From 1f82c30c839308aff4b5c20f074d410bc82d0d7c Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Mon, 18 May 2026 17:49:37 +0100
Subject: [PATCH] feat: rudimentary id provider record manipulation

Signed-off-by: Weston Steimel
---
 .../identifiers/providers/models/__init__.py   |  0
 .../identifiers/providers/models/alteration.py |  8 ++++++++
 .../providers/openssf_malicious_packages.py    | 18 +++++++++++++++++-
 uv.lock                                        |  9 ++++++++-
 4 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 src/anchore_security_cli/identifiers/providers/models/__init__.py
 create mode 100644 src/anchore_security_cli/identifiers/providers/models/alteration.py

diff --git a/src/anchore_security_cli/identifiers/providers/models/__init__.py b/src/anchore_security_cli/identifiers/providers/models/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/src/anchore_security_cli/identifiers/providers/models/alteration.py b/src/anchore_security_cli/identifiers/providers/models/alteration.py
new file mode 100644
index 0000000..a94eb61
--- /dev/null
+++ b/src/anchore_security_cli/identifiers/providers/models/alteration.py
@@ -0,0 +1,8 @@
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class Alteration:
+    identifier: str
+    drop: set[str] | None = None
+    add: set[str] | None = None
diff --git a/src/anchore_security_cli/identifiers/providers/openssf_malicious_packages.py b/src/anchore_security_cli/identifiers/providers/openssf_malicious_packages.py
index 79ab202..66cb5c4 100644
--- a/src/anchore_security_cli/identifiers/providers/openssf_malicious_packages.py
+++ b/src/anchore_security_cli/identifiers/providers/openssf_malicious_packages.py
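Review bot: `Alteration` is declared `frozen=True` but its `drop` and `add` fields are mutable `set`s, so instances are neither immutable nor hashable in practice — `hash(Alteration("x", drop={"y"}))` raises because the generated `__hash__` hashes the field values, and the sets can still be mutated after construction. Declaring the fields as `frozenset[str] | None` (constructing entries with `frozenset({...})`) makes the override table genuinely read-only, which matters because these records silently rewrite alias data that downstream matching relies on. The class also carries no docstring; I would add `"""Manual override for one provider record: identifiers to drop from and/or add to its alias list."""` and a field comment noting that `identifier` is the upstream record id the override applies to.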
@@ -4,11 +4,16 @@
 from glob import iglob
 
 from anchore_security_cli.identifiers.aliases import Aliases
+from anchore_security_cli.identifiers.providers.models.alteration import Alteration
 from anchore_security_cli.identifiers.providers.provider import ArchiveProvider, ProviderRecord
 
+alterations: list[Alteration] = [
+    Alteration(identifier="MAL-2024-3834", drop={"GHSA-r6x6-85h3-39v6"}),
+]
 
 class OpenSSFMaliciousPackages(ArchiveProvider):
     def __init__(self):
+        self._indexed_alterations = {a.identifier:a for a in alterations}
         super().__init__(
             name="OpenSSF Malicious Packages",
             url="https://github.com/ossf/malicious-packages/archive/refs/heads/main.tar.gz",
@@ -25,7 +30,18 @@ def _process_fetch(self, content_dir: str) -> list[ProviderRecord]:
                 data = json.load(f)
 
                 record_id = data["id"]
-                aliases = Aliases.from_list([record_id, *data.get("aliases", [])], provider=self.name)
+
+                aliases = data.get("aliases", [])
+                if record_id in self._indexed_alterations:
+                    alteration = self._indexed_alterations[record_id]
+                    if alteration.drop and aliases:
+                        aliases = list(set(aliases)-alteration.drop)
+
+                    if alteration.add:
+                        for identifier in alteration.add:
+                            aliases.append(identifier)
+
+                aliases = Aliases.from_list([record_id, *aliases], provider=self.name)
                 published = self._parse_date(data.get("published"))
 
                 if not record_id.startswith("MAL-"):
diff --git a/uv.lock b/uv.lock
index 26926fc..f219e40 100644
--- a/uv.lock
+++ b/uv.lock
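Review bot: The module-level `alterations` table carries a security-relevant override — it strips `GHSA-r6x6-85h3-39v6` from `MAL-2024-3834` — without any comment saying why that alias is wrong, so someone auditing the emitted data later cannot verify the override or know when it can be retired. I would put a comment above the entry recording the reason and a pointer, e.g. `# GHSA-r6x6-85h3-39v6 is not an alias of MAL-2024-3834 (reason/link here); drop this entry once upstream ossf/malicious-packages is corrected`. The dict comprehension in `__init__` also silently keeps only the last entry when two `Alteration`s share an `identifier`; a startup guard such as `if len(self._indexed_alterations) != len(alterations): raise ValueError("duplicate alteration identifiers")` would surface that instead of quietly losing an override. `__init__` continues past the end of the hunk.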
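Review bot: `list(set(aliases)-alteration.drop)` discards the upstream alias ordering and, since str hashing is randomized per process, produces a different order on every run; iterating `alteration.add` (a set) has the same problem, so records for altered ids are not reproducible across runs. An order-preserving filter fixes both: `aliases = [a for a in aliases if a not in alteration.drop]` and `aliases.extend(sorted(alteration.add))`. There is also no signal when a `drop` entry no longer matches anything (upstream removes or renames the alias), so an override goes stale silently; I would log a warning, with whatever logger this module uses, when `alteration.drop.difference(aliases)` is non-empty. Note too that `aliases.append(...)` mutates the list held inside `data` when no drop applied — harmless here because `data` is not reused, but `aliases = list(data.get("aliases", []))` avoids the surprise. `_process_fetch` begins and ends outside the hunk.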
@@ -3,9 +3,16 @@ revision = 3
 requires-python = ">=3.13, <3.15"
 [options]
-exclude-newer = "2026-04-20T14:10:52.75343304Z"
+exclude-newer = "0001-01-01T00:00:00Z"
 # This has no effect and is included for backwards compatibility when using relative exclude-newer values.
 exclude-newer-span = "P1W"
 
+[options.exclude-newer-package]
+grype-db-manager = { timestamp = "0001-01-01T00:00:00Z", span = "PT2H" }
+vunnel = { timestamp = "0001-01-01T00:00:00Z", span = "PT2H" }
+uv = { timestamp = "0001-01-01T00:00:00Z", span = "P7D" }
+yardstick = { timestamp = "0001-01-01T00:00:00Z", span = "PT2H" }
+ruff = { timestamp = "0001-01-01T00:00:00Z", span = "P7D" }
+
 [[package]]
 name = "anchore-security-cli"
 source = { editable = "." }