varnish/osv-rules
OSV Rules for Varnish Artifact Firewall

This repository contains auto-generated Varnish Artifact Firewall rulesets derived from OSV vulnerability data.

Rulesets are regenerated automatically every hour using osv-rulegen and committed directly to this repository.

Rulesets

Ecosystem   File
npm         rulesets/npm/all.yaml
pypi        rulesets/pypi/all.yaml

Usage

Add one or more git rulesets to the firewall configuration. With ref: main and interval: 1h the firewall re-fetches the branch head every hour, so a regenerated ruleset is picked up within an hour of being committed:

firewall:
  rulesets:
    - git:
        name: pypi-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/pypi/all.yaml
        interval: 1h
    - git:
        name: npm-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/npm/all.yaml
        interval: 1h

How it works

Each ruleset is generated by running:

docker run --rm varnish/osv-rulegen -ecosystem <name> > rulesets/<name>/all.yaml

Each OSV vulnerability becomes one rule. Records that share aliases (e.g. a CVE and the GHSA entry that references it) are collapsed into a single rule rather than emitted twice. Withdrawn vulnerabilities are skipped.

Severity mapping

Rules are assigned a numeric severity score (0–10) when one can be derived:

Source               Logic
MAL- prefix          Always 10.0 (confirmed malicious package)
CVSS v4 vector       Base score computed from the vector (preferred over v3)
CVSS v3 vector       Base score computed from the vector
Qualitative label    CRITICAL -> 9.5, HIGH -> 8.0, MODERATE/MEDIUM -> 5.5, LOW -> 2.0, NONE -> 0.0

When no severity information is available from any of these sources, the rule falls back to deny.
