Merge branch 'master' into document_quality_bar

andrewpollock · May 17, 2024 · 66bfb68 · 66bfb68
2 parents 12cd78b + 42b2c3b
commit 66bfb68
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 7 deletions.
diff --git a/docs/data.md b/docs/data.md
@@ -52,14 +52,16 @@ The following ecosystems have vulnerabilities encoded in this format:
     ([CC-BY 4.0](https://github.com/psf/advisory-database/blob/main/LICENSE))
 
 ## Converted data
+
 Additionally, the OSV.dev team maintains a conversion pipeline for:
 
 -   [Debian Security Advisories](https://storage.googleapis.com/debian-osv/index.html),
     using the conversion tools
     [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/tools/debian).
 -   [Alpine SecDB](https://storage.googleapis.com/cve-osv-conversion/index.html?prefix=osv-output/),
     using the conversion tools
-    [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/alpine).
+    [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/alpine),
+-   [NVD CVEs for open source software](https://storage.googleapis.com/cve-osv-conversion/index.html?prefix=osv-output/) using the conversion tools [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/nvd-cve-osv)
 
 ## Covered Ecosystems
 

diff --git a/vulnfeeds/cmd/nvd-cve-osv/README.md b/vulnfeeds/cmd/nvd-cve-osv/README.md
@@ -1,10 +1,27 @@
-# Proof-of-concept code to leverage vulnfeeds for reasoning about C/C++ sources
+# Converting NVD CVEs for open source software to OSV
 
-This can be invoked as:
+Further context at [Introducing broad C/C++ vulnerability management support](https://osv.dev/blog/posts/introducing-broad-c-c++-support/)
+
+See [run_cve_to_osv_generation.sh](https://github.com/google/osv.dev/blob/master/vulnfeeds/cmd/nvd-cve-osv/run_cve_to_osv_generation.sh) for how this is invoked in Production.
+
+To see it in action on a single CVE:
 
-```shell
-go run cmd/nvd-cve-osv/main.go \
-  --nvd_json cve_jsons/nvdcve-1.1-2022.json \
 ```
+CVE=CVE-2024-3094
+
+git clone --recurse-submodules https://github.com/google/osv.dev
+
+cd osv.dev/vulnfeeds
+
+mkdir /tmp/nvd /tmp/nvd2osv
+
+(cd test_data && ./download_specific_cves $CVE)
+mv test_data/nvdcve-2.0/${CVE}.json /tmp/nvd
+gcloud storage cp "gs://osv-test-cve-osv-conversion/cpe_repos/cpe_product_to_repo.json" "/tmp"
+
+go run cmd/nvd-cve-osv/main.go \
+    --cpe_repos "/tmp/cpe_product_to_repo.json" \
+    --nvd_json "/tmp/nvd/${CVE}.json" \
+    --out_dir "/tmp/nvd2osv"
 
-Use `cmd/download-cves/main.go` for downloading the NVD JSON files
+cat /tmp/nvd2osv/*/*/${CVE}.json