Experimenting with OSV API


Mehdi Karimi

Jun 3, 2021, 12:57:52 PM
to osv-discuss
Hi,

I am testing with OSV. For an OSS project that is available on GitHub, how can I make a request?
For example, I want to see vulnerabilities in https://github.com/mbiuki/minicloud

Thanks

Mehdi

Oliver Chang

Jun 4, 2021, 2:34:32 AM
to Mehdi Karimi, osv-discuss
Hi Mehdi,

There are two ways to query the API: by a commit hash, or by a package name and version number.

By commit hash:

      curl -X POST -d \
          '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
          "https://api.osv.dev/v1/query"

(No package name is required.)

For version queries, something like:
      curl -X POST -d \
          '{"version": "2.4.1", "package": {"name": "jinja2", "ecosystem": "PyPI"}}' \
          "https://api.osv.dev/v1/query"

The currently supported ecosystems for this are "PyPI", "Go", and "OSS-Fuzz".


--
Oliver
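As an added example (not code from this thread or from the OSV project), a small Python helper that builds both query shapes Oliver describes, rejects malformed input before anything is sent, and summarizes a response in the OSV response shape. The function names and the sample response are assumptions; the sample ids are placeholders, not real advisories.

```python
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
# Ecosystems the reply above names as supported at the time of writing.
SUPPORTED_ECOSYSTEMS = {"PyPI", "Go", "OSS-Fuzz"}


def build_query(commit=None, name=None, version=None, ecosystem=None):
    """Return the JSON body for /v1/query: by commit hash or by package/version."""
    if commit is not None:
        hexdigits = set("0123456789abcdef")
        if len(commit) != 40 or not set(commit.lower()) <= hexdigits:
            raise ValueError("commit must be a 40-hex-digit git SHA-1")
        # Commit queries need no package name: the hash is unique enough across repos.
        return {"commit": commit}
    if not (name and version and ecosystem):
        raise ValueError("package queries need name, version and ecosystem")
    if ecosystem not in SUPPORTED_ECOSYSTEMS:
        raise ValueError(f"ecosystem {ecosystem!r} is not one of {sorted(SUPPORTED_ECOSYSTEMS)}")
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def query_osv(body, opener=urllib.request.urlopen):
    """POST a query body to OSV and return the decoded JSON (needs network access)."""
    req = urllib.request.Request(
        OSV_QUERY_URL, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with opener(req, timeout=30) as resp:
        return json.load(resp)


def summarize(response):
    """Reduce a /v1/query response to (id, aliases, summary) per vulnerability."""
    return [(v["id"], tuple(v.get("aliases", [])), v.get("summary", ""))
            for v in response.get("vulns", [])]


# Constructed sample in OSV's response shape; the ids are placeholders, not real entries.
SAMPLE_RESPONSE = {"vulns": [
    {"id": "OSV-EXAMPLE-0001", "aliases": ["CVE-EXAMPLE-0001"], "summary": "placeholder"},
    {"id": "OSV-EXAMPLE-0002", "summary": "placeholder without aliases"},
]}

if __name__ == "__main__":
    print(build_query(commit="6879efc2c1596d11a6a6ad296f80063b558d5e0f"))
    print(build_query(name="jinja2", version="2.4.1", ecosystem="PyPI"))
    for vuln_id, aliases, summary in summarize(SAMPLE_RESPONSE):
        print(vuln_id, aliases, summary)
```

Replace `SAMPLE_RESPONSE` with `query_osv(build_query(...))` to run the same summary against the live API.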



Mehdi Karimi

Jun 4, 2021, 5:28:43 PM
to osv-discuss
Thanks for your reply.
By "The currently supported ecosystems for this are "PyPI", "Go", and "OSS-Fuzz"." did you mean only packages and libraries that are tested by OSS-Fuzz are available? Additionally, indexed from only PyPI and Go?

If I use the commit hash, is it unique across all these different packages and libs? No need to pass the name?

--
Mehdi

Oliver Chang

Jun 6, 2021, 7:57:34 PM
to Mehdi Karimi, osv-discuss
On Sat, 5 Jun 2021 at 07:28, Mehdi Karimi <mbi...@gmail.com> wrote:
> Thanks for your reply.
> By "The currently supported ecosystems for this are "PyPI", "Go", and "OSS-Fuzz"." did you mean only packages and libraries that are tested by OSS-Fuzz are available? Additionally, indexed from only PyPI and Go?

Currently yes, but we are working on adding more ecosystems as well.

> If I use the commit hash, is it unique across all these different packages and libs? No need to pass the name?

That's right. Commit hashes are unique enough across different repositories.

Mehdi Karimi

Jun 8, 2021, 12:41:35 AM
to osv-discuss
Would you know what packages OSS-Fuzz has fuzzed so far? Where can we find a list of those?

Oliver Chang

Jun 8, 2021, 12:44:53 AM
to Mehdi Karimi, osv-discuss

Mehdi Karimi

Jun 8, 2021, 1:56:31 PM
to osv-discuss
Thanks for sharing the link, Oliver.

Additionally, how many of these reported vulnerabilities are vetted? I.e., confirmed to be a real issue, not benign nor a false positive.
--
Mehdi