def _request_analysis(self, bug, source_repo, repo):
  """Request analysis of `bug`, choosing the path by its source of truth.

  Bugs whose source of truth is a source repository are handed to the
  external analysis request together with their repository-relative source
  path; every other bug goes to internal analysis.

  Args:
    bug: The osv.Bug to analyse.
    source_repo: Passed through unchanged to the external analysis request.
    repo: Passed through unchanged to the external analysis request.
  """
  owned_by_source_repo = (
      bug.source_of_truth == osv.SourceOfTruth.SOURCE_REPO)
  if not owned_by_source_repo:
    self._request_internal_analysis(bug)
    return

  self._request_analysis_external(source_repo, repo, osv.source_path(bug))
def add_source_info(bug, response):
  """Record in `response` where the authoritative copy of `bug` lives.

  For internally owned bugs `response['source']` is set to the literal
  string 'INTERNAL'. Otherwise, if the bug's source repository is known and
  has a link, both `response['source']` and `response['source_link']` are
  set to that link followed by the bug's path within the repository. When
  the repository or its link is missing, `response` is left untouched.

  Args:
    bug: The osv.Bug being described.
    response: Mutable mapping (dict-like) that is updated in place.
  """
  if bug.source_of_truth == osv.SourceOfTruth.INTERNAL:
    response['source'] = 'INTERNAL'
    return

  source_repo = osv.get_source_repository(bug.source)
  if source_repo and source_repo.link:
    # NOTE(review): plain string concatenation — assumes the stored `link`
    # already ends where the repository-relative path should begin (e.g. a
    # trailing '/'); confirm against the SourceRepository records.
    full_link = source_repo.link + osv.source_path(source_repo, bug)
    response['source'] = full_link
    response['source_link'] = full_link
def _request_analysis(self, bug, source_repo, repo):
  """Request analysis of `bug`, choosing the path by its source of truth.

  Bugs not owned by a source repository go straight to internal analysis.
  For repository-owned bugs the record file must still exist in the local
  checkout; if it does, its SHA-256 is computed and passed to the external
  analysis request along with the repository-relative path (presumably so
  the downstream step can tell whether the file changed in the meantime).
  If the file is gone, the request is logged and skipped.

  Args:
    bug: The osv.Bug to analyse.
    source_repo: Source repository the bug belongs to; used to resolve the
      bug's path within the repository.
    repo: Checked-out git repository used to locate the file on disk.
  """
  if bug.source_of_truth != osv.SourceOfTruth.SOURCE_REPO:
    self._request_internal_analysis(bug)
    return

  rel_path = osv.source_path(source_repo, bug)
  abs_path = os.path.join(osv.repo_path(repo), rel_path)
  if not os.path.exists(abs_path):
    logging.info(
        'Skipping analysis for %s as the source file no longer exists.',
        rel_path)
    return

  # NOTE(review): the file can still disappear between the exists() check
  # above and the hashing below; whether osv.sha256 raises in that case is
  # not visible here — confirm before relying on the check alone.
  digest = osv.sha256(abs_path)
  self._request_analysis_external(source_repo, digest, rel_path)
def _handle_deleted(self, source_repo, vuln_path):
  """Mark the bug whose record at `vuln_path` was deleted as INVALID.

  The bug ID is taken from the file's basename with its extension removed.
  The bug is invalidated only when the path the datastore associates with
  it is exactly `vuln_path`; this keeps a deleted file with a colliding
  basename elsewhere in the repository from invalidating an unrelated bug.
  A missing bug is logged as an error and otherwise ignored.

  Args:
    source_repo: Source repository the deleted file came from; used to
      resolve the bug's expected path.
    vuln_path: Repository-relative path of the deleted record file.
  """
  file_name = os.path.basename(vuln_path)
  vuln_id, _ = os.path.splitext(file_name)

  bug = osv.Bug.get_by_id(vuln_id)
  if not bug:
    logging.error('Failed to find Bug with ID %s', vuln_id)
    return

  expected_path = osv.source_path(source_repo, bug)
  if expected_path == vuln_path:
    logging.info('Marking %s as invalid.', vuln_id)
    bug.status = osv.BugStatus.INVALID
    bug.put()
  else:
    logging.info(
        'Request path %s does not match %s, not marking as invalid.',
        vuln_path, expected_path)
def import_new_oss_fuzz_entries(self, repo, oss_fuzz_source):
  """Export internally owned OSS-Fuzz bugs into the source repository.

  Walks every bug whose source of truth is INTERNAL and, for those that are
  PROCESSED, public and attributed to `oss_fuzz_source`, writes a YAML
  record under the source's directory in the checkout (skipping any whose
  file already exists). The written bugs are then committed and pushed; only
  if the push reports success are they persisted with their source of truth
  switched to SOURCE_REPO. If nothing changed in the index, no commit is
  attempted and no datastore write happens.

  Args:
    repo: Checked-out git repository to write, commit and push to.
    oss_fuzz_source: Source record naming the OSS-Fuzz source and the
      directory inside the repository its records live in.
  """
  records_dir = os.path.join(
      osv.repo_path(repo), oss_fuzz_source.directory_path or '')
  internal_bugs = osv.Bug.query(
      osv.Bug.source_of_truth == osv.SourceOfTruth.INTERNAL)

  exported = []
  for bug in internal_bugs:
    if bug.status != osv.BugStatus.PROCESSED or not bug.public:
      continue
    source_name, _ = osv.parse_source_id(bug.source_id)
    if source_name != oss_fuzz_source.name:
      continue

    # NOTE(review): assumes osv.source_path returns a path relative to and
    # contained within records_dir — confirm in osv.
    target = os.path.join(records_dir, osv.source_path(bug))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    if os.path.exists(target):
      continue

    logging.info('Writing %s', bug.key.id())
    osv.vulnerability_to_yaml(bug.to_vulnerability(), target)
    # Flip ownership in memory only; the datastore write happens below, once
    # the push has succeeded.
    bug.source_of_truth = osv.SourceOfTruth.SOURCE_REPO
    exported.append(bug)

  repo.index.add_all()
  pending = repo.index.diff_to_tree(repo.head.peel().tree)
  if not pending:
    logging.info('No new entries, skipping committing.')
    return

  logging.info('Commiting and pushing new entries')
  pushed = osv.push_source_changes(
      repo, 'Import from OSS-Fuzz', self._git_callbacks(oss_fuzz_source))
  if pushed:
    ndb.put_multi(exported)