* Query OSV batch API to find which packages have vulnerabilities. * Returns indices of packages that have vulnerabilities (for follow-up detailed queries). * @see https://google.github.io/osv.dev/post-v1-querybatch/
( packages: PackageQueryInfo[], )
| 32 | * @see https://google.github.io/osv.dev/post-v1-querybatch/ |
| 33 | */ |
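async function queryOsvBatch(
  packages: PackageQueryInfo[],
): Promise<{ vulnerableIndices: number[]; failed: boolean }> {
  // Nothing to look up; skip the round trip (and avoid an empty POST body).
  if (packages.length === 0) return { vulnerableIndices: [], failed: false }

  try {
    const response = await $fetch<OsvBatchResponse>('https://api.osv.dev/v1/querybatch', {
      method: 'POST',
      body: {
        queries: packages.map(pkg => ({
          package: { name: pkg.name, ecosystem: 'npm' },
          version: pkg.version,
        })),
      },
    })

    // Results are matched to `packages` purely by position, so the mapping below is
    // only trustworthy when the API answered every query. A short or malformed
    // `results` array would otherwise leave trailing packages silently unchecked
    // (or attribute a vuln to the wrong package), so report it as a failed lookup
    // instead of a clean bill of health. Callers see `failed: true` and an empty list.
    const results = response?.results
    if (!Array.isArray(results) || results.length !== packages.length) {
      const count = Array.isArray(results) ? results.length : 'no'
      // oxlint-disable-next-line no-console -- surface malformed OSV responses
      console.warn(
        `[dep-analysis] OSV batch response returned ${count} results for ${packages.length} queries - treating lookup as failed`,
      )
      return { vulnerableIndices: [], failed: true }
    }

    const vulnerableIndices: number[] = []
    for (const [i, result] of results.entries()) {
      if (result?.vulns && result.vulns.length > 0) {
        vulnerableIndices.push(i)
      }
      // A page token means OSV truncated this entry's vuln list (>1000 vulns for a
      // single query or >3000 total). Extremely unlikely for npm packages, but some
      // vulnerabilities would be missing, so make it visible in the log.
      if (result?.next_page_token) {
        // oxlint-disable-next-line no-console -- warn about paginated results
        console.warn(
          `[dep-analysis] OSV batch result has pagination token for package index ${i} ` +
            `(${packages[i]?.name}@${packages[i]?.version}) - some vulnerabilities may be missing`,
        )
      }
    }

    return { vulnerableIndices, failed: false }
  } catch (error: unknown) {
    // Network/HTTP errors: log with context and let the caller decide how to treat an
    // unknown vulnerability status (`failed: true`, not "no vulns").
    // oxlint-disable-next-line no-console -- log OSV API failures for debugging
    console.warn(`[dep-analysis] OSV batch query failed:`, error)
    return { vulnerableIndices: [], failed: true }
  }
}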
| 75 | |
| 76 | /** |
| 77 | * Query OSV for full vulnerability details for a single package. |