osv 0.3.0

Rust library for parsing the OSV schema and client API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

//!
//! # Overview
//!
//! The osv client library provides a thin layer of abstraction
//! over the open source vulnerability (osv) database API. The osv database is
//! an open, precise and distributed approach to producing and consuming
//! vulnerability information for open source projects.
//!
//! This library currently provides a mean to find out whether a particular package
//! version is affected by any vulnerabilities and to fetch specific information
//! about a vulnerability within a number of different package ecosystems. It
//! is the intention to follow along with osv evolution and provide quality
//! type safe bindings to API for rust clients.
//!
//! The models and endpoints are derived from the documentation
//! published on <https://osv.dev/> directly.
//!
//! # Examples
//!
//! ```
//! use comfy_table::Table;
//! use osv::schema::Ecosystem::PyPI;
//! use textwrap::termwidth;
//!
//! #[tokio::main]
//! async fn main() -> Result<(), osv::client::ApiError> {
//!
//!    if let Some(vulns) = osv::client::query_package("jinja2", "2.4.1", PyPI).await? {
//!        let default = String::from("-");
//!        let linewrap = (termwidth() as f32 / 3.0 * 2.0).round() as usize;
//!        let mut table = Table::new();
//!        table.set_header(vec!["Vulnerability ID", "Details"]);
//!        for vuln in &vulns {
//!            let details = vuln.details.as_ref().unwrap_or(&default);
//!            let details = textwrap::wrap(details, linewrap).join("\n");
//!            table.add_row(vec![&vuln.id, &details]);
//!        }
//!        println!("{table}");
//!    }
//!    Ok(())
//!}
//! ```
//!
//! There are more examples [here](https://github.com/gcmurphy/osv/tree/master/examples) that demonstrate usage.

use super::schema::*;
use reqwest::StatusCode;
use serde::{Deserialize, Serialize};
use thiserror::Error;
use url::Url;

/// A Request encapsulates the different payloads that will be accepted by the
/// osv.dev API server. You can either submit a query to the server using a
/// commit hash or alternatively a package and version pair.
#[derive(Debug, Serialize)]
#[serde(untagged)]
pub enum Request {
    /// Query the vulnerability sources by commit ID
    CommitQuery { commit: Commit },

    /// Query the vulnerability sources by package and version pair.
    PackageQuery { version: Version, package: Package },
}

#[derive(Debug, Serialize, Deserialize)]
#[serde(untagged)]
enum Response {
    Vulnerabilities { vulns: Vec<Vulnerability> },
    NoResult(serde_json::Value),
}

/// ApiError is the common error type when a request is rejected
/// by the api.osv.dev endpoint, the response is not understood
/// by the client or there is an underlying connection
/// problem.
#[derive(Error, Debug)]
#[non_exhaustive]
pub enum ApiError {
    #[error("requested resource {0} not found")]
    NotFound(String),

    #[error("invalid request url: {0:?}")]
    InvalidUrl(#[from] url::ParseError),

    #[error("serialization failure: {0:?}")]
    SerializationError(#[from] serde_json::Error),

    #[error("request to osv endpoint failed: {0:?}")]
    RequestFailed(reqwest::Error),

    #[error("unexpected error has occurred")]
    Unexpected,
}

impl From<reqwest::Error> for ApiError {
    fn from(err: reqwest::Error) -> Self {
        ApiError::RequestFailed(err)
    }
}

///
/// Query the underlying Open Source Vulnerability (osv) database for
/// any vulnerabilities associated with either a package or a commit.
///
/// The request can either be based on a commit or package and version
/// tuple. When querying a package you also need to specify the package
/// ecosystem the package belongs to.
///
/// Note that - [`query_commit`](query_commit) and [`query_package`](query_package) are convenience wrappers
/// for this function and should be favoured over calling [`query`](query) directly.
///
///
/// # Examples
///
/// ```
/// # use tokio_test;
/// # tokio_test::block_on(async {
/// let ver = osv::schema::Version::from("2.4.1");
/// let pkg = "jinja2".to_string();
/// let req = osv::client::Request::PackageQuery {
///             version: ver,
///             package: osv::schema::Package {
///                name: pkg,
///                ecosystem: osv::schema::Ecosystem::PyPI,
///                purl: None,
///            }
///     };
///
/// let resp = osv::client::query(&req).await.expect("vulnerabilities expected");
/// println!("{:#?}", resp.unwrap());
/// # });
/// ```
///
///
pub async fn query(q: &Request) -> Result<Option<Vec<Vulnerability>>, ApiError> {
    let client = reqwest::Client::new();
    let res = client
        .post("https://api.osv.dev/v1/query")
        .json(q)
        .send()
        .await?;

    match res.status() {
        StatusCode::NOT_FOUND => {
            let err = match q {
                Request::PackageQuery {
                    version: _,
                    package: pkg,
                } => {
                    format!("package - `{}`", pkg.name)
                }
                Request::CommitQuery { commit: c } => {
                    format!("commit - `{}`", c)
                }
            };
            Err(ApiError::NotFound(err))
        }
        _ => {
            let vulns: Response = res.json().await?;
            match vulns {
                Response::Vulnerabilities { vulns: vs } => Ok(Some(vs)),
                _ => Ok(None),
            }
        }
    }
}

///
/// Query the Open Source Vulnerability (osv) database for
/// vulnerabilities associated with the specified package
/// and version.
///
/// See <https://osv.dev/docs/#operation/OSV_QueryAffected> for more
/// details.
///
/// # Examples
///
/// ```
/// use osv::client::query_package;
/// use osv::schema::Ecosystem::PyPI;
/// # use tokio_test;
/// # tokio_test::block_on(async {
///     let pkg = "jinja2";
///     let ver = "2.4.1";
///     if let Some(vulns) = query_package(pkg, ver, PyPI).await.unwrap() {
///         for vuln in &vulns {
///             println!("{:#?} - {:#?}", vuln.id, vuln.details);
///             if let Some(affected_range) = &vuln.affected {
///                 for affected in affected_range {
///                     println!("    {:#?}", affected.ranges);
///                 }
///             }
///         }
///     } else {
///         println!("no known vulnerabilities for {} v{}", pkg, ver);
///     }
/// # });
/// ```
pub async fn query_package(
    name: &str,
    version: &str,
    ecosystem: Ecosystem,
) -> Result<Option<Vec<Vulnerability>>, ApiError> {
    let req = Request::PackageQuery {
        version: Version::from(version),
        package: Package {
            name: name.to_string(),
            ecosystem,
            purl: None,
        },
    };

    query(&req).await
}

///
/// Query the Open Source Vulnerability (osv) database for
/// vulnerabilities based on a Git commit SHA1.
///
/// See <https://osv.dev/docs/#operation/OSV_QueryAffected> for more details
/// and examples.
///
/// # Examples
///
/// ```
/// # use osv::client::query_commit;
/// # use tokio_test;
/// # tokio_test::block_on(async {
/// let vulnerable = query_commit("6879efc2c1596d11a6a6ad296f80063b558d5e0f")
///         .await
///         .expect("api error");
///
/// match vulnerable {
///     Some(affected) => println!("{:#?}", affected),
///     None => println!("all clear!"),
/// }
/// # });
/// ```
///
pub async fn query_commit(commit: &str) -> Result<Option<Vec<Vulnerability>>, ApiError> {
    let req = Request::CommitQuery {
        commit: Commit::from(commit),
    };
    query(&req).await
}

///
/// Query the osv database for vulnerability by ID.
///
/// # Examples
///
/// ```
/// # use tokio::task;
/// use osv::client::vulnerability;
/// # use tokio_test;
/// # tokio_test::block_on(async {
/// let vuln = vulnerability("OSV-2020-484").await.unwrap();
/// assert!(vuln.id.eq("OSV-2020-484"));
///
/// # });
/// ```
pub async fn vulnerability(vuln_id: &str) -> Result<Vulnerability, ApiError> {
    let base = Url::parse("https://api.osv.dev/v1/vulns/")?;
    let req = base.join(vuln_id)?;
    let res = reqwest::get(req.as_str()).await?;
    if res.status() == StatusCode::NOT_FOUND {
        Err(ApiError::NotFound(vuln_id.to_string()))
    } else {
        let vuln: Vulnerability = res.json().await?;
        Ok(vuln)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_package_query() {
        let req = Request::PackageQuery {
            version: Version::from("2.4.1"),
            package: Package {
                name: "jinja2".to_string(),
                ecosystem: Ecosystem::PyPI,
                purl: None,
            },
        };
        let res = query(&req).await.unwrap();
        assert!(res.is_some());
    }

    #[tokio::test]
    async fn test_package_query_wrapper() {
        let res = query_package("jinja2", "2.4.1", Ecosystem::PyPI)
            .await
            .unwrap();
        assert!(res.is_some());
    }

    #[tokio::test]
    async fn test_invalid_packagename() {
        let res = query_package(
            "asdfasdlfkjlksdjfklsdjfklsdjfklds",
            "0.0.1",
            Ecosystem::PyPI,
        )
        .await
        .unwrap();
        assert!(res.is_none());
    }

    #[tokio::test]
    async fn test_commit_query() {
        let req = Request::CommitQuery {
            commit: Commit::from("6879efc2c1596d11a6a6ad296f80063b558d5e0f"),
        };
        let res = query(&req).await.unwrap();
        assert!(res.is_some());
    }

    #[tokio::test]
    async fn test_commit_query_wrapper() {
        let res = query_commit("6879efc2c1596d11a6a6ad296f80063b558d5e0f")
            .await
            .unwrap();
        assert!(res.is_some());
    }

    #[tokio::test]
    async fn test_invalid_commit() {
        let res = query_commit("zzzz").await.unwrap();
        assert!(res.is_none());
    }

    #[tokio::test]
    async fn test_vulnerability() {
        let res = vulnerability("OSV-2020-484").await;
        assert!(res.is_ok());
    }

    #[tokio::test]
    async fn test_get_missing_cve() {
        let res = vulnerability("CVE-2014-0161").await;
        assert!(res.is_err());
    }
}