Class: Brew::Vulns::OsvClient
- Inherits:
-
Object
- Object
- Brew::Vulns::OsvClient
- Defined in:
- lib/brew/vulns/osv_client.rb
Defined Under Namespace
Constant Summary collapse
- API_BASE =
"https://api.osv.dev/v1"- BATCH_SIZE =
1000- OPEN_TIMEOUT =
10- READ_TIMEOUT =
30- MAX_RETRIES =
3- RETRY_DELAY =
1- USER_AGENT =
"brew-vulns/#{Brew::Vulns::VERSION} (+https://github.com/Homebrew/homebrew-brew-vulns)"- MAX_PAGES =
100
Instance Method Summary collapse
- #execute_request(uri, request) ⇒ Object
- #fetch_all_pages(response, original_payload) ⇒ Object
- #get(path) ⇒ Object
- #get_vulnerability(vuln_id) ⇒ Object
-
#initialize(force_ipv4: false) ⇒ OsvClient
constructor
A new instance of OsvClient.
- #post(path, payload) ⇒ Object
- #query(repo_url:, version:) ⇒ Object
- #query_batch(packages) ⇒ Object
-
#resolve_ipv4(host) ⇒ Object
Resolve the first IPv4 address for
host, for use with Net::HTTP#ipaddr= to bypass a misbehaving IPv6 path.
Constructor Details
#initialize(force_ipv4: false) ⇒ OsvClient
Returns a new instance of OsvClient.
24 25 26 |
# File 'lib/brew/vulns/osv_client.rb', line 24 def initialize(force_ipv4: false) @force_ipv4 = force_ipv4 end |
Instance Method Details
#execute_request(uri, request) ⇒ Object
92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 |
# File 'lib/brew/vulns/osv_client.rb', line 92 def execute_request(uri, request) attempts = 0 ipv4_addr = resolve_ipv4(uri.host) if @force_ipv4 begin attempts += 1 http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = uri.scheme == "https" http.verify_mode = OpenSSL::SSL::VERIFY_PEER http.open_timeout = OPEN_TIMEOUT http.read_timeout = READ_TIMEOUT http.ipaddr = ipv4_addr if ipv4_addr response = http.request(request) case response when Net::HTTPSuccess JSON.parse(response.body) else raise ApiError, "OSV API error: #{response.code} #{response.}" end rescue JSON::ParserError => e raise ApiError, "Invalid JSON response from OSV API: #{e.}" rescue Net::OpenTimeout, Net::ReadTimeout => e if attempts < MAX_RETRIES ipv4_addr ||= resolve_ipv4(uri.host) if attempts == MAX_RETRIES - 1 sleep RETRY_DELAY retry end raise ApiError, "OSV API timeout after #{attempts} attempts: #{e.}" rescue SocketError, Errno::ECONNREFUSED => e if attempts < MAX_RETRIES ipv4_addr ||= resolve_ipv4(uri.host) if attempts == MAX_RETRIES - 1 sleep RETRY_DELAY retry end raise ApiError, "OSV API connection error after #{attempts} attempts: #{e.}" rescue OpenSSL::SSL::SSLError => e raise ApiError, "OSV API SSL error: #{e.}" end end |
#fetch_all_pages(response, original_payload) ⇒ Object
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 |
# File 'lib/brew/vulns/osv_client.rb', line 145 def fetch_all_pages(response, original_payload) vulns = response["vulns"] || [] page_token = response["next_page_token"] page_count = 1 while page_token if page_count >= MAX_PAGES raise ApiError, "OSV API returned more than #{MAX_PAGES} pages of results; aborting to avoid an unbounded loop" end payload = original_payload.merge(page_token: page_token) response = post("/query", payload) vulns.concat(response["vulns"] || []) page_token = response["next_page_token"] page_count += 1 end vulns end |
#get(path) ⇒ Object
83 84 85 86 87 88 89 90 |
# File 'lib/brew/vulns/osv_client.rb', line 83 def get(path) uri = URI("#{API_BASE}#{path}") request = Net::HTTP::Get.new(uri) request["Content-Type"] = "application/json" request["User-Agent"] = USER_AGENT execute_request(uri, request) end |
#get_vulnerability(vuln_id) ⇒ Object
69 70 71 |
# File 'lib/brew/vulns/osv_client.rb', line 69 def get_vulnerability(vuln_id) get("/vulns/#{URI.encode_uri_component(vuln_id)}") end |
#post(path, payload) ⇒ Object
73 74 75 76 77 78 79 80 81 |
# File 'lib/brew/vulns/osv_client.rb', line 73 def post(path, payload) uri = URI("#{API_BASE}#{path}") request = Net::HTTP::Post.new(uri) request["Content-Type"] = "application/json" request["User-Agent"] = USER_AGENT request.body = JSON.generate(payload) execute_request(uri, request) end |
#query(repo_url:, version:) ⇒ Object
28 29 30 31 32 33 34 35 36 37 38 39 |
# File 'lib/brew/vulns/osv_client.rb', line 28 def query(repo_url:, version:) payload = { package: { name: repo_url, ecosystem: "GIT" }, version: version } response = post("/query", payload) fetch_all_pages(response, payload) end |
#query_batch(packages) ⇒ Object
41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
# File 'lib/brew/vulns/osv_client.rb', line 41 def query_batch(packages) return [] if packages.empty? results = Array.new(packages.size) { [] } packages.each_slice(BATCH_SIZE).with_index do |batch, batch_idx| queries = batch.map do |pkg| { package: { name: pkg[:repo_url], ecosystem: "GIT" }, version: pkg[:version] } end response = post("/querybatch", { queries: queries }) batch_results = response["results"] || [] batch_results.each_with_index do |result, idx| global_idx = batch_idx * BATCH_SIZE + idx results[global_idx] = result["vulns"] || [] end end results end |
#resolve_ipv4(host) ⇒ Object
Resolve the first IPv4 address for host, for use with Net::HTTP#ipaddr=
to bypass a misbehaving IPv6 path. Returns nil (so the caller falls back
to default resolution) if no A record is found or DNS fails.
137 138 139 140 141 |
# File 'lib/brew/vulns/osv_client.rb', line 137 def resolve_ipv4(host) Addrinfo.getaddrinfo(host, nil, Socket::AF_INET, Socket::SOCK_STREAM).first&.ip_address rescue SocketError nil end |