ossf · andrewpollock · Sep 13, 2024 · Sep 12, 2024
diff --git a/tools/__init__.py b/tools/__init__.py
diff --git a/tools/redhat/.gitignore b/tools/redhat/.gitignore
@@ -0,0 +1 @@
+redhat_osv.egg-info/
diff --git a/tools/redhat/Pipfile b/tools/redhat/Pipfile
@@ -3,10 +3,11 @@ url = "https://pypi.python.org/simple"
 verify_ssl = true
 name = "pypi"
 
-[packages]
-jsonschema = "*"
-requests = "*"
-
 [dev-packages]
+setuptools = "*"
 pylint = "*"
-yapf = "*"
+yapf = "*"
+redhat_osv = {path = "."}
+
+[packages]
+redhat_osv = {editable = true, path = "."}
diff --git a/tools/redhat/Pipfile.lock b/tools/redhat/Pipfile.lock
diff --git a/tools/redhat/README.md b/tools/redhat/README.md
@@ -2,22 +2,32 @@
 
 ## Setup
 
+This tool is installable via Pip using a git reference such as:
+
+~~~
+redhat-osv @ git+https://github.com/ossf/osv-schema@0cef5d4#egg=redhat_osv&subdirectory=tools/redhat
+~~~
+
+Dependency management is therefore split between `setup.py` and `Pipenv`. Runtime dependencies are declared in 
+`setup.py` and installable by installing the project into a pipenv environment:
+
 ~~~
-$ pipenv sync
-$ pipenv shell
+$ pipenv install -e .
 ~~~
 
 ## Usage
 
 Needs to be run in a folder where the Red Hat CSAF documents to convert already exist. Files can be downloaded the [Red Hat Customer Portal Security Data section](https://access.redhat.com/security/data/csaf/v2/advisories/)
 ~~~
-$ ./convert_redhat.py csaf/rhsa-2024_4546.json
+$ pipenv run convert_redhat testdata/rhsa-2024_4546.json
 ~~~
 
 OSV documents will be output in the `osv` directory by default. Override the default with the `--output_directory` option.
 
-## Tests
+## Running Tests
+
+Run the tests like so:
 
 ~~~
-$ python3 -m unittest *_test.py
+$ pipenv run python3 -m unittest redhat_osv/*_test.py
 ~~~
diff --git a/tools/redhat/__init__.py b/tools/redhat/__init__.py
diff --git a/tools/redhat/convert_redhat.py b/tools/redhat/convert_redhat.py
@@ -9,45 +9,7 @@
 
 import requests
 from jsonschema import validate
-from csaf import CSAF
-from osv import DATE_FORMAT, OSV, OSVEncoder, SCHEMA_VERSION
-
-
-class RedHatConverter:
-    """
-    Class which converts and validates a CSAF string to an OSV string
-    """
-    SCHEMA = (
-        f"https://raw.githubusercontent.com/ossf/osv-schema/v{SCHEMA_VERSION}"
-        "/validation/schema.json")
-    REQUEST_TIMEOUT = 60
-
-    def __init__(self):
-        schema_content = requests.get(self.SCHEMA, timeout=self.REQUEST_TIMEOUT)
-        self.osv_schema = schema_content.json()
-
-    def convert(self,
-                csaf_content: str,
-                modified: str,
-                published: str = "") -> tuple[str, str]:
-        """
-        Converts csaf_content json string into an OSV json string
-        returns an OSV ID and the json string content of the OSV file
-        the json string content will be empty if no content is applicable
-        throws a validation error in the schema doesn't validate correctly.
-        The modified value for osv is passed in so it matches what's in all.json
-        Raises ValueError is CSAF file can't be parsed
-        """
-        csaf = CSAF(csaf_content)
-        osv = OSV(csaf, modified, published)
-
-        # We convert from an OSV object to a JSON string here in order to use the OSVEncoder
-        # Once we OSV json string data we validate it using the OSV schema
-        osv_content = json.dumps(osv, cls=OSVEncoder, indent=2)
-        osv_data = json.loads(osv_content)
-        validate(osv_data, schema=self.osv_schema)
-
-        return osv.id, osv_content
+from redhat_osv.osv import DATE_FORMAT, RedHatConverter
 
 
 def main():

diff --git a/tools/redhat/redhat_osv/__init__.py b/tools/redhat/redhat_osv/__init__.py
diff --git a/tools/redhat/convert_redhat_test.py → .../redhat/redhat_osv/convert_redhat_test.py b/tools/redhat/convert_redhat_test.py → .../redhat/redhat_osv/convert_redhat_test.py
@@ -2,8 +2,7 @@
 import unittest
 from datetime import datetime
 import json
-from convert_redhat import RedHatConverter
-from osv import DATE_FORMAT
+from redhat_osv.osv import DATE_FORMAT, RedHatConverter
 
 
 class TestRedHatConverter(unittest.TestCase):

diff --git a/tools/redhat/csaf.py → tools/redhat/redhat_osv/csaf.py b/tools/redhat/csaf.py → tools/redhat/redhat_osv/csaf.py
diff --git a/tools/redhat/csaf_test.py → tools/redhat/redhat_osv/csaf_test.py b/tools/redhat/csaf_test.py → tools/redhat/redhat_osv/csaf_test.py
@@ -1,7 +1,7 @@
 """Test parsing CSAF v2 advisories"""
 import unittest
 
-from csaf import Remediation
+from redhat_osv.csaf import Remediation
 
 
 class CSAFTest(unittest.TestCase):

diff --git a/tools/redhat/osv.py → tools/redhat/redhat_osv/osv.py b/tools/redhat/osv.py → tools/redhat/redhat_osv/osv.py
@@ -1,10 +1,11 @@
 """Module for parsing converting CSAF to OSV data"""
 import re
 from dataclasses import field, dataclass, InitVar
-from json import JSONEncoder
+import json
 from typing import Literal
-
-from csaf import Remediation, CSAF
+import requests
+from jsonschema import validate
+from redhat_osv.csaf import Remediation, CSAF
 
 # Update this if verified against a later version
 SCHEMA_VERSION = "1.6.5"
@@ -23,7 +24,7 @@
 )
 
 
-class OSVEncoder(JSONEncoder):
+class OSVEncoder(json.JSONEncoder):
     """Encodes OSV objects into JSON format"""
 
     def default(self, o):
@@ -175,19 +176,22 @@ def _convert_references(self, csaf) -> list[dict[str, str]]:
                         REDHAT_ADVISORY_URL)
                 references[reference["url"]] = "ADVISORY"
             else:
-                references[reference["url"]] = self._get_reference_type_and_add_go_related(
-                    reference)
+                references[reference[
+                    "url"]] = self._get_reference_type_and_add_go_related(
+                        reference)
         for vulnerability in csaf.vulnerabilities:
             for reference in vulnerability.references:
                 # This captures the CVE specific information
                 if reference["category"] == "self":
                     references[reference["url"]] = "REPORT"
                 else:
-                    references[reference["url"]] = self._get_reference_type_and_add_go_related(
-                        reference)
+                    references[reference[
+                        "url"]] = self._get_reference_type_and_add_go_related(
+                            reference)
         return [{"type": t, "url": u} for u, t in references.items()]
 
-    def _get_reference_type_and_add_go_related(self, reference: dict[str, str]) -> str:
+    def _get_reference_type_and_add_go_related(
+            self, reference: dict[str, str]) -> str:
         """
         Convert references from CSAF into typed referenced in OSV
         Also make sure to add a related entry for any GO advisory references found
@@ -201,3 +205,39 @@ def _get_reference_type_and_add_go_related(self, reference: dict[str, str]) -> s
             return "REPORT"
         return "ARTICLE"
 
+
+class RedHatConverter:
+    """
+    Class which converts and validates a CSAF string to an OSV string
+    """
+    SCHEMA = (
+        f"https://raw.githubusercontent.com/ossf/osv-schema/v{SCHEMA_VERSION}"
+        "/validation/schema.json")
+    REQUEST_TIMEOUT = 60
+
+    def __init__(self):
+        schema_content = requests.get(self.SCHEMA, timeout=self.REQUEST_TIMEOUT)
+        self.osv_schema = schema_content.json()
+
+    def convert(self,
+                csaf_content: str,
+                modified: str,
+                published: str = "") -> tuple[str, str]:
+        """
+        Converts csaf_content json string into an OSV json string
+        returns an OSV ID and the json string content of the OSV file
+        the json string content will be empty if no content is applicable
+        throws a validation error in the schema doesn't validate correctly.
+        The modified value for osv is passed in so it matches what's in all.json
+        Raises ValueError is CSAF file can't be parsed
+        """
+        csaf = CSAF(csaf_content)
+        osv = OSV(csaf, modified, published)
+
+        # We convert from an OSV object to a JSON string here in order to use the OSVEncoder
+        # Once we OSV json string data we validate it using the OSV schema
+        osv_content = json.dumps(osv, cls=OSVEncoder, indent=2)
+        osv_data = json.loads(osv_content)
+        validate(osv_data, schema=self.osv_schema)
+
+        return osv.id, osv_content
diff --git a/tools/redhat/osv_test.py → tools/redhat/redhat_osv/osv_test.py b/tools/redhat/osv_test.py → tools/redhat/redhat_osv/osv_test.py
@@ -1,8 +1,8 @@
 """Test Intermediate OSV object creation"""
 import unittest
 
-from csaf import CSAF
-from osv import OSV, Event
+from redhat_osv.csaf import CSAF
+from redhat_osv.osv import OSV, Event
 
 
 class ScoreTest(unittest.TestCase):

diff --git a/tools/redhat/setup.py b/tools/redhat/setup.py
@@ -0,0 +1,26 @@
+""" Convert a CSAF document to OSV format
+    i.e. https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4546.json
+"""
+
+from setuptools import setup, find_packages
+
+REQUIRES = [
+    "jsonschema",
+    "requests"
+]
+
+setup(
+    name="redhat_osv",
+    version="1.0.0",
+    description="Convert Red Hat CSAF documents to OSV format",
+    author_email="[email protected]",
+    url="",
+    keywords=["OSV", "CSAF"],
+    install_requires=REQUIRES,
+    classifiers=[
+        "Programming Language :: Python :: 3",
+    ],
+    packages=["redhat_osv"],
+    entry_points={"console_scripts": ["convert_redhat=convert_redhat:main"]},
+    long_description="The purpose of this tool is to convert from Red Hat CSAF documents to OSV",
+)