rewrite osv_scan to use jq

This commit is contained in:
2025-12-24 17:22:39 -06:00
parent 0ec99e1e1e
commit 560a22ac5a


@@ -12,44 +12,31 @@ echo "Running OSV-Scanner recursively..."
OSV_JSON="$(mktemp)"
trap 'rm -f "$OSV_JSON"' EXIT
osv-scanner --recursive ./ --format json > "$OSV_JSON"
osv-scanner --recursive ./ --format json > "$OSV_JSON" || true
python - <<'PY'
import json, sys
from pathlib import Path
if ! command -v jq >/dev/null 2>&1; then
echo "Error: jq is not installed. Please install jq to parse OSV results."
exit 1
fi
path = Path("$OSV_JSON")
data = json.loads(path.read_text()) if path.exists() else {}
VULNS=$(jq -r '
.results[]? |
.source as $src |
.vulns[]? |
select(
(.database_specific.severity // "" | ascii_upcase | test("HIGH|CRITICAL")) or
(.severity[]?.score // "" | tostring | split("/")[0] | tonumber? // 0 | . >= 7.0)
) |
"\(.id) (source: \($src))"
' "$OSV_JSON")
def is_high_or_critical(vuln):
sev_label = str(vuln.get("database_specific", {}).get("severity", "")).upper()
if sev_label in {"HIGH", "CRITICAL"}:
return True
for sev in vuln.get("severity", []):
score = sev.get("score", "")
try:
val = float(str(score).split("/")[0])
if val >= 9.0:
return True # treat >=9 as critical
if val >= 7.0:
return True # high
except Exception:
continue
return False
highs = []
for res in data.get("results", []):
source = res.get("source", "unknown")
for vuln in res.get("vulns", []):
if is_high_or_critical(vuln):
highs.append((source, vuln.get("id", "unknown")))
if highs:
print("OSV scan found HIGH/CRITICAL vulnerabilities:")
for source, vid in highs:
print(f" - {vid} (source: {source})")
sys.exit(1)
else:
print("OSV scan: no HIGH/CRITICAL vulnerabilities found.")
PY
if [ -n "$VULNS" ]; then
echo "OSV scan found HIGH/CRITICAL vulnerabilities:"
echo "$VULNS" | while IFS= read -r line; do
echo " - $line"
done
exit 1
else
echo "OSV scan: no HIGH/CRITICAL vulnerabilities found."
fi
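Review bot: The `|| true` added on the osv-scanner line makes this gate fail open: if the scanner is missing, cannot reach the vulnerability database, or aborts before writing output, `$OSV_JSON` is empty, `jq` prints nothing and exits 0 on an empty file, `$VULNS` is empty, and the script reports "no HIGH/CRITICAL vulnerabilities found" and exits 0. Only exit status 1 (findings written — as far as I know that is osv-scanner's convention) should be tolerated; any other non-zero status, and any output that is not parseable JSON, should fail the job. Separately, in the OSV records I have seen `severity[].score` carries a CVSS vector string such as `CVSS:3.1/AV:N/...`, so `split("/")[0] | tonumber?` yields no number and the `>= 7.0` branch never fires — worth confirming against a real result, since the gate would then rely solely on `database_specific.severity`. The change below replaces the `|| true` line and adds a validation step right after the existing `command -v jq` check.

```shell
# … unchanged: mktemp / trap …
OSV_RC=0
osv-scanner --recursive ./ --format json > "$OSV_JSON" || OSV_RC=$?
# osv-scanner exits 1 when it reports findings; any other non-zero status is a tool failure and must not pass the gate.
if [ "$OSV_RC" -ne 0 ] && [ "$OSV_RC" -ne 1 ]; then
  echo "Error: osv-scanner failed (exit code $OSV_RC)."
  exit 1
fi
# … unchanged: command -v jq check …
# jq prints nothing and exits 0 on an empty file, so validate the output before filtering it.
if ! jq -e . "$OSV_JSON" >/dev/null 2>&1; then
  echo "Error: osv-scanner output is empty or not valid JSON."
  exit 1
fi
# … unchanged: VULNS=$(jq -r …) and reporting …
```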