1818from typings import drupal , osv
1919
2020osv_dir_name = 'advisories'
21- # Not all fields pass the schema test as there are elements that are not yet present in the OSV schema.
22- full_proposed_entry = False
2321
2422
2523def fetch_drupal_node (nid : str ) -> drupal .Node :
@@ -125,16 +123,6 @@ def event_to_semver_for_sorting(event: osv.Event) -> semver.Version:
125123 return semver .Version .parse (semver_for_sorting (version ))
126124
127125
128- def fake_ecosystem (osv_advisory : osv .Vulnerability ) -> osv .Vulnerability :
129- if not full_proposed_entry :
130- # Fake the package.ecosystem so a schema validator doesn't complain.
131- for affected in osv_advisory ['affected' ]:
132- affected ['package' ]['ecosystem' ] = 'Packagist'
133- # Fake the ID so it passes the schema validation.
134- osv_advisory ['id' ] = f'OSV-{ osv_advisory ["id" ]} '
135- return osv_advisory
136-
137-
138126def semver_for_sorting (semver : typing .Any ) -> str :
139127 decrement_semver = False
140128 if semver == '' :
@@ -217,7 +205,7 @@ def build_osv_advisory(
217205
218206 osv_advisory : osv .Vulnerability = {
219207 'schema_version' : '1.3.0' ,
220- 'id' : sa_id ,
208+ 'id' : f'OSV- { sa_id } ' ,
221209 'modified' : datetime .fromtimestamp (int (sa_advisory ['changed' ])).strftime (
222210 '%Y-%m-%dT%H:%M:%S.000Z'
223211 ),
@@ -230,8 +218,13 @@ def build_osv_advisory(
230218 'details' : markdownify (sa_advisory ['field_sa_description' ]['value' ]),
231219 'affected' : [
232220 {
233- 'package' : {'ecosystem' : 'Drupal' , 'name' : '' },
234- 'severity' : [{'type' : 'NIST_CMSS' , 'score' : '' }],
221+ # todo: figure out if we need a dedicated ecosystem i.e. Drupal, Drupal8, etc
222+ 'package' : {'ecosystem' : 'Packagist' , 'name' : '' },
223+ # todo: figure out how to map field_sa_criticality to severity
224+ # https://ossf.github.io/osv-schema/#severitytype-field
225+ # https://www.drupal.org/drupal-security-team/security-risk-levels-defined
226+ # https://www.nist.gov/news-events/news/2012/07/software-features-and-inherent-risks-nists-guide-rating-software
227+ 'severity' : [],
235228 'ranges' : build_affected_ranges (sa_advisory ),
236229 'database_specific' : {
237230 'affected_versions' : sa_advisory ['field_affected_versions' ]
@@ -245,21 +238,8 @@ def build_osv_advisory(
245238 drupal .Project , fetch_drupal_node (sa_advisory ['field_project' ]['id' ])
246239 )
247240
248- # TODO: Add the severity to the OSV entry.
249- # https://ossf.github.io/osv-schema/#severitytype-field
250- # https://www.drupal.org/drupal-security-team/security-risk-levels-defined
251- # https://www.nist.gov/news-events/news/2012/07/software-features-and-inherent-risks-nists-guide-rating-software
252- if full_proposed_entry :
253- osv_advisory ['affected' ][0 ]['severity' ][0 ]['score' ] = sa_advisory [
254- 'field_sa_criticality'
255- ]
256- else :
257- osv_advisory ['affected' ][0 ]['severity' ] = []
258-
259241 osv_advisory ['affected' ][0 ]['package' ]['name' ] = composer_package (project )
260242
261- fake_ecosystem (osv_advisory )
262-
263243 return osv_advisory
264244
265245
0 commit comments