osv.dev: Packagist vulnerabilities are not being reported for some packages

I’ve recently done an initial implementation for having osv-detector use the osv.dev api, but it looks like it’s not 1:1 with the offline databases, at least for Packagist.

Using this lockfile:
{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "b63765525e5fabcf664728d548ecf8a2",
    "packages": [
        {
            "name": "enshrined/svg-sanitize",
            "version": "0.13.3",
            "source": {
                "type": "git",
                "url": "https://github.com/darylldoyle/svg-sanitizer.git",
                "reference": "bc66593f255b7d2613d8f22041180036979b6403"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/bc66593f255b7d2613d8f22041180036979b6403",
                "reference": "bc66593f255b7d2613d8f22041180036979b6403",
                "shasum": ""
            },
            "require": {
                "ext-dom": "*",
                "ext-libxml": "*"
            },
            "require-dev": {
                "codeclimate/php-test-reporter": "^0.1.2",
                "phpunit/phpunit": "^6"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
                    "enshrined\\svgSanitize\\": "src"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "GPL-2.0-or-later"
            ],
            "authors": [
                {
                    "name": "Daryll Doyle",
                    "email": "daryll@enshrined.co.uk"
                }
            ],
            "description": "An SVG sanitizer for PHP",
            "time": "2020-01-20T01:34:17+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": []
}
❯ osv-detector-t --use-api --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
/mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
  no known vulnerabilities found

❯ osv-detector-t --use-dbs --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
/mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
  Loading OSV databases for the following ecosystems:
    Packagist (862 vulnerabilities, including withdrawn - last updated Fri, 13 May 2022 23:58:47 GMT)

  enshrined/svg-sanitize@0.13.3 is affected by the following vulnerabilities:
    GHSA-fqx8-v33p-4qcc: Cross-site Scripting in enshrined/svg-sanitize (https://github.com/advisories/GHSA-fqx8-v33p-4qcc)

  1 known vulnerability found in /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt

The vulnerability here correctly says it affects versions below 0.15.0, but it’s not reported even if I use the version:

❯ curl -X POST -d '{"commit": "bc66593f255b7d2613d8f22041180036979b6403"}' 'https://api.osv.dev/v1/query'
{}
❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
{}
❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize", "ecosystem": "Packagist"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
{}

Going with the lowest version for this package doesn’t return anything either, when it should return three vulnerabilities.

(my current theory is that this is because the advisory doesn’t have any versions, and the api isn’t checking against ranges?)
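To make the theory in the issue concrete, here is an added example (not code from osv-detector or osv.dev) of the two matching strategies side by side: a lookup that only consults an advisory's enumerated `versions` list, and one that also evaluates OSV `ECOSYSTEM` ranges, run over a minimal composer.lock. The lockfile and the advisory record are constructed; the advisory id is a placeholder, and the only concrete value carried over from the issue is the "fixed below 0.15.0" boundary. The version comparator assumes plain dotted numeric versions (a leading `v` is tolerated, pre-release suffixes are not handled).

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed minimal composer.lock with the package discussed in the issue.
LOCKFILE = """
{
  "packages": [{"name": "enshrined/svg-sanitize", "version": "0.13.3"}],
  "packages-dev": []
}
"""

# Constructed OSV-style advisory: an ECOSYSTEM range and NO `versions` list.
# "EXAMPLE-ADVISORY-1" is a placeholder id, not a real advisory identifier.
ADVISORIES = [
    {
        "id": "EXAMPLE-ADVISORY-1",
        "affected": [
            {
                "package": {"ecosystem": "Packagist", "name": "enshrined/svg-sanitize"},
                "ranges": [
                    {"type": "ECOSYSTEM",
                     "events": [{"introduced": "0"}, {"fixed": "0.15.0"}]}
                ],
            }
        ],
    }
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.13.3' (or 'v0.13.3') into a comparable tuple, padded to 3 parts."""
    parts = []
    for piece in v.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def affected_intervals(events: List[Dict[str, str]]):
    """Walk sorted OSV events into (start, end, end_inclusive) intervals.
    'introduced' opens an interval; 'fixed' closes it exclusively,
    'last_affected' closes it inclusively; an open interval has no end."""
    intervals: List[Tuple[str, Optional[str], bool]] = []
    start: Optional[str] = None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            intervals.append((start, ev["fixed"], False))
            start = None
        elif "last_affected" in ev and start is not None:
            intervals.append((start, ev["last_affected"], True))
            start = None
    if start is not None:
        intervals.append((start, None, False))
    return intervals


def version_in_range(version: str, events: List[Dict[str, str]]) -> bool:
    """True if `version` falls inside any interval described by `events`."""
    v = parse_version(version)
    for start, end, inclusive in affected_intervals(events):
        lower_ok = start == "0" or v >= parse_version(start)
        if end is None:
            upper_ok = True
        elif inclusive:
            upper_ok = v <= parse_version(end)
        else:
            upper_ok = v < parse_version(end)
        if lower_ok and upper_ok:
            return True
    return False


def versions_only_match(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """Lookup that only trusts the enumerated `versions` list (misses range-only advisories)."""
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") == ecosystem and pkg.get("name") == name:
            if version in aff.get("versions", []):
                return True
    return False


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """Lookup that checks the `versions` list AND evaluates ECOSYSTEM ranges."""
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_in_range(version, rng.get("events", [])):
                return True
    return False


def scan_lockfile(lock_json: str, advisories: List[dict], range_aware: bool = True) -> Dict[str, List[str]]:
    """Map 'name@version' -> matching advisory ids for every package in a composer.lock."""
    lock = json.loads(lock_json)
    matcher = is_affected if range_aware else versions_only_match
    findings: Dict[str, List[str]] = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        hits = [a["id"] for a in advisories
                if matcher(a, "Packagist", pkg["name"], pkg["version"])]
        if hits:
            findings[f"{pkg['name']}@{pkg['version']}"] = hits
    return findings


if __name__ == "__main__":
    print("range-aware:   ", scan_lockfile(LOCKFILE, ADVISORIES, range_aware=True))
    print("versions-only: ", scan_lockfile(LOCKFILE, ADVISORIES, range_aware=False))
```

Running it shows the gap the issue describes: the range-aware scan flags `enshrined/svg-sanitize@0.13.3`, while the versions-only scan reports nothing, because the advisory carries a range but no enumerated versions. Any client or service that matches only on `versions` will silently under-report for ecosystems whose advisories are range-only.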

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Closing this one as the required work is being tracked in https://github.com/google/osv.dev/issues/230.

Is that public somewhere? if so could you link me to it?

It’s at https://github.com/google/osv/blob/master/lib/osv/ecosystems.py