git-pkgs 0.6.2 → 0.8.0

data/lib/git/pkgs/models/version.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Models
+      class Version < Sequel::Model
+        many_to_one :package, key: :package_purl, primary_key: :purl
+
+        def parsed_purl
+          @parsed_purl ||= Purl.parse(purl)
+        end
+
+        def version_string
+          parsed_purl.version
+        end
+
+        def registry_url
+          parsed_purl.registry_url
+        end
+
+        def enriched?
+          !enriched_at.nil?
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/models/vulnerability.rb

@@ -0,0 +1,300 @@
+# frozen_string_literal: true
+
+require "time"
+
+module Git
+  module Pkgs
+    module Models
+      class Vulnerability < Sequel::Model
+        one_to_many :vulnerability_packages, key: :vulnerability_id
+
+        dataset_module do
+          def by_severity(severity)
+            where(severity: severity)
+          end
+
+          def critical
+            by_severity("critical")
+          end
+
+          def high
+            by_severity("high")
+          end
+
+          def medium
+            by_severity("medium")
+          end
+
+          def low
+            by_severity("low")
+          end
+
+          def not_withdrawn
+            where(withdrawn_at: nil)
+          end
+
+          def stale(max_age_seconds = 86400)
+            threshold = Time.now - max_age_seconds
+            where { fetched_at < threshold }
+          end
+
+          def fresh(max_age_seconds = 86400)
+            threshold = Time.now - max_age_seconds
+            where { fetched_at >= threshold }
+          end
+        end
+
+        def severity_level
+          case severity&.downcase
+          when "critical" then 4
+          when "high" then 3
+          when "medium" then 2
+          when "low" then 1
+          else 0
+          end
+        end
+
+        def severity_display
+          severity&.upcase || "UNKNOWN"
+        end
+
+        def withdrawn?
+          !withdrawn_at.nil?
+        end
+
+        def aliases_list
+          return [] if aliases.nil? || aliases.empty?
+
+          aliases.split(",").map(&:strip)
+        end
+
+        # Create or update from OSV API response data.
+        # Creates both the Vulnerability record and VulnerabilityPackage records
+        # for each affected package.
+        def self.from_osv(osv_data)
+          vuln_id = osv_data["id"]
+          severity_info = extract_severity(osv_data)
+
+          vuln = update_or_create(
+            { id: vuln_id },
+            {
+              aliases: extract_aliases(osv_data),
+              severity: severity_info[:severity],
+              cvss_score: severity_info[:score],
+              cvss_vector: severity_info[:vector],
+              summary: osv_data["summary"],
+              details: osv_data["details"],
+              published_at: parse_timestamp(osv_data["published"]),
+              modified_at: parse_timestamp(osv_data["modified"]),
+              withdrawn_at: parse_timestamp(osv_data["withdrawn"]),
+              fetched_at: Time.now
+            }
+          )
+
+          # Create VulnerabilityPackage records for each affected package
+          (osv_data["affected"] || []).each do |affected|
+            pkg = affected["package"]
+            next unless pkg
+
+            ecosystem = pkg["ecosystem"]
+            name = pkg["name"]
+
+            affected_range = build_affected_range(affected)
+            fixed = extract_fixed_versions(affected)
+
+            VulnerabilityPackage.update_or_create(
+              { vulnerability_id: vuln_id, ecosystem: ecosystem, package_name: name },
+              {
+                affected_versions: affected_range,
+                fixed_versions: fixed&.join(",")
+              }
+            )
+          end
+
+          vuln
+        end
+
+        def self.extract_aliases(osv_data)
+          aliases = osv_data["aliases"] || []
+          aliases.any? ? aliases.join(",") : nil
+        end
+
+        def self.extract_severity(osv_data)
+          result = { severity: nil, score: nil, vector: nil }
+
+          if osv_data["severity"]&.any?
+            sev = osv_data["severity"].first
+            result[:vector] = sev["score"]
+
+            if sev["score"]&.include?("CVSS")
+              result[:score] = parse_cvss_score(sev["score"])
+              result[:severity] = score_to_severity(result[:score])
+            end
+          end
+
+          # Check root-level database_specific (GHSA format)
+          if osv_data["database_specific"]&.dig("severity")
+            result[:severity] ||= normalize_severity(osv_data["database_specific"]["severity"])
+          end
+
+          # Check affected entries for database_specific severity
+          osv_data["affected"]&.each do |affected|
+            db_specific = affected["database_specific"]
+            if db_specific && db_specific["severity"]
+              result[:severity] ||= normalize_severity(db_specific["severity"])
+            end
+          end
+
+          result
+        end
+
+        def self.normalize_severity(severity)
+          return nil unless severity
+
+          case severity.downcase
+          when "critical" then "critical"
+          when "high" then "high"
+          when "moderate", "medium" then "medium"
+          when "low" then "low"
+          end
+        end
+
+        def self.parse_cvss_score(vector)
+          return nil unless vector
+
+          if vector.match?(/\A\d+(\.\d+)?\z/)
+            return vector.to_f
+          end
+
+          return nil unless vector.include?("CVSS:")
+
+          metrics = parse_cvss_metrics(vector)
+          return nil if metrics.empty?
+
+          estimate_cvss_score(metrics)
+        end
+
+        def self.parse_cvss_metrics(vector)
+          metrics = {}
+          vector.split("/").each do |part|
+            key, value = part.split(":")
+            metrics[key] = value if key && value
+          end
+          metrics
+        end
+
+        def self.estimate_cvss_score(metrics)
+          impact_values = { "N" => 0, "L" => 1, "H" => 2 }
+          c = impact_values[metrics["C"]] || 0
+          i = impact_values[metrics["I"]] || 0
+          a = impact_values[metrics["A"]] || 0
+          max_impact = [c, i, a].max
+
+          ac_easy = metrics["AC"] == "L"
+          av_network = metrics["AV"] == "N"
+          pr_none = metrics["PR"] == "N"
+          ui_none = metrics["UI"] == "N"
+
+          if max_impact == 2 && av_network && ac_easy && pr_none && ui_none
+            9.8
+          elsif max_impact == 2 && av_network && ac_easy
+            8.1
+          elsif max_impact == 2
+            7.0
+          elsif max_impact == 1 && av_network
+            5.3
+          elsif max_impact == 1
+            4.0
+          elsif max_impact == 0
+            0.0
+          else
+            5.0
+          end
+        end
+
+        def self.score_to_severity(score)
+          return nil unless score
+
+          case score
+          when 9.0..10.0 then "critical"
+          when 7.0...9.0 then "high"
+          when 4.0...7.0 then "medium"
+          when 0.0...4.0 then "low"
+          end
+        end
+
+        def self.build_affected_range(affected)
+          return nil unless affected
+
+          ranges = affected["ranges"] || []
+          versions = affected["versions"] || []
+
+          return versions.join(",") if versions.any? && ranges.empty?
+
+          range_parts = ranges.flat_map do |range|
+            events = range["events"] || []
+            build_range_from_events(events)
+          end
+
+          range_parts.compact.join(" || ")
+        end
+
+        def self.build_range_from_events(events)
+          ranges = []
+          current_introduced = nil
+
+          events.each do |event|
+            if event["introduced"]
+              current_introduced = event["introduced"]
+            elsif event["fixed"] && current_introduced
+              if current_introduced == "0"
+                ranges << "<#{event["fixed"]}"
+              else
+                ranges << ">=#{current_introduced} <#{event["fixed"]}"
+              end
+              current_introduced = nil
+            elsif event["last_affected"] && current_introduced
+              if current_introduced == "0"
+                ranges << "<=#{event["last_affected"]}"
+              else
+                ranges << ">=#{current_introduced} <=#{event["last_affected"]}"
+              end
+              current_introduced = nil
+            end
+          end
+
+          if current_introduced
+            ranges << if current_introduced == "0"
+                        ">=0"
+                      else
+                        ">=#{current_introduced}"
+                      end
+          end
+
+          ranges
+        end
+
+        def self.extract_fixed_versions(affected)
+          return nil unless affected
+
+          fixed = []
+          (affected["ranges"] || []).each do |range|
+            (range["events"] || []).each do |event|
+              fixed << event["fixed"] if event["fixed"]
+            end
+          end
+
+          fixed.uniq.empty? ? nil : fixed.uniq
+        end
+
+        def self.parse_timestamp(str)
+          return nil unless str
+
+          Time.parse(str)
+        rescue ArgumentError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/models/vulnerability_package.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "vers"
+
+module Git
+  module Pkgs
+    module Models
+      class VulnerabilityPackage < Sequel::Model
+        many_to_one :vulnerability, key: :vulnerability_id
+
+        dataset_module do
+          def for_package(ecosystem, name)
+            where(ecosystem: ecosystem, package_name: name)
+          end
+        end
+
+        def affects_version?(version)
+          return false if affected_versions.nil? || affected_versions.empty?
+          return false if version.nil? || version.empty?
+
+          # Convert OSV ecosystem to purl type for Vers
+          bib_ecosystem = Ecosystems.from_osv(ecosystem) || ecosystem.downcase
+          purl_type = Ecosystems.to_purl(bib_ecosystem) || bib_ecosystem
+
+          # Handle || separator (OR conditions between different ranges)
+          # Each part separated by || is an independent range (OR)
+          # Within each part, space-separated constraints are AND conditions
+          affected_versions.split(" || ").any? do |range_part|
+            range_matches?(version, range_part, purl_type)
+          end
+        rescue ArgumentError, Vers::Error
+          # If we can't parse the version or range, be conservative and assume affected
+          true
+        end
+
+        def range_matches?(version, range_part, purl_type)
+          # Extract individual constraints (e.g., ">=7.1.0 <7.1.3.1" -> [">=7.1.0", "<7.1.3.1"])
+          constraints = range_part.scan(/[<>=!~^]+[^\s]+/)
+          return false if constraints.empty?
+
+          # All constraints must be satisfied (AND logic)
+          constraints.all? do |constraint|
+            Vers.satisfies?(version, constraint, purl_type)
+          end
+        end
+
+        def fixed_versions_list
+          return [] if fixed_versions.nil? || fixed_versions.empty?
+
+          fixed_versions.split(",").map(&:strip)
+        end
+
+        def purl
+          Models::Package.generate_purl(ecosystem, package_name)
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/osv_client.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+require "uri"
+
+module Git
+  module Pkgs
+    # Client for the OSV (Open Source Vulnerabilities) API.
+    # https://google.github.io/osv.dev/api/
+    class OsvClient
+      API_BASE = "https://api.osv.dev/v1"
+      BATCH_SIZE = 1000 # Max queries per batch request
+
+      class Error < StandardError; end
+      class ApiError < Error; end
+
+      def initialize
+        @http_clients = {}
+      end
+
+      # Query vulnerabilities for a single package version.
+      #
+      # @param ecosystem [String] OSV ecosystem name (e.g., "RubyGems")
+      # @param name [String] package name
+      # @param version [String] package version
+      # @return [Array<Hash>] array of vulnerability hashes
+      def query(ecosystem:, name:, version:)
+        payload = {
+          package: {
+            name: name,
+            ecosystem: ecosystem
+          },
+          version: version
+        }
+
+        response = post("/query", payload)
+        fetch_all_pages(response, payload)
+      end
+
+      # Batch query vulnerabilities for multiple packages.
+      # More efficient than individual queries for large dependency sets.
+      #
+      # @param packages [Array<Hash>] array of {ecosystem:, name:, version:} hashes
+      # @return [Array<Array<Hash>>] array of vulnerability arrays, one per input package
+      def query_batch(packages)
+        return [] if packages.empty?
+
+        results = Array.new(packages.size) { [] }
+
+        packages.each_slice(BATCH_SIZE).with_index do |batch, batch_idx|
+          queries = batch.map do |pkg|
+            {
+              package: {
+                name: pkg[:name],
+                ecosystem: pkg[:ecosystem]
+              },
+              version: pkg[:version]
+            }
+          end
+
+          response = post("/querybatch", { queries: queries })
+          batch_results = response["results"] || []
+
+          batch_results.each_with_index do |result, idx|
+            global_idx = batch_idx * BATCH_SIZE + idx
+            results[global_idx] = result["vulns"] || []
+          end
+        end
+
+        results
+      end
+
+      # Fetch full details for a specific vulnerability by ID.
+      #
+      # @param vuln_id [String] vulnerability ID (e.g., "CVE-2024-1234", "GHSA-xxxx")
+      # @return [Hash] full vulnerability data
+      def get_vulnerability(vuln_id)
+        get("/vulns/#{URI.encode_uri_component(vuln_id)}")
+      end
+
+      private
+
+      def post(path, payload)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Post.new(uri)
+        request["Content-Type"] = "application/json"
+        request.body = JSON.generate(payload)
+
+        execute_request(uri, request)
+      end
+
+      def get(path)
+        uri = URI("#{API_BASE}#{path}")
+        request = Net::HTTP::Get.new(uri)
+        request["Content-Type"] = "application/json"
+
+        execute_request(uri, request)
+      end
+
+      def execute_request(uri, request)
+        http = http_client(uri)
+        response = http.request(request)
+
+        case response
+        when Net::HTTPSuccess
+          JSON.parse(response.body)
+        else
+          raise ApiError, "OSV API error: #{response.code} #{response.message}"
+        end
+      rescue JSON::ParserError => e
+        raise ApiError, "Invalid JSON response from OSV API: #{e.message}"
+      rescue Net::OpenTimeout, Net::ReadTimeout => e
+        raise ApiError, "OSV API timeout: #{e.message}"
+      rescue SocketError, Errno::ECONNREFUSED => e
+        raise ApiError, "OSV API connection error: #{e.message}"
+      rescue OpenSSL::SSL::SSLError => e
+        raise ApiError, "OSV API SSL error: #{e.message}"
+      end
+
+      def http_client(uri)
+        key = "#{uri.host}:#{uri.port}"
+        @http_clients[key] ||= begin
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == "https"
+          http.open_timeout = 10
+          http.read_timeout = 30
+          http
+        end
+      end
+
+      MAX_PAGES = 100
+
+      def fetch_all_pages(response, original_payload)
+        vulns = response["vulns"] || []
+        page_token = response["next_page_token"]
+        pages_fetched = 0
+
+        while page_token && pages_fetched < MAX_PAGES
+          payload = original_payload.merge(page_token: page_token)
+          response = post("/query", payload)
+          vulns.concat(response["vulns"] || [])
+          page_token = response["next_page_token"]
+          pages_fetched += 1
+        end
+
+        vulns
+      end
+    end
+  end
+end

data/lib/git/pkgs/output.rb

@@ -52,6 +52,28 @@ module Git
 
         error "Database not initialized. Run 'git pkgs init' first."
       end
+
+      # Pick best author from commit, preferring humans over bots
+      def best_author(commit)
+        author_name = commit.respond_to?(:author_name) ? commit.author_name : commit[:author_name]
+        message = commit.respond_to?(:message) ? commit.message : commit[:message]
+
+        authors = [author_name] + parse_coauthors(message)
+
+        # Prefer human authors over bots
+        human = authors.find { |a| !bot_author?(a) }
+        human || authors.first
+      end
+
+      def parse_coauthors(message)
+        return [] unless message
+
+        message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip)
+      end
+
+      def bot_author?(name)
+        name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i
+      end
     end
   end
 end

data/lib/git/pkgs/purl_helper.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "purl"
+
+module Git
+  module Pkgs
+    module PurlHelper
+      # Mapping from Bibliothecary/ecosyste.ms ecosystem names to PURL types
+      # Source: https://packages.ecosyste.ms/api/v1/registries/
+      ECOSYSTEM_TO_PURL_TYPE = {
+        "npm" => "npm",
+        "go" => "golang",
+        "docker" => "docker",
+        "pypi" => "pypi",
+        "nuget" => "nuget",
+        "maven" => "maven",
+        "packagist" => "composer",
+        "cargo" => "cargo",
+        "rubygems" => "gem",
+        "cocoapods" => "cocoapods",
+        "pub" => "pub",
+        "bower" => "bower",
+        "cpan" => "cpan",
+        "alpine" => "alpine",
+        "actions" => "githubactions",
+        "cran" => "cran",
+        "clojars" => "clojars",
+        "conda" => "conda",
+        "hex" => "hex",
+        "hackage" => "hackage",
+        "julia" => "julia",
+        "swiftpm" => "swift",
+        "openvsx" => "openvsx",
+        "spack" => "spack",
+        "homebrew" => "brew",
+        "puppet" => "puppet",
+        "deno" => "deno",
+        "elm" => "elm",
+        "vcpkg" => "vcpkg",
+        "racket" => "racket",
+        "bioconductor" => "bioconductor",
+        "carthage" => "carthage",
+        "elpa" => "melpa"
+      }.freeze
+
+      def self.purl_type_for(ecosystem)
+        ECOSYSTEM_TO_PURL_TYPE.fetch(ecosystem, ecosystem)
+      end
+
+      def self.build_purl(ecosystem:, name:, version: nil)
+        type = purl_type_for(ecosystem)
+        Purl::PackageURL.new(type: type, name: name, version: version)
+      end
+    end
+  end
+end

data/lib/git/pkgs/spinner.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    class Spinner
+      FRAMES = %w[⠋ ⠙ ⠹ ⠸ ⠼ ⠴ ⠦ ⠧ ⠇ ⠏].freeze
+      INTERVAL = 0.08
+
+      def initialize(message)
+        @message = message
+        @running = false
+        @thread = nil
+      end
+
+      def start
+        return unless $stdout.tty? && !Git::Pkgs.quiet
+
+        @running = true
+        @frame_index = 0
+        @thread = Thread.new do
+          while @running
+            print "\r#{FRAMES[@frame_index]} #{@message}"
+            @frame_index = (@frame_index + 1) % FRAMES.length
+            sleep INTERVAL
+          end
+        end
+      end
+
+      def stop
+        return unless @thread
+
+        @running = false
+        @thread.join
+        print "\r#{" " * (@message.length + 3)}\r"
+      end
+
+      def self.with_spinner(message)
+        spinner = new(message)
+        spinner.start
+        yield
+      ensure
+        spinner.stop
+      end
+    end
+  end
+end

data/lib/git/pkgs/version.rb

@@ -2,6 +2,6 @@
 
 module Git
   module Pkgs
-    VERSION = "0.6.2"
+    VERSION = "0.8.0"
   end
 end