Class: Brew::Vulns::OsvClient

Inherits:
Object
  • Object
show all
Defined in:
lib/brew/vulns/osv_client.rb

Defined Under Namespace

Classes: ApiError, Error

Constant Summary collapse

API_BASE =
"https://api.osv.dev/v1"
BATCH_SIZE =
1000
OPEN_TIMEOUT =
10
READ_TIMEOUT =
30
MAX_RETRIES =
3
RETRY_DELAY =
1
USER_AGENT =
"brew-vulns/#{Brew::Vulns::VERSION} (+https://github.com/Homebrew/homebrew-brew-vulns)"
MAX_PAGES =
100

Instance Method Summary collapse

Constructor Details

#initialize(force_ipv4: false) ⇒ OsvClient

Returns a new instance of OsvClient.



24
25
26
# File 'lib/brew/vulns/osv_client.rb', line 24

def initialize(force_ipv4: false)
  @force_ipv4 = force_ipv4
end

Instance Method Details

#execute_request(uri, request) ⇒ Object



92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# File 'lib/brew/vulns/osv_client.rb', line 92

def execute_request(uri, request)
  attempts = 0
  ipv4_addr = resolve_ipv4(uri.host) if @force_ipv4

  begin
    attempts += 1
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = uri.scheme == "https"
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.open_timeout = OPEN_TIMEOUT
    http.read_timeout = READ_TIMEOUT
    http.ipaddr = ipv4_addr if ipv4_addr

    response = http.request(request)

    case response
    when Net::HTTPSuccess
      JSON.parse(response.body)
    else
      raise ApiError, "OSV API error: #{response.code} #{response.message}"
    end
  rescue JSON::ParserError => e
    raise ApiError, "Invalid JSON response from OSV API: #{e.message}"
  rescue Net::OpenTimeout, Net::ReadTimeout => e
    if attempts < MAX_RETRIES
      ipv4_addr ||= resolve_ipv4(uri.host) if attempts == MAX_RETRIES - 1
      sleep RETRY_DELAY
      retry
    end
    raise ApiError, "OSV API timeout after #{attempts} attempts: #{e.message}"
  rescue SocketError, Errno::ECONNREFUSED => e
    if attempts < MAX_RETRIES
      ipv4_addr ||= resolve_ipv4(uri.host) if attempts == MAX_RETRIES - 1
      sleep RETRY_DELAY
      retry
    end
    raise ApiError, "OSV API connection error after #{attempts} attempts: #{e.message}"
  rescue OpenSSL::SSL::SSLError => e
    raise ApiError, "OSV API SSL error: #{e.message}"
  end
end

#fetch_all_pages(response, original_payload) ⇒ Object



145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
# File 'lib/brew/vulns/osv_client.rb', line 145

def fetch_all_pages(response, original_payload)
  vulns = response["vulns"] || []
  page_token = response["next_page_token"]
  page_count = 1

  while page_token
    if page_count >= MAX_PAGES
      raise ApiError,
            "OSV API returned more than #{MAX_PAGES} pages of results; aborting to avoid an unbounded loop"
    end

    payload = original_payload.merge(page_token: page_token)
    response = post("/query", payload)
    vulns.concat(response["vulns"] || [])
    page_token = response["next_page_token"]
    page_count += 1
  end

  vulns
end

#get(path) ⇒ Object



83
84
85
86
87
88
89
90
# File 'lib/brew/vulns/osv_client.rb', line 83

def get(path)
  uri = URI("#{API_BASE}#{path}")
  request = Net::HTTP::Get.new(uri)
  request["Content-Type"] = "application/json"
  request["User-Agent"] = USER_AGENT

  execute_request(uri, request)
end

#get_vulnerability(vuln_id) ⇒ Object



69
70
71
# File 'lib/brew/vulns/osv_client.rb', line 69

def get_vulnerability(vuln_id)
  get("/vulns/#{URI.encode_uri_component(vuln_id)}")
end

#post(path, payload) ⇒ Object



73
74
75
76
77
78
79
80
81
# File 'lib/brew/vulns/osv_client.rb', line 73

def post(path, payload)
  uri = URI("#{API_BASE}#{path}")
  request = Net::HTTP::Post.new(uri)
  request["Content-Type"] = "application/json"
  request["User-Agent"] = USER_AGENT
  request.body = JSON.generate(payload)

  execute_request(uri, request)
end

#query(repo_url:, version:) ⇒ Object



28
29
30
31
32
33
34
35
36
37
38
39
# File 'lib/brew/vulns/osv_client.rb', line 28

def query(repo_url:, version:)
  payload = {
    package: {
      name: repo_url,
      ecosystem: "GIT"
    },
    version: version
  }

  response = post("/query", payload)
  fetch_all_pages(response, payload)
end

#query_batch(packages) ⇒ Object



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# File 'lib/brew/vulns/osv_client.rb', line 41

def query_batch(packages)
  return [] if packages.empty?

  results = Array.new(packages.size) { [] }

  packages.each_slice(BATCH_SIZE).with_index do |batch, batch_idx|
    queries = batch.map do |pkg|
      {
        package: {
          name: pkg[:repo_url],
          ecosystem: "GIT"
        },
        version: pkg[:version]
      }
    end

    response = post("/querybatch", { queries: queries })
    batch_results = response["results"] || []

    batch_results.each_with_index do |result, idx|
      global_idx = batch_idx * BATCH_SIZE + idx
      results[global_idx] = result["vulns"] || []
    end
  end

  results
end

#resolve_ipv4(host) ⇒ Object

Resolve the first IPv4 address for host, for use with Net::HTTP#ipaddr= to bypass a misbehaving IPv6 path. Returns nil (so the caller falls back to default resolution) if no A record is found or DNS fails.



137
138
139
140
141
# File 'lib/brew/vulns/osv_client.rb', line 137

def resolve_ipv4(host)
  Addrinfo.getaddrinfo(host, nil, Socket::AF_INET, Socket::SOCK_STREAM).first&.ip_address
rescue SocketError
  nil
end