andrew/homebrew-advisory-database
Homebrew Advisory Database

OSV-format vulnerability records for Homebrew packages. Each record describes a CVE that affected a homebrew-core formula and the Homebrew version+revision at which it was fixed by an applied patch.

This is an early demo. It currently covers only CVEs that a formula's patch block declares (or infers) as resolved, derived from patches[].resolves in brew info --json=v2 (Homebrew 6.0.4+). See Homebrew/discussions#6869 for background and Homebrew/homebrew-brew-vulns#95 for the annotation backfill.

Record format

Records follow the OSV schema under a Homebrew ecosystem with pkg:brew/<name> purls and BREW-<formula>-<CVE> ids. The upstream field links to the source CVE; summary, details, severity and references are copied from the upstream OSV record where available. affected[].ecosystem_specific carries the URL and applied-file list of the resolving patch.

{
  "schema_version": "1.7.3",
  "id": "BREW-lrzsz-CVE-2018-10195",
  "upstream": ["CVE-2018-10195"],
  "affected": [{
    "package": {"ecosystem": "Homebrew", "name": "lrzsz", "purl": "pkg:brew/lrzsz"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.12.20_1"}]}],
    "ecosystem_specific": {"fix": "patch", "patches": [{"url": "..."}]}
  }]
}

The fixed boundary is currently the version+revision shipped at generation time, not necessarily the revision that introduced the patch. Tightening that requires git archaeology on homebrew-core and will come later.

Homebrew versions are the upstream version with an optional _N revision suffix; 1.81.6_5 < 1.81.6_6 < 1.82.0.
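As an added example (not code from this repository, and not Homebrew's own Version class), the following Python shows how a consumer would compare Homebrew version+revision strings and test whether an installed formula falls inside a record's ECOSYSTEM range. It assumes dot-separated upstream components compare numerically where numeric and as strings otherwise; the sample record is constructed from the lrzsz example above.

```python
import json

# Constructed sample record, modelled on the README's lrzsz example above.
SAMPLE_RECORD = json.loads("""{
  "id": "BREW-lrzsz-CVE-2018-10195",
  "affected": [{
    "package": {"ecosystem": "Homebrew", "name": "lrzsz", "purl": "pkg:brew/lrzsz"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "0.12.20_1"}]}]
  }]
}""")


def parse_brew_version(v):
    """Split 'upstream[_N]' into a sortable (upstream_key, revision) pair.

    Assumption, not Homebrew's own Version class: dot-separated upstream
    components compare as integers when numeric, otherwise as strings, and a
    shorter version sorts before a longer one sharing its prefix.
    """
    upstream, _, rev = v.partition("_")
    key = tuple((0, int(p)) if p.isdigit() else (1, p) for p in upstream.split("."))
    return key, int(rev) if rev else 0


def is_affected(record, name, version):
    """True if name@version lies in an affected ECOSYSTEM range of the record.

    OSV semantics: affected from an 'introduced' event up to, but excluding,
    the next 'fixed' event; an 'introduced' with no later 'fixed' is open-ended.
    """
    target = parse_brew_version(version)
    for aff in record["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != "Homebrew" or pkg["name"] != name:
            continue
        for rng in aff["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            start = None
            for event in rng["events"]:
                if "introduced" in event:
                    start = parse_brew_version(event["introduced"])
                elif "fixed" in event and start is not None:
                    if start <= target < parse_brew_version(event["fixed"]):
                        return True
                    start = None
            if start is not None and start <= target:
                return True
    return False
```

Because the fixed boundary is "version+revision shipped at generation time", a revision between the real fix and the recorded one is reported as affected; that is the conservative side of the imprecision the README describes.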

Generation

Records are produced by brew vulns --osv-export and regenerated daily by the Regenerate workflow. Every push is validated against the OSV JSON schema.

Status

Not yet registered with osv.dev. The plan is to transfer this repository into the Homebrew organisation and then open a new data source request.

Upstream registrations needed:

  • BREW- id prefix and Homebrew ecosystem in ossf/osv-schema (the validate workflow patches these into the schema enum until then)
  • pkg:brew purl type in package-url/purl-spec — proposed in package-url/purl-spec#796, tracked in #254
  • pkg:brew handling in osv.dev's purl_helpers.py and a Homebrew version comparator in _ecosystems.py

License

Advisory data is released under CC0 1.0.
