OSV Rules for Varnish Artifact Firewall


This repository contains auto-generated Varnish Artifact Firewall rulesets derived from OSV vulnerability data.

Rulesets are regenerated automatically every hour using osv-rulegen and committed directly to this repository.

Rulesets

Ecosystem   File
npm         rulesets/npm/all.yaml
pypi        rulesets/pypi/all.yaml
nuget       rulesets/nuget/all.yaml

Usage

Add one or more git rulesets to the firewall configuration. Each entry points at one ruleset file in this repository; the 1h interval matches the hourly regeneration cadence:

firewall:
  rulesets:
    - git:
        name: pypi-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/pypi/all.yaml
        interval: 1h
    - git:
        name: npm-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/npm/all.yaml
        interval: 1h
    - git:
        name: nuget-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/nuget/all.yaml
        interval: 1h

Generate your own rules

The rulesets in this repo are produced by osv-rulegen. You can run it yourself to generate rules into your own repo, tweak the default action, or work from a local OSV dump.

docker run --rm varnish/osv-rulegen -ecosystem pypi > pypi-osv.yaml

Flags

Flag        Default     Description
-ecosystem  (required)  Ecosystem to convert
-action     deny        Rule action when no severity score can be determined (deny or hide)
-input      (none)      Path to a local OSV .zip to convert instead of downloading
-output     (none)      Download the zip, save it to this path, then exit
-verbose    false       Log each deduplicated and ecosystem-skipped record

Examples

Use hide instead of deny when severity is unknown:

docker run --rm varnish/osv-rulegen -ecosystem npm -action hide > npm-osv.yaml

Convert a previously downloaded OSV zip:

docker run --rm -v "$PWD:/data" varnish/osv-rulegen -ecosystem npm -input /data/npm-all.zip > npm-osv.yaml

Each OSV vulnerability becomes one rule. Records that share aliases (for example a CVE and its corresponding GHSA entry) are collapsed into a single rule. Withdrawn vulnerabilities are skipped.

Severity mapping

Rules are assigned a numeric severity score (0–10) when one can be derived:

Source              Logic
MAL- prefix         Always 10.0 (confirmed malicious package)
CVSS v4 vector      Base score computed from the vector (preferred over v3)
CVSS v3 vector      Base score computed from the vector
Qualitative label   CRITICAL→9.5, HIGH→8.0, MODERATE/MEDIUM→5.5, LOW→2.0, NONE→0.0

When no severity score can be derived from any of these sources, the rule gets the -action value instead (deny by default, or hide).
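As an added illustration, not osv-rulegen's code, the Python below reproduces the alias deduplication, withdrawn-record skipping and severity precedence described in the two sections above on a few constructed OSV-shaped records. It assumes the OSV schema field names (id, aliases, withdrawn, severity[].type/score, database_specific.severity, affected[].package), scores CVSS v3.x vectors with the v3.1 base formula, and does not implement the CVSS v4 calculator, so a record carrying only a v4 vector falls through to its qualitative label here (osv-rulegen prefers v4). Taking the maximum score across a deduplicated group is also an assumption, and the output dicts are an intermediate structure, not the Varnish Artifact Firewall rule format, which this page does not show.

```python
"""Toy re-implementation of the README's rule derivation (not osv-rulegen).
Assumes OSV schema field names; CVSS v4 vectors are NOT scored here."""
import math

LABEL_SCORES = {"CRITICAL": 9.5, "HIGH": 8.0, "MODERATE": 5.5,
                "MEDIUM": 5.5, "LOW": 2.0, "NONE": 0.0}

# CVSS v3.1 base-metric weights (spec section 7.4).
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
      "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62},
      "C": {"H": 0.56, "L": 0.22, "N": 0.0}}
_W["I"] = _W["A"] = _W["C"]
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed


def _roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, float-safe."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector):
    """Base score from a 'CVSS:3.x/AV:../AC:..' vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    s = m["S"]
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[s][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((impact + expl) if s == "U" else 1.08 * (impact + expl), 10))


def severity_score(rec):
    """README precedence: MAL- -> 10.0; CVSS v3 vector; qualitative label; else None."""
    if rec["id"].startswith("MAL-"):
        return 10.0
    for sev in rec.get("severity", []):
        if sev.get("type") == "CVSS_V3":      # CVSS_V4 deliberately not handled here
            return cvss31_base_score(sev["score"])
    return LABEL_SCORES.get(rec.get("database_specific", {}).get("severity", "").upper())


def build_rules(records, ecosystem, default_action="deny"):
    """One rule per alias-connected group of non-withdrawn records touching
    `ecosystem`. Group severity = max derivable member score (assumption)."""
    live = [r for r in records if not r.get("withdrawn")]
    parent = {}                                # union-find over ids and aliases

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for r in live:
        for alias in r.get("aliases", []):
            parent[find(r["id"])] = find(alias)
    groups = {}
    for r in live:
        groups.setdefault(find(r["id"]), []).append(r)
    rules = []
    for members in groups.values():
        members.sort(key=lambda r: r["id"])
        ids = sorted({i for r in members for i in [r["id"], *r.get("aliases", [])]})
        pkgs = sorted({a["package"]["name"] for r in members for a in r.get("affected", [])
                       if a["package"]["ecosystem"].lower() == ecosystem})
        if not pkgs:
            continue                            # "ecosystem-skipped" record
        scores = [s for s in map(severity_score, members) if s is not None]
        rules.append({"id": members[0]["id"], "aliases": ids, "packages": pkgs,
                      "severity": max(scores) if scores else None,
                      "action": None if scores else default_action})
    return rules


SAMPLE = [  # constructed records shaped like OSV JSON; ids are fictional
    {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-2099-0001"],
     "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"}}]},
    {"id": "CVE-2099-0001", "aliases": ["GHSA-xxxx-xxxx-xxxx"],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"}}]},
    {"id": "MAL-2099-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "evilpkg"}}]},
    {"id": "PYSEC-2099-0003", "database_specific": {"severity": "MODERATE"},
     "affected": [{"package": {"ecosystem": "PyPI", "name": "otherpkg"}}]},
    {"id": "PYSEC-2099-0004", "withdrawn": "2099-01-01T00:00:00Z",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "gonepkg"}}]},
    {"id": "GHSA-yyyy-yyyy-yyyy", "affected": [{"package": {"ecosystem": "npm", "name": "nodething"}}]},
    {"id": "PYSEC-2099-0005", "affected": [{"package": {"ecosystem": "PyPI", "name": "unscoredpkg"}}]},
]

if __name__ == "__main__":
    for rule in build_rules(SAMPLE, "pypi"):
        print(rule)
```

Running it for the pypi ecosystem yields four rules: the CVE/GHSA pair collapses into one rule scored 9.8 from its v3.1 vector, the MAL- record is pinned to 10.0, the MODERATE label maps to 5.5, the unscored record carries the default action, and the withdrawn and npm-only records produce nothing.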
