# best effort semver

Open · thepwagner opened 2 weeks ago
This might look similar to https://github.com/google/osv.dev/blob/46c25dafc776d429ac46cb112fb1dffb98b9cc90/osv/ecosystems/rubygems.py#L33
fwiw I asked GitHub about this a while ago when I was looking to support GHA in my CLI and the scanner (which I'll get back to one day 😅), and they said they expect them to be semver on their end
@thepwagner feel free to send a PR to s/OrderingUnsupportedEcosystem/SemverEcosystem/ for this ecosystem.

I think the challenges we may then run into will be:

- `ECOSYSTEM` not `SEMVER`

(but if they get changed, that might make the first challenge less of a barrier)
**Is your feature request related to a problem? Please describe.**

There are 16 entries for `ecosystem: GitHub Actions` currently in the database: https://osv.dev/list?ecosystem=GitHub+Actions&q=

All entries provide semver-compatible entries:

```
$ for vuln in GHSA-7f32-hm4h-w77q GHSA-ghm2-rq8q-wrhc GHSA-mcph-m25j-8j63 GHSA-99jg-r3f4-rpxj \
    GHSA-8v8w-v8xg-79rf GHSA-hw6r-g8gj-2987 GHSA-h3qr-39j9-4r5v GHSA-rg3q-prf8-qxmp \
    GHSA-6q4m-7476-932w GHSA-p756-rfxh-x63h GHSA-2c6m-6gqh-6qg3 GHSA-f9qj-7gh3-mhj4 \
    GHSA-4xqx-pqpj-9fqw GHSA-634p-93h9-92vh GHSA-g86g-chm8-7r2p GHSA-4mgv-m5cm-f9h7; do
    curl -s "https://api.osv.dev/v1/vulns/$vuln" | jq -c '.affected[0].ranges'
  done
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"41"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.7"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"4.4.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"2.294.0"},{"fixed":"2.296.2"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.5"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.19"}]}]
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.0"}]}]
```

I know https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q exists. I know https://github.com/rlespinasse/github-slug-action/releases/tag/1.0.0 exists, and is affected by the vulnerability. But I can't query to match the two:

```
$ curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "version":"1.0.0"}' https://api.osv.dev/v1/query
```
**Describe the solution you'd like**

Treat the `GitHub Actions` ecosystem as (best effort?) SemVer: https://github.com/google/osv.dev/blob/46c25dafc776d429ac46cb112fb1dffb98b9cc90/osv/ecosystems/_ecosystems.py#L51

**Describe alternatives you've considered**
Querying by the commit referenced by the `1.0.0` tag:

```
$ curl -sd '{"package": {"ecosystem":"GitHub Actions", "name":"rlespinasse/github-slug-action"}, "commit":"9671420482a6e4c59c06f2d2d9e0605e941b1287"}' https://api.osv.dev/v1/query
```

This returns https://osv.dev/vulnerability/GHSA-6q4m-7476-932w, which I don't think impacts 1.0.0, and does not return https://osv.dev/vulnerability/GHSA-7f32-hm4h-w77q, which I think does.

I mostly don't understand the implications of this change. Actions may be referred to by commit, tag (i.e. where semver would appear) or branch.
**Additional context**

The official versioning scheme for Actions is here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses

Semver is implied/encouraged, but not enforced.
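The following is an added example of what "best effort SemVer" ordering for this ecosystem could look like; it is not osv.dev code and not the `SemverEcosystem` class the maintainer comment points at. It takes the 16 `affected[0].ranges` values quoted in the issue body as a constructed table (each belongs to a different action; they are grouped only to exercise the parser on the version strings the ecosystem really contains), tolerates tags such as `17`, `2` or `v1.0.0` that strict SemVer would reject, evaluates OSV `introduced`/`fixed` events against a version, and refuses to order commit SHAs or branch names, which is the caveat raised under "alternatives". The function names (`parse_version`, `in_range`, `all_bounds_parse`) and the loose grammar are assumptions for illustration.

```python
"""Best-effort SemVer range matching for OSV "GitHub Actions" entries.

Added example; not osv.dev code. Names (parse_version, in_range,
all_bounds_parse) and the tolerant grammar are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Loose grammar: optional leading "v", one to three numeric parts, optional
# "-prerelease". It deliberately accepts tags like "17" or "v2" that strict
# SemVer rejects, because that is what the ecosystem's ranges actually use.
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$")

Version = Tuple[int, int, int, Tuple[int, str]]


def parse_version(text: str) -> Optional[Version]:
    """Parse a tag into a comparable tuple, or None if it has no ordering.

    Missing minor/patch default to 0, so "2" == "2.0.0". A prerelease sorts
    before its release ((0, "rc1") < (1, "")); prerelease labels compare as
    plain strings, which is the "best effort" part. Commit SHAs and branch
    names return None: they carry no order and must not be compared.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), (0, pre) if pre else (1, ""))


def in_range(version: str, events: List[Dict[str, str]]) -> Optional[bool]:
    """Evaluate OSV introduced/fixed events against one version.

    The version is affected when the greatest event boundary that is <= the
    version is an "introduced" boundary, so {"introduced": "0"} with no
    "fixed" matches every parseable version. Returns None (not False) when
    the version itself cannot be ordered, so callers can tell "not affected"
    from "cannot tell".
    """
    v = parse_version(version)
    if v is None:
        return None
    best: Optional[Tuple[Version, str]] = None
    for event in events:
        for kind in ("introduced", "fixed"):
            if kind not in event:
                continue
            bound = parse_version(event[kind])
            if bound is None or bound > v:
                continue
            if best is None or bound > best[0]:
                best = (bound, kind)
    return best is not None and best[1] == "introduced"


def all_bounds_parse(ranges: Dict[str, List[Dict[str, str]]]) -> bool:
    """True if every introduced/fixed value in the table is orderable."""
    return all(
        parse_version(value) is not None
        for events in ranges.values()
        for event in events
        for value in event.values()
    )


# Constructed from the `affected[0].ranges` output quoted in the issue body.
RANGES: Dict[str, List[Dict[str, str]]] = {
    "GHSA-7f32-hm4h-w77q": [{"introduced": "0"}, {"fixed": "1.1.1"}],
    "GHSA-ghm2-rq8q-wrhc": [{"introduced": "0"}, {"fixed": "17"}],
    "GHSA-mcph-m25j-8j63": [{"introduced": "0"}, {"fixed": "41"}],
    "GHSA-99jg-r3f4-rpxj": [{"introduced": "0"}, {"fixed": "0.6.1"}],
    "GHSA-8v8w-v8xg-79rf": [{"introduced": "0"}, {"fixed": "7.0.7"}],
    "GHSA-hw6r-g8gj-2987": [{"introduced": "0"}],
    "GHSA-h3qr-39j9-4r5v": [{"introduced": "0"}, {"fixed": "2.4.2"}],
    "GHSA-rg3q-prf8-qxmp": [{"introduced": "0"}, {"fixed": "2"}],
    "GHSA-6q4m-7476-932w": [{"introduced": "4.0.0"}, {"fixed": "4.4.1"}],
    "GHSA-p756-rfxh-x63h": [{"introduced": "0"}, {"fixed": "3"}],
    "GHSA-2c6m-6gqh-6qg3": [{"introduced": "2.294.0"}, {"fixed": "2.296.2"}],
    "GHSA-f9qj-7gh3-mhj4": [{"introduced": "0"}, {"fixed": "2.7.5"}],
    "GHSA-4xqx-pqpj-9fqw": [{"introduced": "0"}, {"fixed": "2.0.1"}],
    "GHSA-634p-93h9-92vh": [{"introduced": "0"}, {"fixed": "1"}],
    "GHSA-g86g-chm8-7r2p": [{"introduced": "0"}, {"fixed": "0.0.19"}],
    "GHSA-4mgv-m5cm-f9h7": [{"introduced": "0"}, {"fixed": "2.2.0"}],
}

if __name__ == "__main__":
    for gid in ("GHSA-7f32-hm4h-w77q", "GHSA-6q4m-7476-932w"):
        print(gid, "affects 1.0.0:", in_range("1.0.0", RANGES[gid]))
    sha = "9671420482a6e4c59c06f2d2d9e0605e941b1287"
    print("commit ref orderable:", in_range(sha, RANGES["GHSA-7f32-hm4h-w77q"]))
    print("all 16 ranges parse:", all_bounds_parse(RANGES))
```

With this ordering, `1.0.0` lands inside `[0, 1.1.1)` for GHSA-7f32-hm4h-w77q and outside `[4.0.0, 4.4.1)` for GHSA-6q4m-7476-932w, which is the result the issue expects from a version query. The `None` return for a SHA or branch is deliberate: a `uses:` reference pinned to a commit has to go through the commit-based query path, and a tolerant parser must not silently coerce it into a version.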