
Fetching vulnerabilities via api for ubuntu packages by purl with version does not work #2842

Open
Andre-85 opened this issue Nov 8, 2024 · 4 comments
Labels
api API-related infrastructure cleanup Code hygiene and cleanup

Comments

@Andre-85

Andre-85 commented Nov 8, 2024

Hello everyone,
I tried to fetch vulnerabilities via the API with the purl (Package URL). In the SBOM from which I am extracting the packages, the purl has the following format: `pkg:deb/ubuntu/PACKAGE_NAME@VERSION`.

What I've tested:

1. The API works with purls like this, e.g. for Maven packages. Test:
   `curl -d '{"package": {"purl": "pkg:maven/org.apache.struts/[email protected]"}}' https://api.osv.dev/v1/query`
2. Ubuntu purls work if I know the arch and the distribution. Test:
   `curl -d '{"package": {"purl": "pkg:deb/ubuntu/ruby-sinatra?arch=src&distro=jammy"}}' https://api.osv.dev/v1/query`
3. It works if I split the purl into package name, version and namespace (== ecosystem). Test:
   `curl -d '{"package": {"name": "atftp", "ecosystem": "ubuntu"}, "version": "0.7.git20120829-3.1~0.18.04.1"}' https://api.osv.dev/v1/query`
4. But giving only the purl for the same package and version as in 3. returns nothing. Test:
   `curl -d '{"package": {"purl": "pkg:deb/ubuntu/[email protected]~0.18.04.1"}}' https://api.osv.dev/v1/query`
5. Additionally, I found out that this works for Debian packages coming directly from Debian. Test:
   `curl -d '{"package": {"purl": "pkg:deb/debian/[email protected]+deb10u3"}}' https://api.osv.dev/v1/query`

Right now I use (3.) as a workaround, but it would be nice if it could work like (1.). Thank you very much for your help in advance.

Greetings,
André

@cuixq cuixq added the api API-related infrastructure label Nov 19, 2024
@cuixq
Contributor

cuixq commented Nov 19, 2024

@hogo6002 can you help to answer this?

@Andre-85
Author

If you could help, this would be great. Meanwhile I tried to understand how the osv.dev service works. My plan was to run an API server in a Docker/Podman container, test patches on it and connect it to the osv.dev database on the internet. Setting up with Podman works:

```
podman build --file gcp/api/Dockerfile -t osv-api .
podman run -p 8000:8000 osv-api:latest
```

But because of missing/wrong ndb credentials I cannot connect to the osv.dev database. Did I make a mistake, or is such a test setup not possible at all because access to the database itself is private to Google's osv.dev service?

@hogo6002
Contributor

Hi @Andre-85, thanks for reporting this issue!

> But because of missing/wrong ndb credentials I cannot connect to the osv.dev database. Did I make a mistake, or is such a test setup not possible at all because access to the database itself is private to Google's osv.dev service?

You didn't make any mistakes, and this is by design. Currently, only we can set up the API locally because it requires the ndb credentials.

The issue is due to the ecosystem being falsely parsed from the PURL in OSV. We currently get the ecosystem name from purl.type, which works for project ecosystems such as npm and Maven. However, for Linux distributions, several ecosystems may use the same package management system. For example, both Debian and Ubuntu use Debian package management, and the purl.type here would be deb, so we treated the Ubuntu query as a Debian version query. This is why the version query works with Debian but not with Ubuntu (we perform an ecosystem check for version queries).

PURL spec: `scheme:type/namespace/name@version?qualifiers#subpath`

To solve this, we will use purl.namespace to get the ecosystem for Linux distributions.
Thanks again for reporting this with a detailed explanation of the problem. A fix will be coming soon!
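As an added illustration (not code from osv.dev), a small Python PURL parser that contrasts the two ways of deriving the ecosystem described above: the type-based lookup that treats `pkg:deb/ubuntu/...` as a Debian query, and the namespace-based lookup that yields Ubuntu. It then builds the name/ecosystem/version query body of the reporter's workaround (3). The lookup tables are assumptions for the example.

```python
import re
from urllib.parse import unquote

# PURL shape quoted in the thread: scheme:type/namespace/name@version?qualifiers#subpath
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]+))?(?:#(?P<subpath>.*))?$"
)

# Assumed tables (illustrative, not osv.dev's own): keyed by purl.type for project ecosystems, by purl.namespace for package types shared by several distros.
TYPE_TO_ECOSYSTEM = {"maven": "Maven", "npm": "npm", "deb": "Debian"}
DISTRO_TYPES = {"deb"}
NAMESPACE_TO_ECOSYSTEM = {"debian": "Debian", "ubuntu": "Ubuntu"}


def parse_purl(purl: str) -> dict:
    """Split a PURL into type/namespace/name/version/qualifiers/subpath."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a valid purl: {purl}")
    parts = {k: (unquote(v) if v else None) for k, v in m.groupdict().items()}
    quals = {}
    for pair in (m.group("qualifiers") or "").split("&"):
        if "=" in pair:  # qualifiers are key=value pairs joined by '&'
            key, val = pair.split("=", 1)
            quals[key.lower()] = unquote(val)
    parts["qualifiers"] = quals
    return parts


def ecosystem_from_type(p: dict):
    """Behaviour the issue describes: ecosystem from purl.type only (deb -> Debian)."""
    return TYPE_TO_ECOSYSTEM.get(p["type"].lower())


def ecosystem_from_namespace(p: dict):
    """Fixed behaviour: for distro package types, use purl.namespace."""
    if p["type"].lower() in DISTRO_TYPES:
        return NAMESPACE_TO_ECOSYSTEM.get((p["namespace"] or "").lower())
    return ecosystem_from_type(p)


def osv_query_body(purl: str) -> dict:
    """Build the name/ecosystem/version query body of the reporter's workaround (3)."""
    p = parse_purl(purl)
    eco = ecosystem_from_namespace(p)
    if eco is None:
        raise ValueError(f"no OSV ecosystem known for {purl}")
    body = {"package": {"name": p["name"], "ecosystem": eco}}
    if p["version"]:
        body["version"] = p["version"]
    return body
```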

@Andre-85
Author

That's great news! I can't wait for testing it!

Thank you very much 👍

@hogo6002 hogo6002 added the cleanup Code hygiene and cleanup label Nov 25, 2024
hogo6002 added a commit that referenced this issue Nov 28, 2024
Converted PURL queries to package queries in `do_query()` to remove
unnecessary code. Querying the Datastore directly with PURLs gives the
same results as querying by package name, so we can simplify things by
treating PURLs like regular package queries after extracting the
`package/ecosystem/version`.

This will also resolve issue #2842 by rewriting the PURL-to-ecosystem
logic. For most ecosystems, we can get the name from `purl.type`, but
for Linux distributions, we need to use `purl.namespace`.