add maven support

Signed-off-by: Holly Gong <gongh@google.com>
ossf · Dec 17, 2024 · 8d88472 · 8d88472
1 parent 87982cb
commit 8d88472
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/tools/osv-linter/internal/pkgchecker/ecosystems.go b/tools/osv-linter/internal/pkgchecker/ecosystems.go
@@ -66,7 +66,7 @@ func ExistsInEcosystem(pkg string, ecosystem string) bool {
 	case "Linux":
 		return true
 	case "Maven":
-		return true
+		return existsInMaven(pkg)
 	case "npm":
 		return existsInNpm(pkg)
 	case "NuGet":

diff --git a/tools/osv-linter/internal/pkgchecker/package_check.go b/tools/osv-linter/internal/pkgchecker/package_check.go
@@ -62,8 +62,26 @@ func existsInHackage(pkg string) bool {
 	return checkPackageExists(packageInstanceURL)
 }
 
+// Validate the existence of a package in Maven.
+func existsInMaven(pkg string) bool {
+	if !strings.Contains(pkg, ":") {
+		return false
+	}
+	group_id := strings.Split(pkg, ":")[0]
+	artifact_id := strings.Split(pkg, ":")[1]
+	packageInstanceURL := fmt.Sprintf("%s/?q=g:%s%%20AND%%20a:%s", EcosystemBaseURLs["Maven"], group_id, artifact_id)
+	fmt.Println(packageInstanceURL)
+
+	// Needs to use GET instead of HEAD for Maven
+	resp, err := faulttolerant.Get(packageInstanceURL)
+	if err != nil {
+		return false
+	}
+
+	return resp.StatusCode == http.StatusOK
+}
+
 // Validate the existence of a package in PyPI.
-// Note: for malicious packages, if the package has been removed, the verify will be fail
 func existsInPyPI(pkg string) bool {
 	packageInstanceURL := fmt.Sprintf("%s/%s/json", EcosystemBaseURLs["PyPI"], strings.ToLower(pkg))
 

diff --git a/tools/osv-linter/internal/pkgchecker/package_check_test.go b/tools/osv-linter/internal/pkgchecker/package_check_test.go
@@ -196,6 +196,32 @@ func Test_existsInHackage(t *testing.T) {
 	}
 }
 
+func Test_existsInMaven(t *testing.T) {
+	tests := []struct {
+		name string
+		pkg  string
+		want bool
+	}{
+		{
+			name: "existing package",
+			pkg:  "de.gematik.refv.commons:commons",
+			want: true,
+		},
+		{
+			name: "non-existing package",
+			pkg:  "non-existing-package",
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := existsInMaven(tt.pkg); got != tt.want {
+				t.Errorf("existsInMaven() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func Test_existsInPyPI(t *testing.T) {
 	tests := []struct {
 		name string