Experimenting with OSV API
153 views
Skip to first unread message
Mehdi Karimi
Jun 3, 2021, 12:57:52 PM6/3/21
to osv-discuss
Hi,
I am testing with OSV. For a OSS that is available in GitHub, how can I make a request?
For example, I want to see vulnerabilities in https://github.com/mbiuki/minicloud
Thanks
Mehdi
Oliver Chang
Jun 4, 2021, 2:34:32 AM6/4/21
to Mehdi Karimi, osv-discuss
Hi Mehdi,
There's two ways to query the API. By a commit hash, or by a package name and version number.
By commit hash:
curl -X POST -d \
'{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
"https://api.osv.dev/v1/query"
'{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
"https://api.osv.dev/v1/query"
(No package name is required).
For version queries, something like:
curl -X POST -d \
'{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
"https://api.osv.dev/v1/query"
curl -X POST -d \
'{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
"https://api.osv.dev/v1/query"
The currently supported ecosystems for this are "PyPI", "Go", and "OSS-Fuzz".
--
Oliver
--
You received this message because you are subscribed to the Google Groups "osv-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to osv-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/osv-discuss/1e286c10-65fd-45e1-9246-cc483a8cc85cn%40googlegroups.com.
Mehdi Karimi
Jun 4, 2021, 5:28:43 PM6/4/21
to osv-discuss
Thanks for your reply.
By "The currently supported ecosystems for this are "PyPI", "Go", and "OSS-Fuzz"." did you mean only packages and libraries that are tested by OSS-Fuzz are available? Additionally index from only PyPi and Go?
If I use the commit hash, is it unique across all these different packages and libs? No need to pass the name?
--
Mehdi
Oliver Chang
Jun 6, 2021, 7:57:34 PM6/6/21
to Mehdi Karimi, osv-discuss
On Sat, 5 Jun 2021 at 07:28, Mehdi Karimi <mbi...@gmail.com> wrote:
Thanks for your reply.By "The currently supported ecosystems for this are "PyPI", "Go", and "OSS-Fuzz"." did you mean only packages and libraries that are tested by OSS-Fuzz are available? Additionally index from only PyPi and Go?
Currently yes, but we are working on adding more ecosystems as well.
If I use the commit hash, is it unique across all these different packages and libs? No need to pass the name?
That's right. commit hashes are unique enough across different repositories.
To view this discussion on the web visit https://groups.google.com/d/msgid/osv-discuss/5afecedf-4a9f-492d-93f9-da6b75668ef2n%40googlegroups.com.
Mehdi Karimi
Jun 8, 2021, 12:41:35 AM6/8/21
to osv-discuss
Would you know what packages OSS-Fuzz has fuzzed so far? Where can we find a list of those?
Oliver Chang
Jun 8, 2021, 12:44:53 AM6/8/21
to Mehdi Karimi, osv-discuss
To view this discussion on the web visit https://groups.google.com/d/msgid/osv-discuss/a315e224-adda-4126-8e48-7f9fbf9f704cn%40googlegroups.com.
Mehdi Karimi
Jun 8, 2021, 1:56:31 PM6/8/21
to osv-discuss
Thanks for sharing the link, Oliver.
--
Mehdi
Reply all
Reply to author
Forward
0 new messages