add initial config for vulntotal

- add osv validator

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

vulntotal/validator.py

@@ -0,0 +1,51 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# VulnTotal should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+# VulnTotal is a free software tool from nexB Inc. and others.
+# Visit https://github.com/nexB/vulnerablecode/ for support and download.
+
+import dataclasses
+import json
+from typing import Iterable
+from typing import List
+
+
+@dataclasses.dataclass(order=True)
+class VendorData:
+ raw_dump: str = ""
+ aliases: List[str] = dataclasses.field(default_factory=list)
+ affected_versions: List[str] = dataclasses.field(default_factory=list)
+ fixed_versions: List[str] = dataclasses.field(default_factory=list)
+
+ def to_dict(self):
+ return {
+ "affected_versions": self.affected_versions,
+ "fixed_versions": self.fixed_versions,
+ "aliases": self.aliases,
+ "raw_dump": self.raw_dump,
+ }
+
+
+class Validator:
+ def validator_advisory(self, purl) -> Iterable[VendorData]:
+ """
+ Yield VendorData object corresponding to vendor
+ """
+ return NotImplementedError

vulntotal/validator_runner.py

@@ -0,0 +1,22 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# VulnTotal should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+# VulnTotal is a free software tool from nexB Inc. and others.
+# Visit https://github.com/nexB/vulnerablecode/ for support and download.

vulntotal/validators/__init__.py

@@ -0,0 +1,22 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# VulnTotal should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+# VulnTotal is a free software tool from nexB Inc. and others.
+# Visit https://github.com/nexB/vulnerablecode/ for support and download.

vulntotal/validators/osv.py

@@ -0,0 +1,76 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# VulnTotal should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+# VulnTotal is a free software tool from nexB Inc. and others.
+# Visit https://github.com/nexB/vulnerablecode/ for support and download.
+
+import json
+from typing import Iterable
+
+import requests
+from packageurl import PackageURL
+
+from vulntotal.validator import Validator
+from vulntotal.validator import VendorData
+
+
+class OSVValidator(Validator):
+ spdx_license_expression = "Apache-2.0"
+ license_url = "https://github.com/google/osv/blob/master/LICENSE"
+
+ def validator_advisory(self, purl) -> Iterable[VendorData]:
+
+ # source https://ossf.github.io/osv-schema/
+ supported_ecosystem = {
+ "npm": "npm",
+ "maven": "Maven",
+ "go": "Go",
+ "nuget": "NuGet",
+ "pypi": "PyPI",
+ "rubygems": "RubyGems",
+ "crates.io": "crates.io",
+ "packagist": "Packagist",
+ "linux": "Linux",
+ "oss-fuzz": "OSS-Fuzz",
+ "debian": "Debian",
+ "hex": "Hex",
+ "android": "Android",
+ }
+ url = "https://api.osv.dev/v1/query"
+
+ requestpayload = {}
+ requestpayload["version"] = purl.version
+ requestpayload["package"] = {}
+ requestpayload["package"]["name"] = purl.name
+ if purl.type in supported_ecosystem:
+ requestpayload["package"]["ecosystem"] = supported_ecosystem[purl.type]
+
+ raw_response = requests.post(url, data=str(requestpayload))
+ response = json.loads(raw_response.text)
+
+ for vuln in response["vulns"]:
+ fixed = [fix["events"][1]["fixed"] for fix in vuln["affected"][0]["ranges"]]
+
+ yield VendorData(
+ aliases=vuln["aliases"],
+ affected_versions=vuln["affected"][0]["versions"],
+ fixed_versions=fixed,
+ raw_dump=raw_response.text,
+ )

vulntotal/validators/vulnerablecode.py

@@ -0,0 +1,22 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# VulnTotal should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+# VulnTotal is a free software tool from nexB Inc. and others.
+# Visit https://github.com/nexB/vulnerablecode/ for support and download.