Add OSV (Open Source Vulnerabilities) reference type support

Chocapikk · Chocapikk · commit b903e1f426df · 2025-11-20T03:34:25.000+01:00
diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb
@@ -131,6 +131,8 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil)
       else
         self.site = "https://github.com/advisories/#{ghsa_id}"
       end
+    elsif in_ctx_id == 'OSV'
+      self.site = "https://osv.dev/vulnerability/#{in_ctx_val}"
     elsif in_ctx_id == 'URL'
       self.site = in_ctx_val.to_s
     elsif in_ctx_id == 'LOGO'
diff --git a/spec/module_validation_spec.rb b/spec/module_validation_spec.rb
@@ -125,11 +125,11 @@
 
       it 'has errors' do
         expect(subject.errors.full_messages).to eq [
-          "References url is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]",
-          "References FOO is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]",
+          "References url is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"OSV\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]",
+          "References FOO is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"OSV\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]",
           "References NOCVE please include NOCVE values in the 'notes' section, rather than in 'references'",
           "References AKA please include AKA values in the 'notes' section, rather than in 'references'",
-          "References ATTACK is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]"
+          "References ATTACK is not valid, must be in [\"ATT&CK\", \"CVE\", \"CWE\", \"BID\", \"MSB\", \"EDB\", \"GHSA\", \"OSV\", \"US-CERT-VU\", \"ZDI\", \"URL\", \"WPVDB\", \"PACKETSTORM\", \"LOGO\", \"SOUNDTRACK\", \"OSVDB\", \"VTS\", \"OVE\"]"
         ]
       end
     end
diff --git a/spec/support/lib/module_validation.rb b/spec/support/lib/module_validation.rb
@@ -92,6 +92,7 @@ def initialize(mod)
       MSB
       EDB
       GHSA
+      OSV
       US-CERT-VU
       ZDI
       URL
diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb
@@ -277,6 +277,10 @@ def check_ref_identifiers
           ghsa_pattern = /^(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
           warn("Invalid GHSA reference") if value !~ ghsa_pattern
           # No specific validation for repo format yet, as it's an optional string
+        when 'OSV'
+          # OSV format: ECOSYSTEM-YEAR-ID (e.g., GO-2021-0113, PYSEC-2024-123)
+          osv_pattern = /^[A-Z]+-\d{4}-[A-Z0-9-]+$/i
+          warn("Invalid OSV reference") if value !~ osv_pattern
         when 'URL'
           if value =~ /^https?:\/\/cvedetails\.com\/cve/
             warn("Please use 'CVE' for '#{value}'")
@@ -298,6 +302,8 @@ def check_ref_identifiers
             warn("Please use 'PACKETSTORM' for '#{value}'")
           elsif value =~ /^https?:\/\/github\.com\/(?:advisories|[\w\-]+\/[\w\-]+\/security\/advisories)\/GHSA-/
             warn("Please use 'GHSA' for '#{value}'")
+          elsif value =~ /^https?:\/\/osv\.dev\/vulnerability\//
+            warn("Please use 'OSV' for '#{value}'")
           end
         when 'AKA'
           warn("Please include AKA values in the 'notes' section, rather than in 'references'.")
diff --git a/tools/modules/module_missing_reference.rb b/tools/modules/module_missing_reference.rb
@@ -25,6 +25,7 @@ def types
     'WPVDB',
     'PACKETSTORM',
     'GHSA',
+    'OSV',
     'URL'
   ]
 end
diff --git a/tools/modules/module_reference.rb b/tools/modules/module_reference.rb
@@ -35,6 +35,7 @@ def types
     'WPVDB' => 'https://wpscan.com/vulnerability/#{in_ctx_val}',
     'PACKETSTORM' => 'https://packetstormsecurity.com/files/#{in_ctx_val}',
     'GHSA' => 'https://github.com/advisories/#{in_ctx_val}',
+    'OSV' => 'https://osv.dev/vulnerability/#{in_ctx_val}',
     'URL' => '#{in_ctx_val}'
   }
 end

-Original file line number
+Diff line change
       MSB
       EDB
       GHSA
 +      OSV
       US-CERT-VU
       ZDI
       URL
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ def types`
`25`	`25`	`'WPVDB',`
`26`	`26`	`'PACKETSTORM',`
`27`	`27`	`'GHSA',`
	`28`	`+ 'OSV',`
`28`	`29`	`'URL'`
`29`	`30`	`]`
`30`	`31`	`end`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ def types`
`35`	`35`	`'WPVDB' => 'https://wpscan.com/vulnerability/#{in_ctx_val}',`
`36`	`36`	`'PACKETSTORM' => 'https://packetstormsecurity.com/files/#{in_ctx_val}',`
`37`	`37`	`'GHSA' => 'https://github.com/advisories/#{in_ctx_val}',`
	`38`	`+ 'OSV' => 'https://osv.dev/vulnerability/#{in_ctx_val}',`
`38`	`39`	`'URL' => '#{in_ctx_val}'`
`39`	`40`	`}`
`40`	`41`	`end`