tools: import a conversion tool to and from VuXML #237
Conversation
khorben
force-pushed
the
khorben/vuxml
branch
from
60797b2 to
b7ea020
Compare
|
Hi @khorben, this is exciting progress. I can review this from the OSV side of things, is there a VuXML SME who can review that side of things? Also, if you look at tools/redhat for inspiration, having some test data to validate behaviour is also helpful. |
|
Hi Andrew, sorry for the late answer. I suppose by SME you meant "Subject Matter Expert", in which case I think FreeBSD's ports-secteam@ (https://wiki.freebsd.org/PortsSecteam) might be the best point of contact. |
khorben
force-pushed
the
khorben/vuxml
branch
3 times, most recently
from
4bd95a4 to
8614a9b
Compare
|
Would you mind addressing the DCO check failure? |
There was a problem hiding this comment.
I'm confused by the UBUNTU-CVE-2025-3454 test files?
I think it'll be a no-op change, but it'd be good to update the schema version in the test OSV records to the current version.
khorben
force-pushed
the
khorben/vuxml
branch
2 times, most recently
from
3e0b468 to
d3c580a
Compare
Thanks for the heads up, I think this should be addressed now. |
I have organised the test data as follows:
|
This is relevant to FreeBSD's ports. Note that: * There is no official ecosystem for FreeBSD ports yet * A few elements of the VuXML DTD are not covered (e.g., \<uscertsa>, \<uscertta>) * Cancelled VuXML events are not represented, for lack of information (withdrawal date...) * Some versions do not match reality and need a correct increment (\<gt>) Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
This is relevant to FreeBSD's ports. Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
XXX this only happens when outputting to the standard output. This is relevant to FreeBSD's ports. Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
This is relevant to FreeBSD's ports. Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
Oh do you mean that you expected test files about FreeBSD? First, IIRC VuXML is distribution-agnostic, and not tied to a specific ecosystem. Likewise, it can be useful to convert VuXML data into OSV for the preparation work mentioned above. However, this still requires the corresponding ecosystem for FreeBSD, and choosing its exact name(s) might still be tricky: there is the base system, to distinguish from the third-party ports, and soon also from the packages for the base system.
I have now updated the schema version in the output to OSV as 1.7.0. |
|
When turning off DTD validation then it works ( |
| if len(args) != 1: | ||
| return usage() | ||
|
|
||
| parser = etree.XMLParser(dtd_validation=True) |
There was a problem hiding this comment.
If this is True then it does not work:
File "/somewhere/osv-schema/tools/vuxml/convert_vuxml.py", line 339, in <module>
sys.exit(main())
^^^^^^
File "/somewhere/osv-schema/tools/vuxml/convert_vuxml.py", line 127, in main
tree = etree.parse(args[0], parser)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "src/lxml/etree.pyx", line 3590, in lxml.etree.parse
File "src/lxml/parser.pxi", line 1958, in lxml.etree._parseDocument
File "src/lxml/parser.pxi", line 1984, in lxml.etree._parseDocumentFromURL
File "src/lxml/parser.pxi", line 1887, in lxml.etree._parseDocFromFile
File "src/lxml/parser.pxi", line 1200, in lxml.etree._BaseParser._parseDocFromFile
File "src/lxml/parser.pxi", line 633, in lxml.etree._ParserContext._handleParseResultDoc
File "src/lxml/parser.pxi", line 743, in lxml.etree._handleParseResult
File "src/lxml/parser.pxi", line 672, in lxml.etree._raiseParseError
File "vuln.xml", line 26
lxml.etree.XMLSyntaxError: failed to load "http:/www.vuxml.org/dtd/vuxml-1/vuxml-11.dtd": Attempt to load network entity, line 26, column 3
|
I would also add purl for packages when ecosystem have package manager it's nice addition to information |
|
When Output directory is issued then (if I understand correctly) naming should something like: |
|
It seems that |
| @@ -0,0 +1,271 @@ | |||
| #!/usr/bin/env python | |||
| # | |||
There was a problem hiding this comment.
Just suggesting to have SPDX-header for license also
There was a problem hiding this comment.
Thank you for the suggestion, I have now added the SPDX headers.
Sponsored by: The FreeBSD Foundation Signed-off-by: Pierre Pronchery <[email protected]>
| @@ -0,0 +1,42 @@ | |||
| { | |||
| "schema_version": "1.7.0", | |||
| "id": "409206f6-25e6-11f0-9360-b42e991fc52e", | |||
There was a problem hiding this comment.
this needs to have a FREEBSD- or some other prefix so it's clear it comes from the FreeBSD database.
Please also define the chosen prefix in https://ossf.github.io/osv-schema/#id-modified-fields
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "FreeBSD:ports", |
There was a problem hiding this comment.
In a separate PR, could you please add a ecosystem definition to https://ossf.github.io/osv-schema/#affectedpackage-field ?
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "SEMVER", |
There was a problem hiding this comment.
nit: does FreeBSD follow strict Semver 2.0 per https://semver.org/ and all its ordering rules?
If not, "ECOSYSTEM" would be the more accurate type.
This is relevant to FreeBSD's ports, and possibly to any other project using the VuXML format in order to track vulnerabilities. (http://vuxml.freebsd.org)
The objective is to help FreeBSD offer security advisories in the OSV format, for ports first but possibly also for base components in the future. The corresponding ecosystem string (most likely
FreeBSD) will be requested in a dedicated pull request.Sponsored by: The FreeBSD Foundation