Limitations of OSV DB API


Sourabh SP

Dec 21, 2022, 3:21:10 AM
to osv-discuss

Hello All, I am creating this issue to raise a question on the limitations of OSV DB API.

  • For example, GitHub APIs have restrictions on the number of request calls that can be made with a specific user access token in an hour.
  • If there are restrictions, what should the user do to overcome such limits? Whom do you contact regarding this?
  • I observed that the https://api.osv.dev/v1/querybatch API call with multiple queries returns only a list of vulnerabilities, but it does not map the vulnerability list to the associated package information. Hence the user would not be able to associate the vulnerabilities with the package. Is this something that would be improved?

Please let me know if this is the right forum to post the questions.

Thanks
Sourabh

Sourabh SP

Dec 21, 2022, 4:27:48 AM
to osv-discuss

- I observed that the `https://api.osv.dev/v1/querybatch` API call with multiple queries returns only a list of GitHub advisories; should it not return the complete vulnerability object with CVE, impact, severity and other info? Are we missing something here?

Please find my curl sample below; as you can see, the result is just a flat list of GitHub advisories:
```bash
curl --location --request POST 'https://api.osv.dev/v1/querybatch' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "queries": [
      {
        "version": "2.12.6",
        "package": {
          "name": "com.fasterxml.jackson.core:jackson-databind",
          "ecosystem": "Maven"
        }
      },
      {
        "version": "1.59",
        "package": {
          "name": "org.bouncycastle:bcprov-jdk15on",
          "ecosystem": "Maven"
        }
      }
    ]
  }'
```

Output:

```json
{
    "results": [
        {
            "vulns": [
                {
                    "id": "GHSA-57j2-w4cx-62h2",
                    "modified": "2022-12-14T05:10:13.978383Z"
                },
                {
                    "id": "GHSA-jjjh-jjxp-wpff",
                    "modified": "2022-12-14T05:29:48.906253Z"
                },
                {
                    "id": "GHSA-rgv9-q543-rqg4",
                    "modified": "2022-12-14T05:06:42.513025Z"
                }
            ]
        },
        {
            "vulns": [
                {
                    "id": "GHSA-6xx3-rg99-gc3p",
                    "modified": "2022-12-14T04:57:02.505254Z"
                }
            ]
        }
    ]
}
```


Thanks
Sourabh
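The two questions above (how to tie `querybatch` results back to the package that was queried, and where the CVE, severity and other details live) can be answered client-side. The following is an added example and not code from the OSV project or from the poster: `/v1/querybatch` returns its `results` array in the same order as the submitted `queries`, and each entry deliberately carries only `id` and `modified`, so the full record is fetched afterwards from `/v1/vulns/{id}`. The sample response embedded below is the output posted above; the `query_batch` and `fetch_vuln` helpers need network access and are not exercised offline, and the field names read by `summarize_vuln` (`aliases`, `severity`, `summary`) follow the OSV schema.

```python
"""Map OSV querybatch results back to the queried packages and summarise details.

Added example, not OSV project code. SAMPLE_RESPONSE is the output quoted in
the thread above; QUERIES is the request body that produced it.
"""
import json
import urllib.request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"
OSV_VULN = "https://api.osv.dev/v1/vulns/{vuln_id}"

QUERIES = [
    {"version": "2.12.6",
     "package": {"name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven"}},
    {"version": "1.59",
     "package": {"name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven"}},
]

# Response from the thread above (ids and timestamps as posted).
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [
            {"id": "GHSA-57j2-w4cx-62h2", "modified": "2022-12-14T05:10:13.978383Z"},
            {"id": "GHSA-jjjh-jjxp-wpff", "modified": "2022-12-14T05:29:48.906253Z"},
            {"id": "GHSA-rgv9-q543-rqg4", "modified": "2022-12-14T05:06:42.513025Z"},
        ]},
        {"vulns": [
            {"id": "GHSA-6xx3-rg99-gc3p", "modified": "2022-12-14T04:57:02.505254Z"},
        ]},
    ]
}


def correlate(queries, response):
    """Zip results back onto queries: results[i] answers queries[i].

    Refuses to guess if the counts differ, since a silent misalignment would
    attribute advisories to the wrong package.
    """
    results = response.get("results", [])
    if len(results) != len(queries):
        raise ValueError(f"{len(queries)} queries but {len(results)} results")
    rows = []
    for query, result in zip(queries, results):
        pkg = query["package"]
        rows.append({
            "ecosystem": pkg["ecosystem"],
            "name": pkg["name"],
            "version": query.get("version"),
            "vuln_ids": [v["id"] for v in result.get("vulns", [])],
        })
    return rows


def summarize_vuln(vuln):
    """Extract CVE aliases, severity scores and summary from a full OSV record."""
    cves = [a for a in vuln.get("aliases", []) if a.startswith("CVE-")]
    scores = [s.get("score") for s in vuln.get("severity", [])]
    return {"id": vuln["id"], "cves": cves, "severity": scores,
            "summary": vuln.get("summary", "")}


def query_batch(queries, timeout=30):
    """POST the batch to OSV (network call; not run in the offline demo)."""
    body = json.dumps({"queries": queries}).encode()
    req = urllib.request.Request(OSV_QUERYBATCH, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def fetch_vuln(vuln_id, timeout=30):
    """GET the full vulnerability record for one id (network call)."""
    with urllib.request.urlopen(OSV_VULN.format(vuln_id=vuln_id), timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the posted response; swap SAMPLE_RESPONSE for
    # query_batch(QUERIES) and call fetch_vuln on each id for live data.
    for row in correlate(QUERIES, SAMPLE_RESPONSE):
        print(f"{row['ecosystem']} {row['name']}@{row['version']}: {', '.join(row['vuln_ids'])}")
```

Running the module prints one line per queried package with the advisories that apply to it; replacing the embedded sample with a live `query_batch` call and feeding each id through `fetch_vuln` and `summarize_vuln` yields the CVE and severity fields asked about in the thread.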

Andrew Pollock

Jan 4, 2023, 10:26:06 PM
to Sourabh SP, osv-discuss
For anyone trawling through the archives, this was also filed as https://github.com/google/osv.dev/issues/931 and responded to there.



--


Andrew Pollock

Security Engineer, Google Open Source Security Team | +61419788191 | apol...@google.com

Google LLC


