diff --git a/scripts/osv_scan.sh b/scripts/osv_scan.sh
index 784b9c8..9d31583 100644
--- a/scripts/osv_scan.sh
+++ b/scripts/osv_scan.sh
@@ -12,44 +12,31 @@ echo "Running OSV-Scanner recursively..."
 OSV_JSON="$(mktemp)"
 trap 'rm -f "$OSV_JSON"' EXIT
-osv-scanner --recursive ./ --format json > "$OSV_JSON"
+osv-scanner --recursive ./ --format json > "$OSV_JSON" || true
-python - <<'PY'
-import json, sys
-from pathlib import Path
+if ! command -v jq >/dev/null 2>&1; then
+ echo "Error: jq is not installed. Please install jq to parse OSV results."
+ exit 1
+fi
-path = Path("$OSV_JSON")
-data = json.loads(path.read_text()) if path.exists() else {}
+VULNS=$(jq -r '
+ .results[]? |
+ .source as $src |
+ .vulns[]? |
+ select(
+ (.database_specific.severity // "" | ascii_upcase | test("HIGH|CRITICAL")) or
+ (.severity[]?.score // "" | tostring | split("/")[0] | tonumber? // 0 | . >= 7.0)
+ ) |
+ "\(.id) (source: \($src))"
+' "$OSV_JSON")
-def is_high_or_critical(vuln):
- sev_label = str(vuln.get("database_specific", {}).get("severity", "")).upper()
- if sev_label in {"HIGH", "CRITICAL"}:
- return True
- for sev in vuln.get("severity", []):
- score = sev.get("score", "")
- try:
- val = float(str(score).split("/")[0])
- if val >= 9.0:
- return True # treat >=9 as critical
- if val >= 7.0:
- return True # high
- except Exception:
- continue
- return False
-
-highs = []
-for res in data.get("results", []):
- source = res.get("source", "unknown")
- for vuln in res.get("vulns", []):
- if is_high_or_critical(vuln):
- highs.append((source, vuln.get("id", "unknown")))
-
-if highs:
- print("OSV scan found HIGH/CRITICAL vulnerabilities:")
- for source, vid in highs:
- print(f" - {vid} (source: {source})")
- sys.exit(1)
-else:
- print("OSV scan: no HIGH/CRITICAL vulnerabilities found.")
-PY
+if [ -n "$VULNS" ]; then
+ echo "OSV scan found HIGH/CRITICAL vulnerabilities:"
+ echo "$VULNS" | while IFS= read -r line; do
+ echo " - $line"
+ done
+ exit 1
+else
+ echo "OSV scan: no HIGH/CRITICAL vulnerabilities found."
+fi
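Review bot: The `|| true` appended to the osv-scanner line, combined with the `?`-suffixed paths in the jq filter, turns this gate into one that fails open: a missing or crashing scanner, a truncated report, or a JSON layout the filter does not match all leave `VULNS` empty, and the script then prints "no HIGH/CRITICAL vulnerabilities found" and exits 0. osv-scanner uses exit status 1 to signal "vulnerabilities found" (confirm against the pinned version), so that is the only non-zero status worth tolerating; any other status should abort, and the report should be checked for the expected shape before filtering, as below. The numeric branch of the filter is also inert as written, carried over from the removed Python: for a CVSS vector string such as `CVSS:3.1/AV:N/...`, `split("/")[0] | tonumber? // 0` yields 0, so only the `database_specific.severity` label can ever select a finding. If the scanner's JSON nests findings under `results[].packages[].vulnerabilities[]` rather than `results[].vulns[]` — worth verifying against a real report — `.vulns[]?` matches nothing at all, which the shape check below would at least surface instead of reporting a clean scan. The jq-missing message should also go to stderr: `echo "Error: jq is not installed. Please install jq to parse OSV results." >&2`.
```shell
# … unchanged: mktemp / trap …
rc=0
osv-scanner --recursive ./ --format json > "$OSV_JSON" || rc=$?
# Exit 1 means "vulnerabilities found"; anything else is a scanner error and
# must not be mistaken for a clean scan (fail closed).
if [ "$rc" -ne 0 ] && [ "$rc" -ne 1 ]; then
  echo "Error: osv-scanner failed with exit status $rc; not reporting a clean scan." >&2
  exit "$rc"
fi
# … unchanged: jq presence check …
# Refuse to proceed unless the report parses and has the .results array the
# filter below relies on; otherwise the ?-suffixed paths silently match nothing.
if ! jq -e '.results | type == "array"' "$OSV_JSON" >/dev/null 2>&1; then
  echo "Error: OSV-Scanner output is missing or not a parsable JSON report." >&2
  exit 1
fi
# … unchanged: VULNS filter and reporting …
```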