{"id":18291155,"url":"https://github.com/trustification/ONguard","last_synced_at":"2025-10-03T13:30:56.101Z","repository":{"id":218769570,"uuid":"733503465","full_name":"RHEcosystemAppEng/ONguard","owner":"RHEcosystemAppEng","description":null,"archived":false,"fork":false,"pushed_at":"2024-05-21T16:07:26.000Z","size":301,"stargazers_count":0,"open_issues_count":2,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2024-05-22T12:05:50.382Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RHEcosystemAppEng.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-19T13:27:12.000Z","updated_at":"2024-05-29T22:40:52.208Z","dependencies_parsed_at":"2024-02-22T12:25:12.872Z","dependency_job_id":"7561fc0f-afe5-42fe-9712-60fb1dbfc435","html_url":"https://github.com/RHEcosystemAppEng/ONguard","commit_stats":null,"previous_names":["rhecosystemappeng/onguard"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RHEcosystemAppEng%2FONguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RHEcosystemAppEng%2FONguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RHEcosystemAppEng%2FONguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RHEcosystemAppEng%2FONguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RHEcosystemAppEng","download
_url":"https://codeload.github.com/RHEcosystemAppEng/ONguard/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235134711,"owners_count":18941318,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-05T14:13:23.302Z","updated_at":"2025-10-03T13:30:55.515Z","avatar_url":"https://github.com/RHEcosystemAppEng.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ONGuard\n\nThe ONGuard (OSV Guard) service integrates OSV in order to retrieve CVE vulnerabilities from\nthe given set of package urls (purls).\n\nUpon receiving a collection of `purls`:\n\n```json\n{\n    \"purls\": [\n        \"pkg:maven/io.quarkus/quarkus-vertx-http@2.13.5.Final?type=jar\",\n        \"pkg:maven/io.quarkus/quarkus-core@2.13.5.Final?type=jar\"\n    ]\n}\n```\n\nThe service will query the OSV REST API to retrieve the vulnerabilities associated to each of these `purls` and\nthe OSV Service will return with a collection of vulnerabilities.\n\n```json\n{\n    \"results\": [\n        {\n            \"vulns\": [\n                {\n                    \"id\":  \"GHSA-4f4r-wgv2-jjvg\",\n                    \"modified\": \"2023-12-06T03:15:58.438241Z\"\n                },\n                {\n                    \"id\": \"GHSA-c57v-hc7m-8px2\",\n                    \"modified\": \"2023-04-11T01:26:48.949735Z\"\n                }\n            ]\n        },\n        {\n            \"vulns\": [\n\n            ]\n        }\n    ]\n}\n```\n\nWe need to expand each of these vulnerability IDs and for 
that the service will retrieve the OSV data\nthat contains useful remediation information, aliases (including the CVE), summary, title and metrics.\n\nThat means the service has to perform 2 requests:\n- OSV /vulns/{vulnId}\n\nAs you can imagine, that implies (number of vulnerabilities) + 1 requests for each request, which in a normal-sized\nJava project with 150 dependencies (direct and transitive) will be 101 HTTP requests.\n\nFor that reason we have added a Redis cache in order to cache the individual requests to OSV.\n\nThe final result of the aggregated data will look like this:\n\n```json\n{\n    \"pkg:maven/io.quarkus/quarkus-vertx-http@2.13.5.Final?type=jar\": [\n        {\n            \"cveId\": \"CVE-2023-4853\",\n            \"created\": \"2024-02-02T06:56:20.584+00:00\",\n            \"summary\": \"Quarkus HTTP vulnerable to incorrect evaluation of permissions\",\n            \"description\": \"A flaw was found in Quarkus where HTTP security ...\",\n            \"affected\": [\n                {\n                    \"package\": {},\n                    \"ranges\": [],\n                    \"versions\": []\n                }\n            ],\n            \"severity\": [\n                {\n                    \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\n                    \"type\": \"CVSS_V3\"\n                }\n            ]\n        }\n    ]\n}\n```\n\n## Endpoints\n\nThe ONGuard service provides the following service endpoints:\n\n### POST /purls\n\nThis endpoint resolves the package urls into public CVEs.\n\n### GET /vulnerabilities/{vulnerabilityID}\n\nRetrieves the public CVE data for the given Vulnerability ID. If this ID is not a CVE (e.g. 
GHSA) the associated CVE will be returned, if one exists.\n\n### POST /vulnerabilities\n\nRetrieves the public CVE data for the given Vulnerability IDs in JSON format.\n\n```json\n[\n    \"vulnId-1\",\n    \"vulnId-2\"\n]\n```\n\n## OpenAPI Schema\n\nThe OpenAPI Schema can be retrieved from the management endpoint at http://localhost:9000/q/openapi\n\n## Running the application\n\n### Running the application locally\n\nThe application depends on Redis and uses the JSON capability. You can either connect to an existing instance or use the `TestContainers` framework to spin up one for you.\n\n#### Using Redis with TestContainers\n\nIn this case, as it is the default configuration, you only need to provide the apiKey.\n\n```shell script\n./mvnw compile quarkus:dev\n```\n\n* Note: If you're having issues with Podman and TestContainers you can check the [Quarkus Blog](https://quarkus.io/blog/quarkus-devservices-testcontainers-podman/) and the [Quarkus Podman guide](https://quarkus.io/guides/podman)\n\n#### Connecting to an existing Redis database\n\nIn this case I will use podman to start an instance. Note that I use the `redis-stack` instance because it contains the JSON capability. 
I also expose the port 8001 for connecting to the Redis Insights instance.\n\n```bash\npodman run -d --rm -p 6379:6379 -p 8001:8001 --name redis-stack redis/redis-stack:latest\n```\n\nYou can run your application in dev mode that enables live coding using:\n\n```shell script\n./mvnw compile quarkus:dev -Dquarkus.redis.hosts=redis://localhost:6379/\n```\n\n## Packaging and running the application\n\nThe application can be packaged using:\n```shell script\n./mvnw package\n```\nIt produces the `quarkus-run.jar` file in the `target/quarkus-app/` directory.\nBe aware that it’s not an _über-jar_ as the dependencies are copied into the `target/quarkus-app/lib/` directory.\n\nThe application is now runnable using `java -jar target/quarkus-app/quarkus-run.jar`.\n\nIf you want to build an _über-jar_, execute the following command:\n```shell script\n./mvnw package -Dquarkus.package.type=uber-jar\n```\n\nThe application, packaged as an _über-jar_, is now runnable using `java -jar target/*-runner.jar`.\n\n## Creating a native executable\n\nYou can create a native executable using: \n```shell script\n./mvnw package -Pnative\n```\n\nOr, if you don't have GraalVM installed, you can run the native executable build in a container using: \n```shell script\n./mvnw package -Pnative -Dquarkus.native.container-build=true\n```\n\nYou can then execute your native executable with: `./target/onguard-\u003cversion\u003e-runner`\n\nIf you want to learn more about building native executables, please consult https://quarkus.io/guides/maven-tooling.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustification%2FONguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustification%2FONguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustification%2FONguard/lists"}