
rosv

Overview

The {rosv} package is an API client for the Open Source Vulnerability (OSV) database. Both high- and low-level functions are available to query the database for vulnerabilities in package repositories across open source ecosystems such as CRAN, Bioconductor, PyPI, and many more. Queries against the OSV database are useful for checking the packages (optionally pinned to specific versions) enumerated in package management files such as requirements.txt (Python) and renv.lock (R). Query validation, API response pagination, and parsing of the returned content are all handled by {rosv}.

Various helper functions assist with administering Posit Package Manager or similar services. Packages can be examined routinely for new vulnerabilities, which aids in creating and updating curated repositories and in assigning block lists.

More details about the OSV project and associated API can be found here: https://google.github.io/osv.dev/.

Installation

install.packages('rosv')
library(rosv)

For the latest development version, you can install {rosv} from GitHub:

remotes::install_github('al-obrien/rosv')

Basic usage

The fastest and simplest way to get started with {rosv} is to use the osv_query() function.

  1. Provide a package name and related ecosystem to fetch any identified vulnerabilities.

    osv_query('dask', ecosystem = 'PyPI')
  2. Query multiple packages at the same time and across ecosystems.

    osv_query(c('dask', 'readxl', 'dplyr'),
              ecosystem = c('PyPI', 'CRAN', 'CRAN'))
  3. Return results only for the packages you supplied, excluding other packages that are listed as affected by the same vulnerability (by default, all_affected = TRUE, those are included).

    osv_query('apache-airflow', ecosystem = 'PyPI', all_affected = FALSE)
  4. Download all vulnerabilities listed for an ecosystem by giving only the ecosystem and no package name.

    osv_query(ecosystem = 'CRAN', all_affected = FALSE)
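The overview above describes checking the packages enumerated in an renv.lock file against OSV. As an added example (not code from the {rosv} package or its README), the following R script parses a constructed renv.lock string, maps renv package sources to OSV ecosystem names, and queries OSV for all pinned versions in one batch, keeping only the packages that were asked about. It assumes that {jsonlite} is installed for JSON parsing, that the OSV API is reachable (osv_query() calls it over the network), that the version argument of osv_query() accepts a vector parallel to name, and that the returned data.frame has name and id columns; the lock file content and the package names in it are constructed for the example.

```r
# Added example, not code from the {rosv} package or its README: check the
# packages pinned in an renv.lock file against OSV using osv_query().
# Assumptions: {jsonlite} is installed, the OSV API is reachable (osv_query()
# makes network calls), osv_query()'s `version` argument accepts a vector
# parallel to `name`, and the returned data.frame has `name` and `id` columns.
library(rosv)
library(jsonlite)

# Constructed sample renv.lock content. A real project would read the file:
#   paste(readLines("renv.lock"), collapse = "\n")
renv_lock_json <- '{
  "R": {
    "Version": "4.3.1",
    "Repositories": [{"Name": "CRAN", "URL": "https://cloud.r-project.org"}]
  },
  "Packages": {
    "readxl": {"Package": "readxl", "Version": "1.4.3",
               "Source": "Repository", "Repository": "CRAN"},
    "dplyr":  {"Package": "dplyr",  "Version": "1.1.4",
               "Source": "Repository", "Repository": "CRAN"},
    "BiocGenerics": {"Package": "BiocGenerics", "Version": "0.46.0",
                     "Source": "Bioconductor"},
    "mytool": {"Package": "mytool", "Version": "0.0.1",
               "Source": "GitHub", "RemoteType": "github"}
  }
}'

# Map each renv "Source" value to an OSV ecosystem name. Packages installed
# from GitHub or local sources have no OSV ecosystem and map to NA.
renv_source_to_ecosystem <- function(src) {
  switch(src,
         Repository   = "CRAN",
         Bioconductor = "Bioconductor",
         NA_character_)
}

# Flatten the "Packages" map into one row per package: name, version, ecosystem.
# Packages without an OSV ecosystem are reported and dropped.
parse_renv_lock <- function(lock_json) {
  lock <- jsonlite::fromJSON(lock_json, simplifyVector = FALSE)
  rows <- lapply(lock$Packages, function(p) {
    src <- if (is.null(p$Source)) "" else p$Source
    data.frame(name      = p$Package,
               version   = p$Version,
               ecosystem = renv_source_to_ecosystem(src),
               stringsAsFactors = FALSE)
  })
  pkgs <- do.call(rbind, rows)
  rownames(pkgs) <- NULL
  skipped <- pkgs$name[is.na(pkgs$ecosystem)]
  if (length(skipped) > 0) {
    message("Skipping packages with no OSV ecosystem: ",
            paste(skipped, collapse = ", "))
  }
  pkgs[!is.na(pkgs$ecosystem), , drop = FALSE]
}

# Query OSV for every pinned version in a single batch. all_affected = FALSE
# keeps only rows for the packages we asked about, so other packages named in
# the same advisory do not appear as findings against this lock file.
scan_renv_lock <- function(lock_json) {
  pkgs <- parse_renv_lock(lock_json)
  res <- osv_query(pkgs$name,
                   version      = pkgs$version,
                   ecosystem    = pkgs$ecosystem,
                   all_affected = FALSE)
  if (is.null(res) || nrow(res) == 0) {
    return(data.frame(name = character(), id = character(),
                      stringsAsFactors = FALSE))
  }
  # One row per (package, vulnerability ID): the list to review, or to turn
  # into a block list for a curated repository.
  unique(res[, c("name", "id")])
}

findings <- scan_renv_lock(renv_lock_json)
print(findings)
```

Because versions are sent with the query, a package is only reported when its pinned version falls inside an affected range; re-running the scan on a schedule (and clearing the {rosv} cache first, see clear_osv_cache()) is how newly published advisories for an unchanged lock file are picked up.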

Development notes

{rosv} builds its core API client on {httr2} and uses {httptest2} for testing against recorded responses; its low-level interface to the OSV API is implemented with R6 classes. There are also plans to return more types of details and to parse more of the returned content.


Monthly Downloads: 285

Version: 0.5.1

License: MIT + file LICENSE

Maintainer: Allen OBrien

Last Published: December 4th, 2023

Functions in rosv (0.5.1)

normalize_pypi_pkg: Normalize package name to PyPI expectation
osv_count_vulns: Count the number of reported vulnerabilities
osv_scan: Use OSV database to scan for vulnerabilities
osv_vulns: Query OSV API for vulnerability information based on ID
rosv-package: rosv: Client to Access and Operate on the 'Open Source Vulnerability' API
create_xref_whitelist: Cross reference a whitelist of packages to a vulnerability database
create_ppm_blacklist: Create blacklist commands for Posit Package Manager
RosvQuery1: R6 Class for OSV Query Endpoint
check_ecosystem: Check input against possible ecosystems available
RosvVulns: R6 Class for OSV Vulns Endpoint
copy_rosv: Copy a {rosv} object
create_osv_list: List packages identified in the OSV database
RosvQueryBatch: R6 Class for OSV Querybatch Endpoint
clear_osv_cache: Reset cached results of OSV calls
RosvDownload: R6 Class for OSV Database Downloads
osv_download: Download vulnerabilities from the OSV database
is_pkg_vulnerable: Detect if package within ecosystem has reported vulnerabilities
fetch_ecosystems: Fetch all available ecosystems
get_content: Retrieve contents field from {rosv} R6 object
osv_query: Query OSV API for individual package vulnerabilities
is_rosv: Is object made from {rosv} R6 class
osv_querybatch: Query OSV API for vulnerabilities given a vector of packages
osv_query_1: Query OSV API for vulnerabilities based upon an individual package