#!/usr/bin/env python3 # Script to convert CVEs as published for Apache projects # from CVE JSON 5.0 format to OSV format. import json import sys # TODO get from arg cve = json.load(open(sys.argv[1])) def mavenPackage(groupId, artifactId): return { 'ecosystem': 'Maven', 'name': f"{groupId}:{artifactId}", 'purl': f"pkg:maven/{groupId}/{artifactId}" } def package(product): if product == 'Apache Commons IO': return mavenPackage('org.apache.commons', 'commons-io') else: # https://github.com/ossf/osv-schema/issues/94 return None def range(versions): if versions['status'] != 'affected': raise "TODO support for explicitly 'unaffected' ranges" if 'lessThan' in versions: events = [{ 'introduced': versions['version'] },{ 'fixed': versions['lessThan'] }] else: events = [{ 'introduced': versions['version'] },{ 'last_affected': versions['version'] }] return { 'type': 'SEMVER', 'events': events } def convert_affected(affected): result = {} p = package(affected['product']) if p: result['package'] = p result['ranges'] = list(map(range, affected['versions'])) # TODO severity return result def reference(reference): url = reference['url'] if 'jira' in url: t = 'REPORT' elif 'x_refsource_CONFIRM' in reference['tags']: t = 'ADVISORY' else: t = 'WEB' return { 'type': t, 'url': reference['url'] } cna = cve['containers']['cna'] osv = { 'schema_version': '1.6.1', 'id': cve['cveMetadata']['cveId'], 'summary': cna['title'], 'details': cna['descriptions'][0]['value'], # TODO 'severity' 'affected': list(map(convert_affected, cna['affected'])), 'references': list(map(reference, cna['references'])) # TODO 'credits' } with open(sys.argv[2], 'w', encoding='utf-8') as f: json.dump(osv, f, ensure_ascii=False)