@renovatebot/osv-offline-db 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,7 +1,7 @@
1
1
  # osv-offline-db
2
2
 
3
3
  [![Package version](https://img.shields.io/npm/v/@renovatebot/osv-offline-db?style=for-the-badge)](https://www.npmjs.com/package/@renovatebot/osv-offline-db)
4
- [![Build status](https://img.shields.io/github/workflow/status/jamiemagee/osv-offline/Build?style=for-the-badge)](https://github.com/jamiemagee/osv-offline/actions/workflows/build.yml)
4
+ [![Build status](https://img.shields.io/github/actions/workflow/status/renovatebot/osv-offline/build.yml?branch=main&style=for-the-badge)](https://github.com/renovatebot/osv-offline/actions/workflows/build.yml)
5
5
  [![MIT license](https://img.shields.io/badge/license-MIT-blue?style=for-the-badge)](./LICENSE)
6
6
  ![Stability experimental](https://img.shields.io/badge/stability-experimental-orange.svg?style=for-the-badge)
7
7
 
package/dist/lib/db.js CHANGED
@@ -8,6 +8,7 @@ const os_1 = require("os");
8
8
  const path_1 = __importDefault(require("path"));
9
9
  const nedb_1 = __importDefault(require("@seald-io/nedb"));
10
10
  const ecosystem_1 = require("./ecosystem");
11
+ const purl_helper_1 = require("./purl-helper");
11
12
  class OsvOfflineDb {
12
13
  // eslint-disable-next-line @typescript-eslint/no-empty-function
13
14
  constructor() {
@@ -33,7 +34,7 @@ class OsvOfflineDb {
33
34
  package: {
34
35
  name: packageName,
35
36
  ecosystem,
36
- purl: `pkg:${ecosystem.toLowerCase()}/${packageName}`,
37
+ purl: (0, purl_helper_1.packageToPurl)(ecosystem, packageName),
37
38
  },
38
39
  },
39
40
  },
@@ -1,5 +1,2 @@
1
- /**
2
- * https://github.com/google/osv/blob/b9f0d1c1b377b0ab5804808f24032be965a571b8/lib/osv/ecosystems.py#L313-L321
3
- */
4
- export declare const ecosystems: readonly ["crates.io", "Go", "Maven", "npm", "NuGet", "PyPI", "RubyGems"];
1
+ export declare const ecosystems: readonly ["crates.io", "Go", "Hex", "Maven", "npm", "NuGet", "Packagist", "PyPI", "RubyGems"];
5
2
  export type Ecosystem = typeof ecosystems[number];
@@ -1,15 +1,15 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.ecosystems = void 0;
4
- /**
5
- * https://github.com/google/osv/blob/b9f0d1c1b377b0ab5804808f24032be965a571b8/lib/osv/ecosystems.py#L313-L321
6
- */
4
+ // https://github.com/google/osv.dev/blob/edacbd3c32b1d632bad8c5b506a14d0850b2e537/osv/ecosystems.py#L659-L679
7
5
  exports.ecosystems = [
8
6
  'crates.io',
9
7
  'Go',
8
+ 'Hex',
10
9
  'Maven',
11
10
  'npm',
12
11
  'NuGet',
12
+ 'Packagist',
13
13
  'PyPI',
14
14
  'RubyGems',
15
15
  ];
package/dist/lib/osv.d.ts CHANGED
@@ -1,62 +1,69 @@
1
1
  /**
2
2
  * A schema for describing a vulnerability in an open source package.
3
+ *
4
+ * https://github.com/ossf/osv-schema/blob/main/validation/schema.json
3
5
  */
4
6
  export interface Vulnerability {
5
- affected?: Affected[];
7
+ schema_version?: string;
8
+ id: string;
9
+ modified: string;
10
+ published?: string;
11
+ withdrawn?: string;
6
12
  aliases?: string[];
13
+ related?: string[];
14
+ summary?: string;
15
+ details?: string;
16
+ severity?: Severity[];
17
+ affected?: Affected[];
18
+ references?: Reference[];
7
19
  credits?: Credit[];
8
- databaseSpecific?: {
20
+ database_specific?: {
9
21
  [key: string]: unknown;
10
22
  };
11
- details?: string;
12
- id: string;
13
- modified: Date;
14
- published?: Date;
15
- references?: Reference[];
16
- related?: string[];
17
- schemaVersion?: string;
18
- severity?: Severity[];
19
- summary?: string;
20
- withdrawn?: Date;
21
23
  }
22
24
  export interface Affected {
23
- databaseSpecific?: {
25
+ package?: Package;
26
+ severity?: Severity[];
27
+ ranges?: Range[];
28
+ versions?: string[];
29
+ ecosystem_specific?: {
24
30
  [key: string]: unknown;
25
31
  };
26
- ecosystemSpecific?: {
32
+ database_specific?: {
27
33
  [key: string]: unknown;
28
34
  };
29
- package?: Package;
30
- ranges?: Range[];
31
- versions?: string[];
32
35
  }
36
+ export interface Severity {
37
+ type: SeverityType;
38
+ score: string;
39
+ }
40
+ export type SeverityType = 'CVSS_V3' | 'CVSS_V2';
33
41
  export interface Package {
34
42
  ecosystem: string;
35
43
  name: string;
36
44
  purl?: string;
37
45
  }
38
46
  export interface Range {
39
- events: Event[];
40
- repo?: string;
41
47
  type: RangeType;
48
+ repo?: string;
49
+ events: Event[];
50
+ database_specific?: {
51
+ [key: string]: unknown;
52
+ };
42
53
  }
54
+ export type RangeType = 'ECOSYSTEM' | 'GIT' | 'SEMVER';
43
55
  export interface Event {
44
56
  introduced?: string;
45
57
  fixed?: string;
58
+ last_affected?: string;
46
59
  limit?: string;
47
60
  }
48
- export type RangeType = 'ECOSYSTEM' | 'GIT' | 'SEMVER';
49
- export interface Credit {
50
- contact?: string[];
51
- name: string;
52
- }
53
61
  export interface Reference {
54
62
  type: ReferenceType;
55
63
  url: string;
56
64
  }
57
- export type ReferenceType = 'ADVISORY' | 'ARTICLE' | 'FIX' | 'GIT' | 'PACKAGE' | 'REPORT' | 'WEB';
58
- export interface Severity {
59
- score: string;
60
- type: SeverityType;
65
+ export interface Credit {
66
+ name: string;
67
+ contact?: string[];
61
68
  }
62
- export type SeverityType = 'CVSS_V3';
69
+ export type ReferenceType = 'ADVISORY' | 'ARTICLE' | 'REPORT' | 'FIX' | 'GIT' | 'PACKAGE' | 'EVIDENCE' | 'WEB';
@@ -0,0 +1,2 @@
1
+ import type { Ecosystem } from './ecosystem';
2
+ export declare function packageToPurl(ecosystem: Ecosystem, packageName: string): string;
@@ -0,0 +1,28 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.packageToPurl = void 0;
4
+ // https://github.com/google/osv.dev/blob/edacbd3c32b1d632bad8c5b506a14d0850b2e537/osv/purl_helpers.py#L18-L30
5
+ const PURL_ECOSYSTEMS = {
6
+ 'crates.io': 'cargo',
7
+ Go: 'golang',
8
+ Hex: 'hex',
9
+ Maven: 'maven',
10
+ NuGet: 'nuget',
11
+ npm: 'npm',
12
+ Packagist: 'composer',
13
+ PyPI: 'pypi',
14
+ RubyGems: 'gem',
15
+ };
16
+ function urlEncode(packageName) {
17
+ const parts = packageName.split('/');
18
+ return parts.map(encodeURIComponent).join('/');
19
+ }
20
+ function packageToPurl(ecosystem, packageName) {
21
+ let packageNamePurl = packageName;
22
+ const purlType = PURL_ECOSYSTEMS[ecosystem];
23
+ if (purlType === 'maven') {
24
+ packageNamePurl = packageName.replace(':', '/');
25
+ }
26
+ return `pkg:${purlType}/${urlEncode(packageNamePurl)}`;
27
+ }
28
+ exports.packageToPurl = packageToPurl;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@renovatebot/osv-offline-db",
3
- "version": "1.1.0",
3
+ "version": "1.3.0",
4
4
  "main": "dist/index.js",
5
5
  "types": "dist/index.d.ts",
6
6
  "license": "MIT",
@@ -13,7 +13,7 @@
13
13
  "devDependencies": {
14
14
  "@tsconfig/node14": "1.0.3",
15
15
  "@types/node": "18.11.18",
16
- "prettier": "2.8.1",
16
+ "prettier": "2.8.3",
17
17
  "ts-node": "10.9.1",
18
18
  "typescript": "4.9.4"
19
19
  }