diff --git a/go/internal/database/datastore/internal/validate/validate.go b/go/internal/database/datastore/internal/validate/validate.go
index 37a2752df70..72bafc991d0 100644
--- a/go/internal/database/datastore/internal/validate/validate.go
+++ b/go/internal/database/datastore/internal/validate/validate.go
@@ -219,6 +219,7 @@ func writeRecords(ctx context.Context, client *datastore.Client) {
 Extension: ".yaml",
 KeyPath: "key",
 IgnoreGit: false,
+ AcceptedEcosystems: []string{"crates.io", "npm"},
 DetectCherrypicks: true,
 ConsiderAllBranches: true,
 VersionsFromRepo: true,
diff --git a/go/internal/database/datastore/internal/validate/validate.py b/go/internal/database/datastore/internal/validate/validate.py
index 42270a2651a..67cda21356c 100644
--- a/go/internal/database/datastore/internal/validate/validate.py
+++ b/go/internal/database/datastore/internal/validate/validate.py
@@ -132,6 +132,7 @@ def main() -> int:
 extension='.json',
 key_path='vulnerability',
 ignore_git=False,
+ accepted_ecosystems=['Go', 'PyPI'],
 detect_cherrypicks=True,
 consider_all_branches=False,
 versions_from_repo=True,
diff --git a/go/internal/database/datastore/models.go b/go/internal/database/datastore/models.go
index d7d105f89dc..3ac6e958f29 100644
--- a/go/internal/database/datastore/models.go
+++ b/go/internal/database/datastore/models.go
@@ -141,6 +141,7 @@ type SourceRepository struct {
 Editable bool `datastore:"editable"`
 Extension string `datastore:"extension"`
 KeyPath string `datastore:"key_path"`
+ AcceptedEcosystems []string `datastore:"accepted_ecosystems"`
 IgnoreGit bool `datastore:"ignore_git"`
 DetectCherrypicks bool `datastore:"detect_cherrypicks"`
 ConsiderAllBranches bool `datastore:"consider_all_branches"`
diff --git a/go/internal/database/datastore/source_repository.go b/go/internal/database/datastore/source_repository.go
index d69199d48d5..7b46fe95f72 100644
--- a/go/internal/database/datastore/source_repository.go
+++ b/go/internal/database/datastore/source_repository.go
@@ -8,6 +8,7 @@ import (
 "cloud.google.com/go/datastore"
 "github.com/google/osv.dev/go/internal/models"
+ "github.com/ossf/osv-schema/bindings/go/osvconstants"
 "google.golang.org/api/iterator"
 )
@@ -80,13 +81,18 @@ func (s *SourceRepositoryStore) All(ctx context.Context) iter.Seq2[*models.Sourc
 }
 func (sr *SourceRepository) toModel() *models.SourceRepository {
+ ecos := make([]osvconstants.Ecosystem, 0, len(sr.AcceptedEcosystems))
+ for _, e := range sr.AcceptedEcosystems {
+ ecos = append(ecos, osvconstants.Ecosystem(e))
+ }
 msr := &models.SourceRepository{
- Name: sr.Name,
- Type: sr.Type,
- Strictness: sr.StrictValidation,
- IgnorePatterns: sr.IgnorePatterns,
- Extension: sr.Extension,
- KeyPath: sr.KeyPath,
+ Name: sr.Name,
+ Type: sr.Type,
+ Strictness: sr.StrictValidation,
+ IgnorePatterns: sr.IgnorePatterns,
+ AcceptedEcosystems: ecos,
+ Extension: sr.Extension,
+ KeyPath: sr.KeyPath,
 GitAnalysis: &models.GitAnalysisConfig{
 IgnoreGit: sr.IgnoreGit,
 DetectCherrypicks: sr.DetectCherrypicks,
@@ -126,16 +132,21 @@ func (sr *SourceRepository) toModel() *models.SourceRepository {
 }
 func newSourceRepositoryFromModel(r *models.SourceRepository) *SourceRepository {
+ ecos := make([]string, 0, len(r.AcceptedEcosystems))
+ for _, e := range r.AcceptedEcosystems {
+ ecos = append(ecos, string(e))
+ }
 sr := &SourceRepository{
- Name: r.Name,
- Type: r.Type,
- StrictValidation: r.Strictness,
- IgnorePatterns: r.IgnorePatterns,
- Extension: r.Extension,
- KeyPath: r.KeyPath,
- Link: r.Link,
- HumanLink: r.HumanLink,
- DBPrefix: r.IDPrefixes,
+ Name: r.Name,
+ Type: r.Type,
+ StrictValidation: r.Strictness,
+ IgnorePatterns: r.IgnorePatterns,
+ AcceptedEcosystems: ecos,
+ Extension: r.Extension,
+ KeyPath: r.KeyPath,
+ Link: r.Link,
+ HumanLink: r.HumanLink,
+ DBPrefix: r.IDPrefixes,
 }
 if r.GitAnalysis != nil {
diff --git a/go/internal/models/source_repository.go b/go/internal/models/source_repository.go
index ee1f9a9db5a..31ecfb1e4e0 100644
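Review bot: toModel converts each stored string with `osvconstants.Ecosystem(e)` and never checks that it names a known ecosystem or the `*` wildcard, so a misspelled entry in a datastore record is indistinguishable from a deliberately empty allow-list and silently rejects every packaged affected entry for that source. toModel has no error return, so the check belongs where records are written (writeRecords in validate.go or the sourcerepo-sync tool), but the conversion loop is the place to say so: `// Values are copied verbatim; nothing here validates them against known ecosystems.` The same applies to the mirror loop in newSourceRepositoryFromModel in the next hunk, and both functions continue outside the hunk.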
--- a/go/internal/models/source_repository.go
+++ b/go/internal/models/source_repository.go
@@ -5,6 +5,8 @@ import (
 "context"
 "iter"
 "time"
+
+ "github.com/ossf/osv-schema/bindings/go/osvconstants"
 )
 type SourceRepositoryStore interface {
@@ -53,6 +55,10 @@ type SourceRepository struct {
 // Git Content Analysis (Applied to Git commit ranges found in vulnerabilities)
 GitAnalysis *GitAnalysisConfig
+ // List of ecosystems that this source is allowed to import.
+ // A value of '*' means allow all ecosystems.
+ AcceptedEcosystems []osvconstants.Ecosystem
+
 // HTTP link prefix to individual OSV source records.
 Link string
 // HTTP link prefix to individual vulnerability records for humans.
diff --git a/go/internal/worker/engine_test.go b/go/internal/worker/engine_test.go
index 4da91e579bc..7d235c5006f 100644
--- a/go/internal/worker/engine_test.go
+++ b/go/internal/worker/engine_test.go
@@ -112,7 +112,8 @@ func TestPipeline_EndToEnd_PortedFromPython(t *testing.T) {
 Stores: Stores{
 SourceRepo: mockSourceRepoStore{
 repo: &models.SourceRepository{
- Name: "source",
+ Name: "source",
+ AcceptedEcosystems: []osvconstants.Ecosystem{"*"},
 GitAnalysis: &models.GitAnalysisConfig{
 IgnoreGit: false,
 },
diff --git a/go/internal/worker/pipeline/filterecosystem/filterecosystem.go b/go/internal/worker/pipeline/filterecosystem/filterecosystem.go
index 63f81800753..3d61a1ca7f3 100644
--- a/go/internal/worker/pipeline/filterecosystem/filterecosystem.go
+++ b/go/internal/worker/pipeline/filterecosystem/filterecosystem.go
@@ -4,11 +4,13 @@ package filterecosystem
 import (
 "context"
 "log/slog"
+ "slices"
 "strings"
 "github.com/google/osv.dev/go/internal/osvutil/schema"
 "github.com/google/osv.dev/go/internal/worker/pipeline"
 "github.com/google/osv.dev/go/logger"
+ "github.com/ossf/osv-schema/bindings/go/osvconstants"
 "github.com/ossf/osv-schema/bindings/go/osvschema"
 "google.golang.org/protobuf/proto"
 )
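Review bot: The AcceptedEcosystems comment in models/source_repository.go documents `*` but not the other special value: an empty or nil list accepts no ecosystems, which is the default in tools/sourcerepo-sync/source_repo_default.yaml and what the `accepted_ecosystems: []` sources in source.yaml rely on. It also does not say that entries are matched against the ecosystem name before any `:` suffix, which is what the filterecosystem change does with strings.Cut. Suggest extending it with `// An empty list accepts none. Entries are compared against the ecosystem name before any ':' suffix.` The mirrored comment added to osv/models.py later in this commit should carry the same wording.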
@@ -19,13 +21,17 @@ var _ pipeline.Enricher = (*Enricher)(nil)
 func (*Enricher) Enrich(ctx context.Context, vuln *osvschema.Vulnerability, params *pipeline.EnrichParams) error {
 newAffected := make([]*osvschema.Affected, 0, len(vuln.GetAffected()))
+ acceptedEcos := params.SourceRepo.AcceptedEcosystems
+ allowAll := slices.Contains(acceptedEcos, "*")
 for _, affected := range vuln.GetAffected() {
 pkg := affected.GetPackage()
+ if pkg == nil {
+ continue
+ }
 ecosystem := pkg.GetEcosystem()
 ecoBase, _, _ := strings.Cut(ecosystem, ":")
 shouldRemove := false
- if params.SourceRepo.Name == "echo" && ecoBase != "Echo" {
- // TODO(michaelkedar): Have a list of allowed ecosystems in the SourceRepo #5285
+ if !allowAll && !slices.Contains(acceptedEcos, osvconstants.Ecosystem(ecoBase)) {
 shouldRemove = true
 }
 if !schema.IsKnownEcosystem(ecoBase) {
diff --git a/go/internal/worker/pipeline/filterecosystem/filterecosystem_test.go b/go/internal/worker/pipeline/filterecosystem/filterecosystem_test.go
index c2649b9f805..9a6f49787ea 100644
--- a/go/internal/worker/pipeline/filterecosystem/filterecosystem_test.go
+++ b/go/internal/worker/pipeline/filterecosystem/filterecosystem_test.go
@@ -7,6 +7,7 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/osv.dev/go/internal/models"
 "github.com/google/osv.dev/go/internal/worker/pipeline"
+ "github.com/ossf/osv-schema/bindings/go/osvconstants"
 "github.com/ossf/osv-schema/bindings/go/osvschema"
 "google.golang.org/protobuf/testing/protocmp"
 )
@@ -17,13 +18,13 @@ func TestEnricher_Enrich(t *testing.T) {
 tests := []struct {
 name string
- repoName string
+ acceptedEcos []osvconstants.Ecosystem
 affected []*osvschema.Affected
 expectedAffected []*osvschema.Affected
 }{
 {
- name: "Keep valid ecosystem",
- repoName: "all-allowed",
+ name: "Keep valid ecosystem",
+ acceptedEcos: []osvconstants.Ecosystem{"*"},
 affected: []*osvschema.Affected{
 {
 Package: &osvschema.Package{
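Review bot: The new `if pkg == nil { continue }` in Enrich leaves the loop body before anything is appended, so if kept entries are added to newAffected further down (outside the hunk) an affected entry without a package is dropped entirely, GIT ranges included. Before this change a nil package went through pkg.GetEcosystem(), which the generated getter answers with "" on a nil receiver, and so took the unknown-ecosystem path that the test case named "Preserve GIT ranges when filtering ecosystem" suggests keeps GIT ranges; the sources configured with `accepted_ecosystems: []` in source.yaml (curl, PSF, V8) are described there as publishing exactly such package-less GIT-only entries. If those must survive, keep them explicitly: `if pkg == nil { newAffected = append(newAffected, affected); continue }`. Separately, a nil AcceptedEcosystems (a datastore record written before the field existed) makes both allowAll and the Contains check false, i.e. fail-closed, which deserves a one-line comment on the `allowAll` line. Enrich's body continues past the hunk.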
@@ -42,8 +43,8 @@ func TestEnricher_Enrich(t *testing.T) {
 },
 },
 {
- name: "Filter out invalid ecosystem",
- repoName: "all-allowed",
+ name: "Filter out invalid ecosystem",
+ acceptedEcos: []osvconstants.Ecosystem{"*"},
 affected: []*osvschema.Affected{
 {
 Package: &osvschema.Package{
@@ -55,8 +56,8 @@ func TestEnricher_Enrich(t *testing.T) {
 expectedAffected: []*osvschema.Affected{},
 },
 {
- name: "Filter out non-Echo for Echo repo",
- repoName: "echo",
+ name: "Filter out non-Echo for Echo repo",
+ acceptedEcos: []osvconstants.Ecosystem{osvconstants.EcosystemEcho},
 affected: []*osvschema.Affected{
 {
 Package: &osvschema.Package{
@@ -68,8 +69,8 @@ func TestEnricher_Enrich(t *testing.T) {
 expectedAffected: []*osvschema.Affected{},
 },
 {
- name: "Keep Echo for Echo repo",
- repoName: "echo",
+ name: "Keep Echo for Echo repo",
+ acceptedEcos: []osvconstants.Ecosystem{osvconstants.EcosystemEcho},
 affected: []*osvschema.Affected{
 {
 Package: &osvschema.Package{
@@ -88,8 +89,8 @@ func TestEnricher_Enrich(t *testing.T) {
 },
 },
 {
- name: "Preserve GIT ranges when filtering ecosystem",
- repoName: "all-allowed",
+ name: "Preserve GIT ranges when filtering ecosystem",
+ acceptedEcos: []osvconstants.Ecosystem{"*"},
 affected: []*osvschema.Affected{
 {
 Package: &osvschema.Package{
@@ -128,8 +129,8 @@ func TestEnricher_Enrich(t *testing.T) {
 },
 },
 {
- name: "Mixed valid and invalid ecosystems",
- repoName: "all-allowed",
+ name: "Mixed valid and invalid ecosystems",
+ acceptedEcos: []osvconstants.Ecosystem{"*"},
 affected: []*osvschema.Affected{
 {
 Package: &osvschema.Package{
@@ -164,7 +165,7 @@ func TestEnricher_Enrich(t *testing.T) {
 params := &pipeline.EnrichParams{
 SourceRepo: &models.SourceRepository{
- Name: tc.repoName,
+ AcceptedEcosystems: tc.acceptedEcos,
 },
 }
diff --git a/osv/models.py b/osv/models.py
index b572bd46ea6..679d9031562 100644
--- a/osv/models.py
+++ b/osv/models.py
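Review bot: The updated table in TestEnricher_Enrich exercises `*` and a single named ecosystem but neither of the two new behaviours: an empty acceptedEcos, which is what curl, PSF and V8 are configured with in source.yaml and should drop every packaged entry, and an affected entry with no Package, the only input that reaches the new `continue` in Enrich. Suggest adding a case with `acceptedEcos: []osvconstants.Ecosystem{}` and a packaged affected expecting an empty result, and one with `Package: nil` plus a GIT range asserting whichever outcome is intended, so a regression in that branch is caught here rather than during ingestion.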
@@ -1545,6 +1545,9 @@ class SourceRepository(ndb.Model):
 key_path: str = ndb.StringProperty()
 # If true, don't analyze any Git ranges.
 ignore_git: bool = ndb.BooleanProperty(default=False)
+ # List of ecosystems that this source is allowed to import.
+ # A value of '*' means allow all ecosystems.
+ accepted_ecosystems: list[str] = ndb.StringProperty(repeated=True)
 # Whether to detect cherypicks or not (slow for large repos).
 detect_cherrypicks: bool = ndb.BooleanProperty(default=True)
 # Whether to consider all branches when analyzing GIT ranges.
diff --git a/source.yaml b/source.yaml
index c705f8df768..bb4e0039c35 100644
--- a/source.yaml
+++ b/source.yaml
@@ -8,6 +8,7 @@
 detect_cherrypicks: False
 extension: '.json'
 db_prefix: ['ALBA-']
+ accepted_ecosystems: ['AlmaLinux']
 ignore_git: False
 human_link: '{% if ECOSYSTEMS|length >= 2 %}https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html{% endif %}'
 link: 'https://github.com/AlmaLinux/osv-database/blob/master/'
@@ -23,6 +24,7 @@
 detect_cherrypicks: False
 extension: '.json'
 db_prefix: ['ALEA-']
+ accepted_ecosystems: ['AlmaLinux']
 ignore_git: False
 human_link: '{% if ECOSYSTEMS|length >= 2 %}https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html{% endif %}'
 link: 'https://github.com/AlmaLinux/osv-database/blob/master/'
@@ -38,6 +40,7 @@
 detect_cherrypicks: False
 extension: '.json'
 db_prefix: ['ALSA-']
+ accepted_ecosystems: ['AlmaLinux']
 ignore_git: False
 human_link: '{% if ECOSYSTEMS|length >= 2 %}https://errata.almalinux.org/{{ ECOSYSTEMS[1].split(":")[1] }}/{{ BUG_ID | replace(":", "-", 1) }}.html{% endif %}'
 link: 'https://github.com/AlmaLinux/osv-database/blob/master/'
@@ -53,6 +56,7 @@ extension: '.json' bucket: 'cve-osv-conversion' db_prefix: ['ALPINE-'] + accepted_ecosystems: ['Alpine'] ignore_git: True human_link: 'https://security.alpinelinux.org/vuln/{{ BUG_ID | replace("ALPINE-", "") }}' link: 'https://storage.googleapis.com/cve-osv-conversion/' @@ -67,6 +71,7 @@ extension: '.json' bucket: 'android-osv' db_prefix: ['A-', 'ASB-A', 'PUB-A'] + accepted_ecosystems: ['Android'] ignore_git: True link: 'https://storage.googleapis.com/android-osv/' editable: False @@ -81,6 +86,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['AZL-'] + accepted_ecosystems: ['Azure Linux'] ignore_git: False link: 'https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/' editable: False @@ -95,6 +101,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['BELL-'] + accepted_ecosystems: ['Alpaquita', 'BellSoft Hardened Containers'] ignore_git: False human_link: 'https://docs.bell-sw.com/security/cves/{{ BUG_ID }}/' link: 'https://github.com/bell-sw/osv-database/blob/master/' @@ -110,6 +117,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['BIT-'] + accepted_ecosystems: ['Bitnami'] ignore_git: False link: 'https://github.com/bitnami/vulndb/tree/main/' editable: False @@ -124,6 +132,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ROOT-'] + accepted_ecosystems: ['Root'] ignore_git: True human_link: 'https://root.io/security/{{ BUG_ID }}' link: 'https://api.root.io/external/osv/' @@ -139,6 +148,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CGA-'] + accepted_ecosystems: ['Chainguard', 'Wolfi'] ignore_git: True link: 'https://packages.cgr.dev/chainguard/osv/' human_link: 'https://images.chainguard.dev/security/{{ BUG_ID }}' @@ -154,6 +164,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CLEANSTART-'] + accepted_ecosystems: ['CleanStart'] ignore_git: True link: 'https://github.com/cleanstart-dev/cleanstart-security-advisories/blob/main/' editable: False 
@@ -168,6 +179,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CURL-'] + accepted_ecosystems: [] # None: There is no curl ecosystem, they just publish GIT advisories ignore_git: False human_link: 'https://curl.se/docs/{{ BUG_ID | replace("CURL-", "") }}.html' link: 'https://curl.se/docs/' @@ -183,6 +195,7 @@ extension: '.json' bucket: 'cve-osv-conversion' db_prefix: ['CVE-'] + accepted_ecosystems: ['*'] # All ecosystems (we maintain these conversions) ignore_git: False human_link: 'https://cve.org/CVERecord?id={{ BUG_ID }}' link: 'https://storage.googleapis.com/cve-osv-conversion/' @@ -198,6 +211,7 @@ extension: '.json' bucket: 'debian-osv' db_prefix: ['DEBIAN-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID | replace("DEBIAN-", "") }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -213,6 +227,7 @@ extension: '.json' bucket: 'debian-osv' db_prefix: ['DLA-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -228,6 +243,7 @@ extension: '.json' bucket: 'debian-osv' db_prefix: ['DSA-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -243,6 +259,7 @@ extension: '.json' bucket: 'debian-osv' db_prefix: ['DTSA-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -258,6 +275,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['DRUPAL-'] + accepted_ecosystems: ['Packagist'] ignore_git: True link: 'https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/' editable: False 
@@ -272,6 +290,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ECHO-'] + accepted_ecosystems: ['Echo'] ignore_git: True link: 'https://advisory.echohq.com/osv/' editable: False @@ -281,6 +300,7 @@ type: 2 rest_api_url: 'https://cna.erlef.org/osv/all.json' db_prefix: ['EEF-'] + accepted_ecosystems: ['Hex'] human_link: 'https://cna.erlef.org/osv/{{ BUG_ID }}.html' link: 'https://cna.erlef.org/osv/' directory_path: 'osv' @@ -300,6 +320,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['GHSA-'] + accepted_ecosystems: ['*'] # All ecosystems (We trust GHSA) ignore_git: True human_link: 'https://github.com/advisories/{{ BUG_ID }}' link: 'https://github.com/github/advisory-database/blob/main/' @@ -315,6 +336,7 @@ extension: '.json' bucket: 'go-vulndb' db_prefix: ['GO-'] + accepted_ecosystems: ['Go'] ignore_git: True human_link: 'https://pkg.go.dev/vuln/{{ BUG_ID }}' link: 'https://vuln.go.dev/' @@ -330,6 +352,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['HSEC-'] + accepted_ecosystems: ['Hackage', 'GHC'] ignore_git: False link: 'https://github.com/haskell/security-advisories/blob/generated/osv-export/' editable: False @@ -345,6 +368,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['JLSEC-'] + accepted_ecosystems: ['Julia'] ignore_git: False human_link: 'https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/{{ BUG_ID.split("-")[1] }}/{{ BUG_ID }}.md' link: 'https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/' @@ -361,6 +385,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['MGASA-'] + accepted_ecosystems: ['Mageia'] ignore_git: True human_link: 'https://advisories.mageia.org/{{ BUG_ID }}.html' link: 'https://advisories.mageia.org/' 
@@ -376,6 +401,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['MAL-'] + accepted_ecosystems: ['*'] # All ecosystems (we trust malicious packages) ignore_git: False link: 'https://github.com/ossf/malicious-packages/blob/main/' editable: False @@ -390,6 +416,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['MINI-'] + accepted_ecosystems: ['MinimOS'] ignore_git: True link: 'https://packages.mini.dev/advisories/osv/' editable: False @@ -404,6 +431,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['OSEC-'] + accepted_ecosystems: ['opam'] ignore_git: False link: 'https://github.com/ocaml/security-advisories/blob/generated-osv/' editable: False @@ -419,6 +447,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['OESA-'] + accepted_ecosystems: ['openEuler'] ignore_git: True human_link: 'https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-{{ BUG_ID | replace("OESA-", "") }}' link: 'https://repo.openeuler.org/security/data/osv/' @@ -434,6 +463,7 @@ detect_cherrypicks: True extension: '.yaml' db_prefix: ['OSV-'] + accepted_ecosystems: ['OSS-Fuzz'] ignore_git: False link: 'https://github.com/google/oss-fuzz-vulns/blob/main/' editable: True @@ -449,6 +479,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['PSF-'] + accepted_ecosystems: [] # None: PSF only publishes GIT advisories for cpython ignore_git: False link: 'https://github.com/psf/advisory-database/blob/main/' editable: False @@ -463,6 +494,7 @@ detect_cherrypicks: False extension: '.yaml' db_prefix: ['PYSEC-'] + accepted_ecosystems: ['PyPI'] ignore_git: False link: 'https://github.com/pypa/advisory-database/blob/main/' editable: False @@ -477,6 +509,7 @@ detect_cherrypicks: False extension: '.yaml' db_prefix: ['RSEC-'] + accepted_ecosystems: ['CRAN', 'Bioconductor'] ignore_git: False link: 'https://github.com/RConsortium/r-advisory-database/blob/main/' editable: False 
@@ -491,6 +524,7 @@ ignore_patterns: ['^(?!RH[BES]{1}A-).*$'] extension: '.json' db_prefix: ['RHBA-', 'RHEA-', 'RHSA-'] + accepted_ecosystems: ['Red Hat'] ignore_git: False human_link: 'https://access.redhat.com/errata/{{ BUG_ID }}' link: 'https://security.access.redhat.com/data/osv/' @@ -505,6 +539,7 @@ extension: '.json' bucket: 'resf-osv-data' db_prefix: ['RLSA-'] + accepted_ecosystems: ['Rocky Linux'] ignore_git: False human_link: 'https://errata.rockylinux.org/{{ BUG_ID }}' link: 'https://storage.googleapis.com/resf-osv-data/' @@ -519,6 +554,7 @@ extension: '.json' bucket: 'resf-osv-data' db_prefix: ['RXSA-'] + accepted_ecosystems: ['Rocky Linux'] ignore_git: False human_link: 'https://errata.rockylinux.org/{{ BUG_ID }}' link: 'https://storage.googleapis.com/resf-osv-data/' @@ -535,6 +571,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['RUSTSEC-'] + accepted_ecosystems: ['crates.io'] ignore_git: False human_link: 'https://rustsec.org/advisories/{{ BUG_ID }}' link: 'https://github.com/rustsec/advisory-db/blob/osv/' @@ -551,6 +588,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['openSUSE-', 'SUSE-'] + accepted_ecosystems: ['openSUSE', 'SUSE'] ignore_git: True human_link: 'https://www.suse.com/support/update/announcement/{{ BUG_ID.split(":")[0].split("-")[2] }}/{{ BUG_ID | replace(":", "") | lower }}/' link: 'https://ftp.suse.com/pub/projects/security/osv/' @@ -566,6 +604,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['UBUNTU-'] + accepted_ecosystems: ['Ubuntu'] ignore_git: False human_link: 'https://ubuntu.com/security/{{ BUG_ID | replace("UBUNTU-", "") }}' link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/' @@ -581,6 +620,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['LSN-'] + accepted_ecosystems: ['Ubuntu'] ignore_git: False human_link: 'https://ubuntu.com/security/notices/{{ BUG_ID }}' link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/' 
@@ -596,6 +636,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['USN-'] + accepted_ecosystems: ['Ubuntu'] ignore_git: False human_link: 'https://ubuntu.com/security/notices/{{ BUG_ID }}' link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/' @@ -610,6 +651,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['GSD-'] + accepted_ecosystems: ['Linux'] ignore_git: False human_link: 'https://data.gsd.id/{{ BUG_ID }}' link: 'https://github.com/cloudsecurityalliance/gsd-database/blob/main/' @@ -628,6 +670,7 @@ consider_all_branches: True extension: '.json' db_prefix: ['V8-'] + accepted_ecosystems: [] # None: V8 only publishes GIT for v8 ignore_git: False human_link: 'https://github.com/google/chromium-policy-vulnfeed/blob/main/advisories/' link: 'https://github.com/google/chromium-policy-vulnfeed/blob/main/' diff --git a/source_test.yaml b/source_test.yaml index 97cc9af451e..c2d658d3590 100644 --- a/source_test.yaml +++ b/source_test.yaml @@ -8,6 +8,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ALBA-'] + accepted_ecosystems: ['AlmaLinux'] ignore_git: False human_link: '{% if ECOSYSTEM_VER %}https://errata.almalinux.org/{{ ECOSYSTEM_VER }}/{{ BUG_ID | replace(":", "-", 1) }}.html{% endif %}' link: 'https://github.com/AlmaLinux/osv-database/blob/master/' @@ -23,6 +24,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ALEA-'] + accepted_ecosystems: ['AlmaLinux'] ignore_git: False human_link: '{% if ECOSYSTEM_VER %}https://errata.almalinux.org/{{ ECOSYSTEM_VER }}/{{ BUG_ID | replace(":", "-", 1) }}.html{% endif %}' link: 'https://github.com/AlmaLinux/osv-database/blob/master/' @@ -38,6 +40,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ALSA-'] + accepted_ecosystems: ['AlmaLinux'] ignore_git: False human_link: '{% if ECOSYSTEM_VER %}https://errata.almalinux.org/{{ ECOSYSTEM_VER }}/{{ BUG_ID | replace(":", "-", 1) }}.html{% endif %}' link: 'https://github.com/AlmaLinux/osv-database/blob/master/' 
@@ -53,6 +56,7 @@ extension: '.json' bucket: 'osv-test-cve-osv-conversion' db_prefix: ['ALPINE-'] + accepted_ecosystems: ['Alpine'] ignore_git: True human_link: 'https://security.alpinelinux.org/vuln/{{ BUG_ID | replace("ALPINE-", "") }}' link: 'https://storage.googleapis.com/osv-test-cve-osv-conversion/' @@ -67,6 +71,7 @@ extension: '.json' bucket: 'android-osv-test' db_prefix: ['A-', 'ASB-A', 'PUB-A'] + accepted_ecosystems: ['Android'] ignore_git: True link: 'https://storage.googleapis.com/android-osv-test/' editable: False @@ -81,6 +86,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['AZL-'] + accepted_ecosystems: ['Azure Linux'] ignore_git: False link: 'https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/' editable: False @@ -95,6 +101,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['BELL-'] + accepted_ecosystems: ['Alpaquita', 'BellSoft Hardened Containers'] ignore_git: False human_link: 'https://docs.bell-sw.com/security/cves/{{ BUG_ID }}/' link: 'https://github.com/bell-sw/osv-database/blob/master/' @@ -110,6 +117,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['BIT-'] + accepted_ecosystems: ['Bitnami'] ignore_git: False link: 'https://github.com/bitnami/vulndb/tree/main/' editable: False @@ -124,6 +132,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CGA-'] + accepted_ecosystems: ['Chainguard', 'Wolfi'] ignore_git: True link: 'https://packages.cgr.dev/chainguard/osv/' human_link: 'https://images.chainguard.dev/security/{{ BUG_ID }}' @@ -139,6 +148,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CLEANSTART-'] + accepted_ecosystems: ['CleanStart'] ignore_git: True link: 'https://github.com/cleanstart-dev/cleanstart-security-advisories/blob/main/' editable: False 
@@ -153,6 +163,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CURL-'] + accepted_ecosystems: [] # None: There is no curl ecosystem, they just publish GIT advisories ignore_git: False human_link: 'https://curl.se/docs/{{ BUG_ID | replace("CURL-", "") }}.html' link: 'https://curl.se/docs/' @@ -168,6 +179,7 @@ extension: '.json' bucket: 'osv-test-cve-osv-conversion' db_prefix: ['CVE-'] + accepted_ecosystems: ['*'] # All ecosystems (we maintain these conversions) ignore_git: False human_link: 'https://cve.org/CVERecord?id={{ BUG_ID }}' link: 'https://storage.googleapis.com/osv-test-cve-osv-conversion/' @@ -183,6 +195,7 @@ extension: '.json' bucket: 'osv-test-debian-osv' db_prefix: ['DEBIAN-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID | replace("DEBIAN-", "") }}' link: 'https://storage.googleapis.com/osv-test-debian-osv/' @@ -198,6 +211,7 @@ extension: '.json' bucket: 'osv-test-debian-osv' db_prefix: ['DLA-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -213,6 +227,7 @@ extension: '.json' bucket: 'osv-test-debian-osv' db_prefix: ['DSA-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -228,6 +243,7 @@ extension: '.json' bucket: 'osv-test-debian-osv' db_prefix: ['DTSA-'] + accepted_ecosystems: ['Debian'] ignore_git: True human_link: 'https://security-tracker.debian.org/tracker/{{ BUG_ID }}' link: 'https://storage.googleapis.com/debian-osv/' @@ -243,6 +259,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['DRUPAL-'] + accepted_ecosystems: ['Packagist'] ignore_git: True link: 'https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/' editable: False 
@@ -257,6 +274,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ECHO-'] + accepted_ecosystems: ['Echo'] ignore_git: True link: 'https://advisory.echohq.com/osv/' editable: False @@ -266,6 +284,7 @@ type: 2 rest_api_url: 'https://cna.erlef.org/osv/all.json' db_prefix: ['EEF-'] + accepted_ecosystems: ['Hex'] human_link: 'https://cna.erlef.org/osv/{{ BUG_ID }}.html' link: 'https://cna.erlef.org/osv/' directory_path: 'osv' @@ -285,6 +304,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['GHSA-'] + accepted_ecosystems: ['*'] # All ecosystems (We trust GHSA) ignore_git: True human_link: 'https://github.com/advisories/{{ BUG_ID }}' link: 'https://github.com/github/advisory-database/blob/main/' @@ -300,6 +320,7 @@ extension: '.json' bucket: 'go-vulndb' db_prefix: ['GO-'] + accepted_ecosystems: ['Go'] ignore_git: True human_link: 'https://pkg.go.dev/vuln/{{ BUG_ID }}' link: 'https://vuln.go.dev/' @@ -315,6 +336,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['HSEC-'] + accepted_ecosystems: ['Hackage', 'GHC'] ignore_git: False link: 'https://github.com/haskell/security-advisories/blob/generated/osv-export/' editable: False @@ -330,6 +352,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['JLSEC-'] + accepted_ecosystems: ['Julia'] ignore_git: False human_link: 'https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/{{ BUG_ID.split("-")[1] }}/{{ BUG_ID }}.md' link: 'https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/' @@ -346,6 +369,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['MGASA-'] + accepted_ecosystems: ['Mageia'] ignore_git: True human_link: 'https://advisories.mageia.org/{{ BUG_ID }}.html' link: 'https://advisories.mageia.org/' 
@@ -361,6 +385,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['MAL-'] + accepted_ecosystems: ['*'] # All ecosystems (we trust malicious packages) ignore_git: False link: 'https://github.com/ossf/malicious-packages/blob/main/' editable: False @@ -375,6 +400,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['MINI-'] + accepted_ecosystems: ['MinimOS'] ignore_git: True link: 'https://packages.mini.dev/advisories/osv/' editable: False @@ -389,6 +415,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['OSEC-'] + accepted_ecosystems: ['opam'] ignore_git: False link: 'https://github.com/ocaml/security-advisories/blob/generated-osv/' editable: False @@ -404,6 +431,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['OESA-'] + accepted_ecosystems: ['openEuler'] ignore_git: True human_link: 'https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-{{ BUG_ID | replace("OESA-", "") }}' link: 'https://repo.openeuler.org/security/data/osv/' @@ -420,6 +448,7 @@ detect_cherrypicks: True extension: '.yaml' db_prefix: ['OSV-'] + accepted_ecosystems: ['OSS-Fuzz'] ignore_git: False link: 'https://github.com/google/oss-fuzz-vulns/blob/main/' editable: False @@ -434,6 +463,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['PSF-'] + accepted_ecosystems: [] # None: PSF only publishes GIT advisories for cpython ignore_git: False link: 'https://github.com/psf/advisory-database/blob/main/' editable: False @@ -448,6 +478,7 @@ detect_cherrypicks: False extension: '.yaml' db_prefix: ['PYSEC-'] + accepted_ecosystems: ['PyPI'] ignore_git: False link: 'https://github.com/pypa/advisory-database/blob/main/' editable: False @@ -462,6 +493,7 @@ detect_cherrypicks: False extension: '.yaml' db_prefix: ['RSEC-'] + accepted_ecosystems: ['CRAN', 'Bioconductor'] ignore_git: False link: 'https://github.com/RConsortium/r-advisory-database/blob/main/' editable: False 
@@ -476,6 +508,7 @@ ignore_patterns: ['^(?!RH[BES]{1}A-).*$'] extension: '.json' db_prefix: ['RHBA-', 'RHEA-', 'RHSA-'] + accepted_ecosystems: ['Red Hat'] ignore_git: False human_link: 'https://access.redhat.com/errata/{{ BUG_ID }}' link: 'https://security.access.redhat.com/data/osv/' @@ -490,6 +523,7 @@ extension: '.json' bucket: 'resf-osv-data' db_prefix: ['RLSA-'] + accepted_ecosystems: ['Rocky Linux'] ignore_git: False human_link: 'https://errata.rockylinux.org/{{ BUG_ID }}' link: 'https://storage.googleapis.com/resf-osv-data/' @@ -504,6 +538,7 @@ extension: '.json' bucket: 'resf-osv-data' db_prefix: ['RXSA-'] + accepted_ecosystems: ['Rocky Linux'] ignore_git: False human_link: 'https://errata.rockylinux.org/{{ BUG_ID }}' link: 'https://storage.googleapis.com/resf-osv-data/' @@ -519,6 +554,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['ROOT-'] + accepted_ecosystems: ['Root'] ignore_git: True human_link: 'https://root.io/security/{{ BUG_ID }}' link: 'https://api.root.io/external/osv/' @@ -535,6 +571,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['RUSTSEC-'] + accepted_ecosystems: ['crates.io'] ignore_git: False human_link: 'https://rustsec.org/advisories/{{ BUG_ID }}' link: 'https://github.com/rustsec/advisory-db/blob/osv/' @@ -551,6 +588,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['openSUSE-', 'SUSE-'] + accepted_ecosystems: ['openSUSE', 'SUSE'] ignore_git: True human_link: 'https://www.suse.com/support/update/announcement/{{ BUG_ID.split(":")[0].split("-")[2] }}/{{ BUG_ID | replace(":", "") | lower }}/' link: 'https://ftp.suse.com/pub/projects/security/osv/' @@ -566,6 +604,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['CLSA-'] + accepted_ecosystems: ['TuxCare'] ignore_git: False link: 'https://github.com/cloudlinux/tuxcare-osv/tree/main/' editable: False 
@@ -580,6 +619,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['UBUNTU-'] + accepted_ecosystems: ['Ubuntu'] ignore_git: False human_link: 'https://ubuntu.com/security/{{ BUG_ID | replace("UBUNTU-", "") }}' link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/' @@ -595,6 +635,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['LSN-'] + accepted_ecosystems: ['Ubuntu'] ignore_git: False human_link: 'https://ubuntu.com/security/notices/{{ BUG_ID }}' link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/' @@ -610,6 +651,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['USN-'] + accepted_ecosystems: ['Ubuntu'] ignore_git: False human_link: 'https://ubuntu.com/security/notices/{{ BUG_ID }}' link: 'https://github.com/canonical/ubuntu-security-notices/blob/main/' @@ -624,6 +666,7 @@ detect_cherrypicks: False extension: '.json' db_prefix: ['GSD-'] + accepted_ecosystems: ['Linux'] ignore_git: False human_link: 'https://data.gsd.id/{{ BUG_ID }}' link: 'https://github.com/cloudsecurityalliance/gsd-database/blob/main/' @@ -642,6 +685,7 @@ consider_all_branches: True extension: '.json' db_prefix: ['V8-'] + accepted_ecosystems: [] # None: V8 only publishes GIT for v8 ignore_git: False human_link: 'https://github.com/google/chromium-policy-vulnfeed/blob/main/advisories/' link: 'https://github.com/google/chromium-policy-vulnfeed/blob/main/' diff --git a/tools/sourcerepo-sync/source_repo_default.yaml b/tools/sourcerepo-sync/source_repo_default.yaml index 3144c23d1cb..2f0f085f598 100644 --- a/tools/sourcerepo-sync/source_repo_default.yaml +++ b/tools/sourcerepo-sync/source_repo_default.yaml @@ -1,5 +1,7 @@ --- # Source Repository Default Configuration + # List of ecosystems to accept vulnerabilities for. '*' means accept all, empty list means accept none. + accepted_ecosystems: [] # Bucket name for SourceRepositoryType.BUCKET. bucket: # Whether to detect cherypicks or not (slow for large repos).