Add data sources and rule types for OSV and Sonatype OSS index

README.md

@@ -21,3 +21,14 @@ reference profile recommended for GitHub, use the following command:
 ```bash
 minder profile create -f profiles/github/profile.yaml
 ```
+
+# Data Sources
+
+Reference data sources are available in the `data-sources` directory. To take a data source
+into use, you'll need to instantiate it in a Minder instance. For example, to instantiate the
+reference data source for using OSV as a data source, use the following command:
+
+```bash
+minder datasource create -f data-sources osv.yaml
+```
+

data-sources/osv.yaml

@@ -0,0 +1,32 @@
+---
+version: v1
+type: data-source
+name: osv
+context: {}
+rest:
+  def:
+    query:
+      endpoint: 'https://api.osv.dev/v1/query'
+      parse: json
+      method: POST
+      body_from_field: query
+      input_schema:
+        type: object
+        properties:
+          query:
+            type: object
+            properties:
+              version:
+                type: string
+              package:
+                type: object
+                properties:
+                  ecosystem:
+                    type: string
+                    description: The ecosystem the dependency belongs to
+                  name:
+                    type: string
+                    description: The name of the dependency
+        required:
+          - query
+

data-sources/sonatype_oss_index.yaml

@@ -0,0 +1,30 @@
+---
+version: v1
+type: data-source
+name: sonatype_oss_index
+context: {}
+rest:
+  def:
+    query:
+      endpoint: 'https://ossindex.sonatype.org/api/v3/component-report'
+      parse: json
+      method: POST
+      body_from_field: request
+      headers:
+        Content-Type: application/json
+      input_schema:
+        type: object
+        properties:
+          request:
+            type: object
+            properties:
+              coordinates:
+                type: array
+                items:
+                  type: string
+                uniqueItems: true
+            required:
+              - coordinates
+        required:
+          - request
+

rule-types/common/osv_vulnerabilities.yaml

@@ -0,0 +1,95 @@
+---
+version: v1
+type: rule-type
+name: osv_vulnerabilities
+display_name: Detect Vulnerable Dependencies in OSV
+context: {}
+severity:
+  value: low  # TODO: We should derive the severity from the rule type output itself.
+release_phase: alpha
+short_failure_message: Vulnerable dependencies found in this repository matching the OSV database.
+description: |
+  This rule identifies dependencies in the repository with known vulnerabilities according to the OSV (Open Source Vulnerabilities) database. It helps ensure your project avoids using libraries or packages that could introduce security risks.
+
+  By regularly scanning and updating dependencies, you can mitigate the risk of exploits and maintain secure development practices.
+
+  Documentation: https://osv.dev/
+guidance: |
+  Check the dependencies in the repository for updates or patches. Resolve vulnerabilities by upgrading to a secure version. Refer to the following documentation for remediation steps:
+
+  - OSV: https://osv.dev
+def:
+  in_entity: repository
+  param_schema: {}
+  rule_schema: {}
+  ingest:
+    type: deps
+    deps: {}
+  eval:
+    type: rego
+    data_sources:
+      - name: osv
+    rego:
+      type: constraints
+      def: |
+        package minder
+
+        import rego.v1
+
+        default skip = false
+
+        violations[{"msg": msg}] if {
+          node := input.ingested.node_list.nodes[_]
+
+          name := node.name
+          version := node.version
+          ecosystem := get_ecosystem(node.properties)
+
+          reqparams := {
+              "query": {
+                "version": version,
+                "package": {
+                  "name": name,
+                  "ecosystem": ecosystem
+                }
+              }
+            }
+
+          out := minder.datasource.osv.query(reqparams)
+          vulns := out.body.vulns
+
+          count(vulns) > 0
+
+          vulnid := vulns[_].id
+
+          msg := sprintf("Package %v version %v has a vulnerability %v", [name, version, vulnid])
+        }
+
+        get_ecosystem(properties) := eco if {
+          count(properties) >= 1
+          prop := properties[_]
+
+          prop.name == "sourceFile"
+          eco := get_ecosystem_from_file(prop.data)
+        }
+
+        get_ecosystem_from_file(file) = "PyPI" if {
+          file == "requirements.txt"
+        }
+
+        get_ecosystem_from_file(file) = "npm" if {
+          file == "package.json"
+        }
+
+        get_ecosystem_from_file(file) = "RubyGems" if {
+          file == "Gemfile"
+        }
+
+        get_ecosystem_from_file(file) = "Go" if {
+          file == "go.mod"
+        }
+
+        get_ecosystem_from_file(file) = "crates.io" if {
+          file == "Cargo.toml"
+        }
+

rule-types/common/sonatype_oss_index_vulnerabilities.yaml

@@ -0,0 +1,63 @@
+---
+version: v1
+type: rule-type
+name: sonatype_oss_index_vulnerabilities
+display_name: Detect Vulnerable Dependencies in Sonatype OSS Index
+context: {}
+severity:
+  value: low
+release_phase: alpha
+short_failure_message: Vulnerable dependencies found in this repository matching the Sonatype OSS Index database.
+description: |
+  This rule identifies dependencies in the repository with known vulnerabilities as reported by the Sonatype OSS Index database. It helps ensure your project avoids using libraries or packages that could introduce security risks.
+
+  By regularly scanning and updating dependencies, you can mitigate the risk of exploits and maintain secure development practices.
+
+  Documentation: https://ossindex.sonatype.org/
+guidance: |
+  Check the dependencies in the repository for updates or patches. Resolve vulnerabilities by upgrading to a secure version. Refer to the following documentation for remediation steps:
+
+  - Sonatype OSS Index: https://ossindex.sonatype.org/
+  - Dependency management best practices: [link to relevant guide]
+def:
+  in_entity: repository
+  param_schema: {}
+  rule_schema: {}
+  ingest:
+    type: deps
+    deps: {}
+  eval:
+    type: rego
+    data_sources:
+      - name: sonatype-oss-index
+    rego:
+      type: constraints
+      def: |
+        package minder
+
+        import rego.v1
+
+        default skip = false
+
+        violations[{"msg": msg}] if {
+          node := input.ingested.node_list.nodes[_]
+
+          purl := node.identifiers["1"]
+
+          reqparams := {
+              "request": {
+                "coordinates": [
+                    purl
+                ]
+              }
+            }
+
+          out := minder.datasource.sonatype_oss_index.query(reqparams)
+          vulns := out.body[0].vulnerabilities
+
+          count(vulns) > 0
+
+          vulnid := vulns[_].id
+
+          msg := sprintf("Package '%v' has a vulnerability %v", [purl, vulnid])
+        }