osv vendor vulnerability scanning

Author: kikofernandez

.github/scripts/otp-compliance.es

@@ -216,7 +216,18 @@ cli() ->
                                      > .github/scripts/otp-compliance.es sbom vendor --sbom-file otp.spdx.json
                                      """,
                                  arguments => [ sbom_option()],
-                                 handler => fun sbom_vendor/1}
+                                 handler => fun sbom_vendor/1},
+
+                          "osv-scan" =>
+                              #{ help =>
+                                     """
+                                     Performs vulnerability scanning on vendor libraries
+
+                                     Example:
+
+                                     > .github/scripts/otp-compliance.es sbom osv-scan
+                                     """,
+                                 handler => fun osv_scan/1}
                          }},
              "explore" =>
                  #{  help => """
@@ -1205,6 +1216,68 @@ generate_vendor_purl(Package) ->
             [create_externalRef_purl(Description, <<Purl/binary, "@", Vsn/binary>>)]
     end.
 
+osv_scan(_) ->
+    application:ensure_all_started([ssl, inets]),
+    URI = "https://api.osv.dev/v1/querybatch",
+    Format = "application/x-www-form-urlencoded",
+
+    VendorSrcFiles = find_vendor_src_files("."),
+    Packages = generate_vendor_info_package(VendorSrcFiles),
+
+    OSVQuery = generate_osv_query(Packages),
+    io:format("[OSV] Information sent~n~s~n", [json:format(OSVQuery)]),
+    OSV = json:encode(OSVQuery),
+
+    Content = {URI, [], Format, OSV},
+    Result = httpc:request(post, Content, [], []),
+    case Result of
+        {ok,{{_, 200,_}, _Headers, Body}} ->
+            #{~"results" := OSVResults} = json:decode(erlang:list_to_binary(Body)),
+            Vulnerabilities = lists:filter(fun (#{~"vulns" := _Ids}) -> true; (_) -> false end, OSVResults),
+            case Vulnerabilities of
+                [] ->
+                    io:format("[OSV] No vulnerabilities found.~n");
+                _ ->
+                    FormatVulns = format_vulnerabilities(OSVQuery, OSVResults),
+                    fail("[OSV] There are existing vulnerabilities:~n~s", [FormatVulns])
+            end;
+        {error, Error} ->
+            fail("[OSV] POST request to ~p errors: ~p", [URI, Error])
+    end.
+
+format_vulnerabilities(OSVQuery, OSVResults) ->
+    NameVulnerabilities = lists:zip(osv_names(OSVQuery), OSVResults),
+    ExistingVulnerabilities = lists:filtermap(fun ({Name, #{~"vulns" := Ids}}) ->
+                                                      {true, {Name, [Id || #{~"id" := Id} <- Ids]}};
+                                                  (_) ->
+                                                      false
+                                              end, NameVulnerabilities),
+    lists:map(fun ({N, Ids}) ->
+                      io_lib:format("- ~s: ~s~n", [N, lists:join(",", Ids)])
+              end, ExistingVulnerabilities).
+
+osv_names(#{~"queries" := Packages}) ->
+    lists:map(fun osv_names/1, Packages);
+osv_names(#{~"package" := #{~"name" := Name }}) ->
+    Name.
+
+generate_osv_query(Packages) ->
+    #{~"queries" => lists:foldl(fun generate_osv_query/2, [], Packages)}.
+generate_osv_query(#{~"versionInfo" := Vsn, ~"ecosystem" := Ecosystem, ~"name" := Name}, Acc) ->
+    Package = #{~"package" => #{~"name" => Name, ~"ecosystem" => Ecosystem}, ~"version" => Vsn},
+    [Package | Acc];
+generate_osv_query(#{~"sha" := SHA, ~"downloadLocation" := Location}, Acc) ->
+    case string:prefix(Location, ~"https://") of
+        nomatch ->
+            Acc;
+        URI ->
+            Package = #{~"package" => #{~"name" => URI}, ~"commit" => SHA},
+            [Package | Acc]
+    end;
+generate_osv_query(_, Acc) ->
+    Acc.
+
+
 cleanup_path(<<"./", Path/binary>>) when is_binary(Path) -> Path;
 cleanup_path(Path) when is_binary(Path) -> Path.
 

.github/workflows/main.yaml

@@ -864,11 +864,6 @@ jobs:
         with:
             BASE_BRANCH: ${{ env.BASE_BRANCH }}
 
-      - name: Download SBoM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # ratchet:actions/[email protected]
-        with:
-            name: ort-results-otp-${{ env.OTP_SBOM_VERSION }}
-
       - name: Generate Vendor SBOM
         run: |
           docker run -v $PWD/:/github -v $HOME:$HOME otp \
@@ -881,17 +876,10 @@ jobs:
         uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # ratchet:advanced-security/[email protected]
 
       # check that PRs do not introduce vulnerabilities in vendor dependencies
-      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 #ratchet:actions/dependency-review-action@v4
-        with:
-          vulnerability-check: true
-          fail-on-severity: low        # fail if there are dependency issues with low severity impact.
-          license-check: false         # skip, we have our license process
-          comment-summary-in-pr: never # displays summary as a comment. we could test with 'on-failure'
-          warn-only: false             # do not warn only (fail instead)
-          show-openssf-scorecard: true # applied to dependencies changed in this PR, not to OTP
-          warn-on-openssf-scorecard-level: 3 # scorecard level in which a dependency is considered problematic
-
+      - name: 'Vendor Vulnerability Scanning'
+        run: |
+          docker run -v $PWD/:/github -v $HOME:$HOME otp \
+            "/github/.github/scripts/otp-compliance.es sbom osv-scan"
 
   ## If this is an "OTP-*" tag that has been pushed we do some release work
   release:

HOWTO/SBOM.md

@@ -183,6 +183,7 @@ This file may be a list of JSON objects. For simplicity, we document the fields
     "licenseDeclared": "Zlib",
     "name": "asmjit",
     "versionInfo": "a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
+    "sha": "a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
     "path": "./erts/emulator/asmjit",
     "supplier": "Person: Petr Kobalicek",
     "purl": "pkg:github/asmjit/asmjit"
@@ -204,6 +205,9 @@ Fields summary:
 - `licenseDeclared`: license as declared by the vendor, following a [SPDX license identifier](https://spdx.org/licenses/).
 - `name`: name of the library.
 - `versionInfo`: version of the library/project/3pp. In case of no version number being available, write the commit sha.
+- `sha`: sha commit for `versionInfo`, they need to be updated together!
+- `ecosystem`: List of valid ecosystems in [OSV Ecosystems](https://ossf.github.io/osv-schema/#defined-ecosystems)
+  where this value is omitted for C/C++ code (e.g., `asmjit`, `pcre2`, `zlib`, `zstd`, etc), and used in `vendor.json` for `jquery`.
 - `path`: path to the vendor library inside Erlang/OTP. This can point to a folder or a list of files.
   - Folder: any file inside the folder is considered part of the vendor library (e.g., asmjit [vendor.info](../erts/emulator/asmjit/vendor.info)).
   - List of files: only the files listed here are part of a vendor library (e.g., erts-config [vendor.info](../erts/autoconf/vendor.info)).

erts/emulator/asmjit/vendor.info

@@ -15,6 +15,7 @@
     "licenseDeclared": "Zlib",
     "name": "asmjit",
     "versionInfo": "a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
+    "sha": "a465fe71ab3d0e224b2b4bd0fac69ae68ab9239d",
     "path": "./erts/emulator/asmjit",
     "supplier": "Person: Petr Kobalicek",
     "purl": "pkg:github/asmjit/asmjit"

erts/emulator/openssl/vendor.info

@@ -15,6 +15,7 @@
     "licenseDeclared": "Apache-2.0",
     "name": "openssl",
     "versionInfo": "3.5",
+    "sha": "636dfadc70ce26f2473870570bfd9ec352806b1d",
     "path": "./erts/emulator/openssl",
     "supplier": "Organization: OpenSSL Mission",
     "purl": "pkg:generic/openssl"

erts/emulator/pcre/vendor.info

@@ -10,12 +10,13 @@
     "ID": "erts-pcre",
     "description": "PCRE2 library",
     "copyrightText": "NOASSERTION",
-    "downloadLocation": "git+https://github.com/PCRE2Project/pcre2.git",
+    "downloadLocation": "https://github.com/PCRE2Project/pcre2",
     "homepage": "https://pcre2project.github.io/pcre2/",
     "licenseDeclared": "BSD-3-Clause",
     "name": "pcre2",
-    "versionInfo": "10.44",
+    "versionInfo": "10.45",
     "path": "./erts/emulator/pcre",
+    "sha": "2dce7761b1831fd3f82a9c2bd5476259d945da4d",
     "supplier": "Person: Philip Hazel",
     "purl": "pkg:generic/pcre2"
   }

erts/emulator/zlib/vendor.info

@@ -10,13 +10,14 @@
     "ID": "erts-zlib",
     "description": "interface of the 'zlib' general purpose compression library",
     "copyrightText": "Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler",
-    "downloadLocation": "https://zlib.net/",
+    "downloadLocation": "https://github.com/madler/zlib",
     "homepage": "https://zlib.net/",
     "licenseDeclared": "Zlib",
     "name": "zlib",
     "versionInfo": "1.3.1",
+    "sha": "51b7f2abdade71cd9bb0e7a373ef2610ec6f9daf",
     "path": "./erts/emulator/zlib",
     "supplier": "Person: Mark Adler ([email protected])",
-    "purl": "pkg:generic/zlib"
+    "purl": "pkg:github/madler/zlib"
   }
 ]

erts/emulator/zstd/vendor.info

@@ -16,6 +16,7 @@
     "licenseDeclared": "BSD-3-Clause OR GPL-2.0-only",
     "name": "zstd",
     "versionInfo": "v1.5.7",
+    "sha": "f8745da6ff1ad1e7bab384bd1f9d742439278e99",
     "path": "./erts/emulator/zstd",
     "supplier": "Organization: Meta",
     "purl": "pkg:github/facebook/zstd",

lib/common_test/priv/vendor.info

@@ -13,6 +13,7 @@
       "downloadLocation": "https://github.com/jquery/jquery",
       "homepage": "https://jquery.com",
       "licenseDeclared": "MIT",
+      "ecosystem": "npm",
       "name": "jquery",
       "versionInfo": "3.7.1",
       "path": ["./lib/common_test/priv/jquery-latest.js"],
@@ -26,7 +27,8 @@
       "downloadLocation": "https://github.com/Mottie/tablesorter",
       "homepage": "https://github.com/Mottie/tablesorter",
       "licenseDeclared": "BSD-3-Clause OR GPL-2.0-only",
-      "name": "jquery-tablesorter",
+      "ecosystem": "npm",
+      "name": "tablesorter",
       "versionInfo": "2.32",
       "path": ["./lib/common_test/priv/jquery.tablesorter.min.js"],
       "supplier": "Person: Christian Bach",

lib/erl_interface/src/openssl/vendor.info

@@ -15,6 +15,7 @@
     "licenseDeclared": "Apache-2.0",
     "name": "openssl",
     "versionInfo": "3.5",
+    "sha": "636dfadc70ce26f2473870570bfd9ec352806b1d",
     "path": "./lib/erl_interface/src/openssl",
     "supplier": "Organization: OpenSSL Mission",
     "purl": "pkg:generic/openssl"

lib/wx/vendor.info

@@ -14,9 +14,10 @@
     "homepage": "https://github.com/wxWidgets/wxWidgets",
     "licenseDeclared": "LicenseRef-scancode-wxwindows-free-doc-3",
     "name": "wx",
-    "versionInfo": "dc585039bbd426829e3433002023a93f9bedd0c2",
+    "versionInfo": "f2918a9ac823074901ce27de939baa57788beb3d",
+    "sha": "f2918a9ac823074901ce27de939baa57788beb3d",
     "path": "./lib/wx",
-    "comments": "This only applies to the source code of Erlang files in 'src', and specifically to the documentation embedded in them",
+    "comments": "This only applies to the source code of Erlang files in 'src', and specifically to the documentation embedded in them.",
     "supplier": "NOASSERTION",
     "purl": "pkg:github/wxwidgets/wxwidgets"
   }