Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support parsing commits from manifests #99

Open
5 of 9 tasks
G-Rath opened this issue Jun 6, 2022 · 4 comments
Open
5 of 9 tasks

Support parsing commits from manifests #99

G-Rath opened this issue Jun 6, 2022 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@G-Rath
Copy link
Owner

G-Rath commented Jun 6, 2022
edited
Loading

#94 adds support for using the osv.dev API which supports commits as well as versions - so we should make sure the manifest parsers are able to extract this information from their respective files as much as possible.

(This is mostly a place for me to dump info I find during research)

  • cargo.lock
  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml
  • composer.lock
  • Gemfile.lock
  • go.mod
  • pom.xml
  • requirements.txt
@G-Rath G-Rath added enhancement New feature or request help wanted Extra attention is needed labels Jun 6, 2022
@G-Rath
Copy link
Owner Author

G-Rath commented Jun 6, 2022
edited
Loading

cargo.lock

It looks like for crates.io, we want to extract this from the source property:

https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html#cargotoml-vs-cargolock

cargo.toml:

[package]
name = "hello_world"
version = "0.1.0"

[dependencies]
regex = { git = "https://github.com/rust-lang/regex.git" }

cargo.lock:

[[package]]
name = "hello_world"
version = "0.1.0"
dependencies = [
 "regex 1.5.0 (git+https://github.com/rust-lang/regex.git#9f9f693768c584971a4d53bc3c586c33ed3a6831)",
]

[[package]]
name = "regex"
version = "1.5.0"
source = "git+https://github.com/rust-lang/regex.git#9f9f693768c584971a4d53bc3c586c33ed3a6831"

@G-Rath

This comment was marked as resolved.

Sign in to view
@G-Rath

This comment was marked as resolved.

Sign in to view
This was referenced Jun 10, 2022
Merged
Merged
Merged
Merged
@G-Rath
Copy link
Owner Author

G-Rath commented Jun 14, 2022
edited
Loading

For go.mod things seem pretty well spec'd - we're wanting to parse "pseudo-versions": https://go.dev/ref/mod#glos-pseudo-version

A version that encodes a revision identifier (such as a Git commit hash) and a timestamp from a version control system. For example, v0.0.0-20191109021931-daa7c04131f5. Used for compatibility with non-module repositories and in other situations when a tagged version is not available.

and https://go.dev/ref/mod#vcs-pseudo:

The last 12 characters of the pseudo-version (daa7c04131f5 in the example above) indicate a revision in the repository to check out. The meaning of this depends on the version control system. For Git and Mercurial, this is a prefix of a commit hash. For Subversion, this is a zero-padded revision number.

Also: https://go.dev/ref/mod#pseudo-versions

So we should just check if a version string ends with - & 12 chars. The interesting question is should we remove this from the version string? 🤔

I've got an implementation for this, but am holding off landing it because it actually makes the detector weaker because e.g. for golang.org/x/crypto/ssh the version v0.0.0-20200220183623-1d94cc7ab1c6 can be matched correctly against some vulnerabilities both locally and by the API, but v0.0.0 cannot and the api doesn't support commits well enough yet to resolve the commit (1d94cc7ab1c6) to the correct vulnerabilities either.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@G-Rath