how to use just this ./vulnfeeds/cmd/combine-to-osv/run_combine_to_osv_convert.sh


Alex Alexandrov

Sep 27, 2022, 6:40:03 AM
to osv-discuss
I just need to get a vulnerabilities database in OSV format, but it requires access to Google services:
Setup initial directories
Begin syncing with cloud parts
Caught non-retryable exception while listing gs://cve-osv-conversion/parts/: AccessDeniedException: 403 <mail> does not have storage.objects.list access to the Google Cloud Storage bucket.
CommandException: Caught non-retryable exception - aborting rsync

My own project has storage and the project owner of course has access, but is it asking for access to a different project?
I'm not really familiar with Google services, how can I just run this script?)

Andrew Pollock

Sep 27, 2022, 6:56:18 PM
to Alex Alexandrov, osv-discuss
Hi Alex,

That script in its current form has a GCS bucket hard-coded in it that you won't have read or write access to.

I'll make it more supportive of supplying a BYO GCS bucket so your use case is more readily available. In the short term, you can replace the references to gs://cve-osv-conversion on lines 21 and 31 with your own GCS bucket and this should unblock you.

Let me know how that goes for you.

regards

Andrew

Andrew Pollock

Sep 27, 2022, 7:38:19 PM
to Alex Alexandrov, osv-discuss

Rex

Sep 27, 2022, 9:02:51 PM
to osv-discuss
Hello Alex,

Can you provide us some more information about your goal? The run_combine_to_osv_convert.sh script is quite specific/narrow in its use case. Its main goal is to upload and download from Google Cloud buckets to feed into osv.dev.

- If you are looking for all the already converted OSV formatted vulnerabilities, then they are available here: gs://osv-vulnerabilities.
- If you are looking to convert all NVD CVE entries into the OSV format, we don't have that functionality at the moment, but we are in the process of adding similar functionality to OSV (see https://github.com/google/osv.dev/pull/738 for an early draft).
- And if you already have affected package and vulnerability information extracted, and all you want is to combine it with CVE information into the OSV format, then combine-to-osv is what you are looking for. If that is the case, you can try running `go run ./cmd/combine-to-osv` directly with the necessary parameters. combine-to-osv is currently mostly for internal use to populate osv.dev, so it lacks proper documentation. I have created an issue to track this here: https://github.com/google/osv.dev/issues/751

Do let us know if none of the above is what you are trying to do, and if we can help. 

Cheers
Rex