 def _request_analysis(self, bug, source_repo, repo):
     """Dispatch analysis of `bug` to the backend that owns its source of truth.

     A bug whose source of truth is the source repository is handed to
     ``_request_analysis_external`` along with ``osv.source_path(bug)``;
     every other bug goes through ``_request_internal_analysis``.
     """
     repo_backed = bug.source_of_truth == osv.SourceOfTruth.SOURCE_REPO
     if not repo_backed:
         self._request_internal_analysis(bug)
         return

     # osv.source_path(bug) is what the external analyser is pointed at;
     # presumably a path relative to the source repository — confirm there.
     self._request_analysis_external(source_repo, repo, osv.source_path(bug))
def add_source_info(bug, response):
    """Populate ``response['source']`` (and ``'source_link'``) for `bug`.

    Internally owned bugs are tagged with the literal ``'INTERNAL'``. Bugs
    backed by a source repository get a link built from the repository's
    ``link`` and the bug's path inside it. When the repository is unknown or
    has no ``link``, `response` is left untouched.
    """
    internal = bug.source_of_truth == osv.SourceOfTruth.INTERNAL
    if internal:
        response['source'] = 'INTERNAL'
        return

    source_repo = osv.get_source_repository(bug.source)
    # Nothing to point at without a registered repository that exposes a link.
    if not (source_repo and source_repo.link):
        return

    # NOTE(review): plain string concatenation — assumes ``link`` already ends
    # with whatever separator the path needs; verify against the repo config.
    link = source_repo.link + osv.source_path(source_repo, bug)
    response['source'] = link
    response['source_link'] = link
  def _request_analysis(self, bug, source_repo, repo):
    """Request analysis of `bug`, routed by its source of truth.

    For repo-backed bugs the record's file is located inside the checked-out
    `repo`. If the file is gone the request is skipped with an info log;
    otherwise its SHA-256 is handed to the external analyser together with
    the repo-relative path (presumably so a changed file can be detected on
    the other side). Internal bugs go to `_request_internal_analysis`.
    """
    if bug.source_of_truth != osv.SourceOfTruth.SOURCE_REPO:
      self._request_internal_analysis(bug)
      return

    relative_path = osv.source_path(source_repo, bug)
    absolute_path = os.path.join(osv.repo_path(repo), relative_path)
    if not os.path.exists(absolute_path):
      logging.info(
          'Skipping analysis for %s as the source file no longer exists.',
          relative_path)
      return

    # NOTE(review): the existence check and the hash are not atomic; a file
    # removed in between surfaces as whatever osv.sha256 raises.
    digest = osv.sha256(absolute_path)
    self._request_analysis_external(source_repo, digest, relative_path)
    def _handle_deleted(self, source_repo, vuln_path):
        """Mark the bug whose record lived at `vuln_path` as INVALID.

        The bug id is the file name without its extension. The bug is only
        invalidated when the path OSV expects for it in `source_repo` equals
        `vuln_path`, so a deletion at some other location cannot retire a bug
        that is still tracked at its expected path. An unknown id is logged
        as an error and otherwise ignored.
        """
        file_name = os.path.basename(vuln_path)
        vuln_id, _ = os.path.splitext(file_name)
        bug = osv.Bug.get_by_id(vuln_id)
        if not bug:
            logging.error('Failed to find Bug with ID %s', vuln_id)
            return

        # Guard: only the record at the bug's expected path may invalidate it.
        expected_path = osv.source_path(source_repo, bug)
        if expected_path != vuln_path:
            logging.info(
                'Request path %s does not match %s, not marking as invalid.',
                vuln_path, expected_path)
            return

        logging.info('Marking %s as invalid.', vuln_id)
        bug.status = osv.BugStatus.INVALID
        bug.put()
    def import_new_oss_fuzz_entries(self, repo, oss_fuzz_source):
        """Export internally owned OSS-Fuzz bugs into `repo` and push them.

        Every INTERNAL bug that is PROCESSED, public, belongs to
        `oss_fuzz_source` and has no file in the repository yet is written out
        as YAML and switched to SOURCE_REPO ownership. The new files are
        committed and pushed in one go; the ownership change is only persisted
        with ``ndb.put_multi`` after the push reports success, so a failed
        push leaves the datastore as it was.
        """
        base_dir = os.path.join(
            osv.repo_path(repo), oss_fuzz_source.directory_path or '')

        def wanted(bug):
            """True for processed, public bugs that come from this source."""
            if bug.status != osv.BugStatus.PROCESSED or not bug.public:
                return False
            source_name, _ = osv.parse_source_id(bug.source_id)
            return source_name == oss_fuzz_source.name

        exported = []
        internal_bugs = osv.Bug.query(
            osv.Bug.source_of_truth == osv.SourceOfTruth.INTERNAL)
        for bug in internal_bugs:
            if not wanted(bug):
                continue

            # NOTE(review): os.path.join drops base_dir if osv.source_path ever
            # returns an absolute path; assumed here to be repo-relative.
            target = os.path.join(base_dir, osv.source_path(bug))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if os.path.exists(target):
                continue

            logging.info('Writing %s', bug.key.id())
            osv.vulnerability_to_yaml(bug.to_vulnerability(), target)
            # From here on the YAML file, not the datastore, is authoritative.
            bug.source_of_truth = osv.SourceOfTruth.SOURCE_REPO
            exported.append(bug)

        # Stage everything and bail out if nothing actually changed.
        repo.index.add_all()
        diff = repo.index.diff_to_tree(repo.head.peel().tree)
        if not diff:
            logging.info('No new entries, skipping committing.')
            return

        logging.info('Commiting and pushing new entries')
        pushed = osv.push_source_changes(repo, 'Import from OSS-Fuzz',
                                         self._git_callbacks(oss_fuzz_source))
        if pushed:
            ndb.put_multi(exported)