Skip to content

Commit fde5857

Browse files
authored
refactor: remove unused "full proposed entry" logic (#39)
This is a bit of a legacy thing from when we were first figuring out how to do the advisory generation, which I've replaced with todo comments to make it easier to iterate on our generation script
1 parent d5c69af commit fde5857

2 files changed

Lines changed: 8 additions & 29 deletions

File tree

scripts/generate_osv_advisories.py

Lines changed: 8 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,6 @@
1818
from typings import drupal, osv
1919

2020
osv_dir_name = 'advisories'
21-
# Not all fields pass the schema test as there are elements that are not yet present in the OSV schema.
22-
full_proposed_entry = False
2321

2422

2523
def fetch_drupal_node(nid: str) -> drupal.Node:
@@ -125,16 +123,6 @@ def event_to_semver_for_sorting(event: osv.Event) -> semver.Version:
125123
return semver.Version.parse(semver_for_sorting(version))
126124

127125

128-
def fake_ecosystem(osv_advisory: osv.Vulnerability) -> osv.Vulnerability:
129-
if not full_proposed_entry:
130-
# Fake the package.ecosystem so a schema validator doesn't complain.
131-
for affected in osv_advisory['affected']:
132-
affected['package']['ecosystem'] = 'Packagist'
133-
# Fake the ID so it passes the schema validation.
134-
osv_advisory['id'] = f'OSV-{osv_advisory["id"]}'
135-
return osv_advisory
136-
137-
138126
def semver_for_sorting(semver: typing.Any) -> str:
139127
decrement_semver = False
140128
if semver == '':
@@ -217,7 +205,7 @@ def build_osv_advisory(
217205

218206
osv_advisory: osv.Vulnerability = {
219207
'schema_version': '1.3.0',
220-
'id': sa_id,
208+
'id': f'OSV-{sa_id}',
221209
'modified': datetime.fromtimestamp(int(sa_advisory['changed'])).strftime(
222210
'%Y-%m-%dT%H:%M:%S.000Z'
223211
),
@@ -230,8 +218,13 @@ def build_osv_advisory(
230218
'details': markdownify(sa_advisory['field_sa_description']['value']),
231219
'affected': [
232220
{
233-
'package': {'ecosystem': 'Drupal', 'name': ''},
234-
'severity': [{'type': 'NIST_CMSS', 'score': ''}],
221+
# todo: figure out if we need a dedicated ecosystem i.e. Drupal, Drupal8, etc
222+
'package': {'ecosystem': 'Packagist', 'name': ''},
223+
# todo: figure out how to map field_sa_criticality to severity
224+
# https://ossf.github.io/osv-schema/#severitytype-field
225+
# https://www.drupal.org/drupal-security-team/security-risk-levels-defined
226+
# https://www.nist.gov/news-events/news/2012/07/software-features-and-inherent-risks-nists-guide-rating-software
227+
'severity': [],
235228
'ranges': build_affected_ranges(sa_advisory),
236229
'database_specific': {
237230
'affected_versions': sa_advisory['field_affected_versions']
@@ -245,21 +238,8 @@ def build_osv_advisory(
245238
drupal.Project, fetch_drupal_node(sa_advisory['field_project']['id'])
246239
)
247240

248-
# TODO: Add the severity to the OSV entry.
249-
# https://ossf.github.io/osv-schema/#severitytype-field
250-
# https://www.drupal.org/drupal-security-team/security-risk-levels-defined
251-
# https://www.nist.gov/news-events/news/2012/07/software-features-and-inherent-risks-nists-guide-rating-software
252-
if full_proposed_entry:
253-
osv_advisory['affected'][0]['severity'][0]['score'] = sa_advisory[
254-
'field_sa_criticality'
255-
]
256-
else:
257-
osv_advisory['affected'][0]['severity'] = []
258-
259241
osv_advisory['affected'][0]['package']['name'] = composer_package(project)
260242

261-
fake_ecosystem(osv_advisory)
262-
263243
return osv_advisory
264244

265245

scripts/typings/osv.py

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -94,7 +94,6 @@ class Range(typing.TypedDict):
9494
'CVSS_V2',
9595
'CVSS_V3',
9696
'CVSS_V4',
97-
'NIST_CMSS', # todo: this is not defined in the spec
9897
]
9998

10099

0 commit comments

Comments
 (0)