swh.osv.map_packages module#

swh.osv.map_packages.SWH_API_SEMAPHORE = <asyncio.locks.Semaphore object at 0x7f86e4b4c950 [unlocked, value:10]>#

Prevents more than 10 concurrent requests to the SWH API

swh.osv.map_packages.QUERY_MAVEN = False#

Sends requests to https://repo1.maven.org/maven2 in order to check whether origins have no sources, are missing from SWH, or are not on Maven; and print which it is.

swh.osv.map_packages.DEFAULT_MAVEN_REPOSITORY = 'https://repo1.maven.org/maven2'#

Which Maven repository to use when it is not specified in the vulnerability report (which is true of all reports I have seen so far).

The OSV spec says https://repo.maven.apache.org/maven2 but SWH archives https://repo1.maven.org/maven2 instead, so let’s use that instead, because they are the same repository under the hood.

class swh.osv.map_packages.DocProcessor(stub: swh.graph.grpc.swhgraph_pb2_grpc.TraversalServiceStub, session: aiohttp.client.ClientSession, origin_denormalizer: swh.osv.map_origins.OriginDenormalizer, found: set[tuple[str, str]] = <factory>, unmapped: set[tuple[str, str]] = <factory>, not_found: set[tuple[str, str]] = <factory>, incorrect_ecosystem: set[tuple[str, str]] = <factory>, confabulated: set[tuple[str, str]] = <factory>, todo_mappings: set[tuple[str, str]] = <factory>)[source]#

Bases: object

stub: TraversalServiceStub#
session: ClientSession#
origin_denormalizer: OriginDenormalizer#
found: set[tuple[str, str]]#
unmapped: set[tuple[str, str]]#
not_found: set[tuple[str, str]]#
incorrect_ecosystem: set[tuple[str, str]]#
confabulated: set[tuple[str, str]]#
todo_mappings: set[tuple[str, str]]#
total_found = 0#
total_unmapped = 0#
total_not_found = 0#
total_incorrect_ecosystem = 0#
total_confabulated = 0#
total_todo = 0#
async process_docs(arg)[source]#
async process_package(package: dict, doc: dict) None[source]#
async swh.osv.map_packages.main(conn: Connection) None[source]#