Export advisories in OSV format

[jaylinski]

Fixes #576

This commit adds an automatic OSV export to the osv branch while keeping the current repository as is.

Inspired by rustsec: https://github.com/rustsec/advisory-db/blob/main/.github/workflows/export-osv.yml

Preview

https://github.com/jaylinski/security-advisories/tree/osv

Possible improvements

• Validate generated JSON against spec (https://github.com/ossf/osv-schema/blob/main/validation/schema.json)
• Validate uniqueness of IDs

Before merging

• Create an empty osv branch with a readme similar to this one: https://github.com/rustsec/advisory-db/blob/osv/README.md

[jaylinski]

⚠️ This is not correct, because this DB only specifies ranges that are affected, but not the fixed version.

Maybe we can just convert versions like <8.22.1 to 8.22.1.

[naderman]

How useful is OSV if we cannot list fixed versions at all?

[jaylinski]

@naderman I worked around this by retrieving all package tags from the Packagist API and comparing the ranges with the tags by calling Semver::satisfies($version, implode(' ', $constraints)).

Example: https://github.com/jaylinski/security-advisories/blob/osv/packagist/CVE-2021-43608.json

What do you think about it?

[naderman]

Would it make more sense to add this to packagist.org's security advisories API as a new output format (which pulls data from this repo here)? As you'd have access to live package data there?

[jaylinski]

Yes, definitely. I wasn't aware of the packagist.org security advisories API.

Should I open a PR at the packagist.org repo?

[naderman]

Sure, go ahead! :-)

It's pretty simple right now, just a way to list advisories for a set of packages, see https://packagist.org/apidoc#list-security-advisories

[stof]

be careful. We have cases like >= 1.3.0, <2.0 where things are not fixed in 2.0 (if another branch has >=2.0 in its affected constraints)

[jaylinski]

That's true. I reworked it, see #599 (comment).

[stof]

$branch[0] is not a version but a constraint

[jaylinski]

That's true. I reworked it, see #599 (comment).

[stof]

this looks broken for packages using a custom repository

[jaylinski]

I'm now skipping packages that have a custom or no composer-repository.

[stof]

putting null in the array looks wrong to me

[jaylinski]

True. Since the validator enforces links anyway, I just skipped that check.

[icanhazstring]

Any new update here to get the fixed version into the list as well?

[jaylinski]

@icanhazstring The PHP and OSV vulnerability schemes don't have a fixed-field. Only the affected versions are listed.

(Or maybe I'm misunderstanding your question?)

[icanhazstring]

@jaylinski was referring to the comment from @naderman about the Packagist advisory api about the fixed version.

Or is it somewhat possible to get security issue listed with affected version and the next which fixes it?

[ohader]

Just wanted to leave that here (probably you knew it already):
e.g. https://github.com/github/advisory-database/blob/b07a1c25e2ec4fe59bf3dae2c6b7db3b02f4ae75/advisories/github-reviewed/2022/04/GHSA-x7cr-6qr6-2hh6/GHSA-x7cr-6qr6-2hh6.json

• gives an example of fixed and introduced nested in affected
• OSV items do exist already in GitHub's advisory DB - can we some "synchronize" multiple sources (did not think about the details & consequences, yet)

[naderman]

@ohader The packagist.org API already synchronizes and merges github's db and friendsofphp, e.g. see here: https://packagist.org/packages/guzzlehttp/guzzle/advisories?version=6278149

It would really just need someone to build an OSV compatible output for the data we collect there to have an OSV database for PHP.