}"
+              else
+                ranges << ">=#{current_introduced} <#{event["fixed"]}"
+              end
+              current_introduced = nil
+            elsif event["last_affected"] && current_introduced
+              if current_introduced == "0"
+                ranges << "<=#{event["last_affected"]}"
+              else
+                ranges << ">=#{current_introduced} <=#{event["last_affected"]}"
+              end
+              current_introduced = nil
+            end
+          end
+
+          if current_introduced
+            ranges << if current_introduced == "0"
+                        ">=0"
+                      else
+                        ">=#{current_introduced}"
+                      end
+          end
+
+          ranges
+        end
+
+        def self.extract_fixed_versions(affected)
+          return nil unless affected
+
+          fixed = []
+          (affected["ranges"] || []).each do |range|
+            (range["events"] || []).each do |event|
+              fixed << event["fixed"] if event["fixed"]
+            end
+          end
+
+          fixed.uniq.empty? ? nil : fixed.uniq
+        end
+
+        def self.parse_timestamp(str)
+          return nil unless str
+
+          Time.parse(str)
+        rescue ArgumentError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/models/vulnerability_package.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "vers"
+
+module Git
+  module Pkgs
+    module Models
+      class VulnerabilityPackage < Sequel::Model
+        many_to_one :vulnerability, key: :vulnerability_id
+
+        dataset_module do
+          def for_package(ecosystem, name)
+            where(ecosystem: ecosystem, package_name: name)
+          end
+        end
+
+        def affects_version?(version)
+          return false if affected_versions.nil? || affected_versions.empty?
+          return false if version.nil? || version.empty?
+
+          # Convert OSV ecosystem to purl type for Vers
+          bib_ecosystem = Ecosystems.from_osv(ecosystem) || ecosystem.downcase
+          purl_type = Ecosystems.to_purl(bib_ecosystem) || bib_ecosystem
+
+          # Handle || separator (OR conditions between different ranges)
+          # Each part separated by || is an independent range (OR)
+          # Within each part, space-separated constraints are AND conditions
+          affected_versions.split(" || ").any? do |range_part|
+            range_matches?(version, range_part, purl_type)
+          end
+        rescue ArgumentError, Vers::Error
+          # If we can't parse the version or range, be conservative and assume affected
+          true
+        end
+
+        def range_matches?(version, range_part, purl_type)
+          # Extract individual constraints (e.g., ">=7.1.0 <7.1.3.1" -> [">=7.1.0", "<7.1.3.1"])
+          constraints = range_part.scan(/[<>=!~^]+[^\s]+/)
+          return false if constraints.empty?
+
+          # All constraints must be satisfied (AND logic)
+          constraints.all? do |constraint|
+            Vers.satisfies?(version, constraint, purl_type)
+          end
+        end
+
+        def fixed_versions_list
+          return [] if fixed_versions.nil? || fixed_versions.empty?
+
+          fixed_versions.split(",").map(&:strip)
+        end
+
+        def purl
+          Models::Package.generate_purl(ecosystem, package_name)
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/osv_client.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+require "uri"
+
+module Git
+  module Pkgs
+    # Client for the OSV (Open Source Vulnerabilities) API.
+    # https://google.github.io/osv.dev/api/
+    class OsvClient
+      API_BASE = "https://api.osv.dev/v1"
+      BATCH_SIZE = 1000 # Max queries per batch request
+
+      class Error < StandardError; end
+      class ApiError < Error; end
+
+      def initialize
+        @http_clients = {}
+      end
+
+      # Query vulnerabilities for a single package version.
+      #
+      # @param ecosystem [String] OSV ecosystem name (e.g., "RubyGems")
+      # @param name [String] package name
+      # @param version [String] package version
+      # @return [Array<Hash>] array of vulnerability hashes
+      def query(ecosystem:, name:, version:)
+        payload = {
+          package: {
+            name: name,
+            ecosystem: ecosystem
+          },
+          version: version
+        }
+
+        response = post("/query", payload)
+        fetch_all_pages(response, payload)
+      end
+
+      # Batch query vulnerabilities for multiple packages.
+      # More efficient than individual queries for large dependency sets.
+      #
+      # @param packages [Array<Hash>] array of {ecosystem:, name:, version:} hashes
+      # @return [Array<Array<Hash>>] array of vulnerability arrays, one per input package
+      def query_batch(packages)
+        return [] if packages.empty?
+
+        results = Array.new(packages.size) { [] }
+
+        packages.each_slice(BATCH_SIZE).with_index do |batch, batch_idx|
+          queries = batch.map do |pkg|
+            {
+              package: {
+                name: pkg[:name],
+                ecosystem: pkg[:ecosystem]
+              },
+              version: pkg[:version]
+            }
+          end
+
+          response = post("/querybatch", { queries: queries })
+          batch_results = response["results"] || []
+
+          batch_results.each_with_index do |result, idx|
+            global_idx = batch_idx * BATCH_SIZE + idx
+            results[global_idx] = result["vulns"] || []
+          end
+        end
+
+        results
+      end
+
+      # Fetch full details for a specific vulnerability by ID.
+      #
+      # @param vuln_id [String] vulnerability ID (e.g., "CVE-2024-1234", "GHSA-xxxx")
+      # @return [Hash] full vulnerability data
+      def get_vulnerability(vuln_id)
+        get("/vulns/#{URI.encode_uri_component(vuln_id)}")
+      end
+
+      private
+
+      def post(path, payload)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Post.new(uri)
+        request["Content-Type"] = "application/json"
+        request.body = JSON.generate(payload)
+
+        execute_request(uri, request)
+      end
+
+      def get(path)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Get.new(uri)
+        request["Content-Type"] = "application/json"
+
+        execute_request(uri, request)
+      end
+
+      def execute_request(uri, request)
+        http = http_client(uri)
+        response = http.request(request)
+
+        case response
+        when Net::HTTPSuccess
+          JSON.parse(response.body)
+        else
+          raise ApiError, "OSV API error: #{response.code} #{response.message}"
+        end
+      rescue JSON::ParserError => e
+        raise ApiError, "Invalid JSON response from OSV API: #{e.message}"
+      rescue Net::OpenTimeout, Net::ReadTimeout => e
+        raise ApiError, "OSV API timeout: #{e.message}"
+      rescue SocketError, Errno::ECONNREFUSED => e
+        raise ApiError, "OSV API connection error: #{e.message}"
+      rescue OpenSSL::SSL::SSLError => e
+        raise ApiError, "OSV API SSL error: #{e.message}"
+      end
+
+      def http_client(uri)
+        key = "#{uri.host}:#{uri.port}"
+        @http_clients[key] ||= begin
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == "https"
+          http.open_timeout = 10
+          http.read_timeout = 30
+          http
+        end
+      end
+
+      MAX_PAGES = 100
+
+      def fetch_all_pages(response, original_payload)
+        vulns = response["vulns"] || []
+        page_token = response["next_page_token"]
+        pages_fetched = 0
+
+        while page_token && pages_fetched < MAX_PAGES
+          payload = original_payload.merge(page_token: page_token)
+          response = post("/query", payload)
+          vulns.concat(response["vulns"] || [])
+          page_token = response["next_page_token"]
+          pages_fetched += 1
+        end
+
+        vulns
+      end
+    end
+  end
+end

data/lib/git/pkgs/output.rb

@@ -52,6 +52,28 @@ module Git
 
         error "Database not initialized. Run 'git pkgs init' first."
       end
+
+      # Pick best author from commit, preferring humans over bots
+      def best_author(commit)
+        author_name = commit.respond_to?(:author_name) ? commit.author_name : commit[:author_name]
+        message = commit.respond_to?(:message) ? commit.message : commit[:message]
+
+        authors = [author_name] + parse_coauthors(message)
+
+        # Prefer human authors over bots
+        human = authors.find { |a| !bot_author?(a) }
+        human || authors.first
+      end
+
+      def parse_coauthors(message)
+        return [] unless message
+
+        message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip)
+      end
+
+      def bot_author?(name)
+        name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i
+      end
     end
   end
 end

data/lib/git/pkgs/version.rb

@@ -2,6 +2,6 @@
 
 module Git
   module Pkgs
-    VERSION = "0.6.2"
+    VERSION = "0.7.0"
   end
 end

data/lib/git/pkgs.rb

@@ -8,6 +8,8 @@ require_relative "pkgs/cli"
 require_relative "pkgs/database"
 require_relative "pkgs/repository"
 require_relative "pkgs/analyzer"
+require_relative "pkgs/ecosystems"
+require_relative "pkgs/osv_client"
 
 require_relative "pkgs/models/branch"
 require_relative "pkgs/models/branch_commit"
@@ -15,6 +17,9 @@ require_relative "pkgs/models/commit"
 require_relative "pkgs/models/manifest"
 require_relative "pkgs/models/dependency_change"
 require_relative "pkgs/models/dependency_snapshot"
+require_relative "pkgs/models/package"
+require_relative "pkgs/models/vulnerability"
+require_relative "pkgs/models/vulnerability_package"
 
 require_relative "pkgs/commands/init"
 require_relative "pkgs/commands/update"
@@ -37,6 +42,7 @@ require_relative "pkgs/commands/upgrade"
 require_relative "pkgs/commands/schema"
 require_relative "pkgs/commands/diff_driver"
 require_relative "pkgs/commands/completions"
+require_relative "pkgs/commands/vulns"
 
 module Git
   module Pkgs

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: git-pkgs
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -57,14 +57,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '15.1'
+        version: '15.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '15.1'
+        version: '15.2'
+- !ruby/object:Gem::Dependency
+  name: vers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: purl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: sarif-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A git subcommand for analyzing package/dependency usage in git repositories
   over time
 email:
@@ -74,7 +116,11 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitattributes"
+- ".ruby-version"
 - CHANGELOG.md
+- Dockerfile
+- Formula/git-pkgs.rb
 - LICENSE
 - README.md
 - exe/git-pkgs
@@ -101,16 +147,32 @@ files:
 - lib/git/pkgs/commands/tree.rb
 - lib/git/pkgs/commands/update.rb
 - lib/git/pkgs/commands/upgrade.rb
+- lib/git/pkgs/commands/vulns.rb
+- lib/git/pkgs/commands/vulns/base.rb
+- lib/git/pkgs/commands/vulns/blame.rb
+- lib/git/pkgs/commands/vulns/diff.rb
+- lib/git/pkgs/commands/vulns/exposure.rb
+- lib/git/pkgs/commands/vulns/history.rb
+- lib/git/pkgs/commands/vulns/log.rb
+- lib/git/pkgs/commands/vulns/praise.rb
+- lib/git/pkgs/commands/vulns/scan.rb
+- lib/git/pkgs/commands/vulns/show.rb
+- lib/git/pkgs/commands/vulns/sync.rb
 - lib/git/pkgs/commands/where.rb
 - lib/git/pkgs/commands/why.rb
 - lib/git/pkgs/config.rb
 - lib/git/pkgs/database.rb
+- lib/git/pkgs/ecosystems.rb
 - lib/git/pkgs/models/branch.rb
 - lib/git/pkgs/models/branch_commit.rb
 - lib/git/pkgs/models/commit.rb
 - lib/git/pkgs/models/dependency_change.rb
 - lib/git/pkgs/models/dependency_snapshot.rb
 - lib/git/pkgs/models/manifest.rb
+- lib/git/pkgs/models/package.rb
+- lib/git/pkgs/models/vulnerability.rb
+- lib/git/pkgs/models/vulnerability_package.rb
+- lib/git/pkgs/osv_client.rb
 - lib/git/pkgs/output.rb
 - lib/git/pkgs/pager.rb
 - lib/git/pkgs/repository.rb
@@ -137,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.1
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Track package dependencies across git history
 test_files: []