Adds environment variable to exclude osv malware feeds (#192)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

Author: prabhu

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "5.7.5"
+version = "5.7.6"
 description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},

vdb/lib/osv.py

@@ -3,6 +3,7 @@
 
 This module fetches the vulnerability data from osv.dev and stores them in NVD CVE 1.1 json format.
 """
+import os
 from zipfile import ZipFile
 
 import httpx
@@ -121,6 +122,9 @@ def to_vuln(self, cve_data):
         references = json_lib.dumps(references)
         if isinstance(references, bytes):
             references = references.decode("utf-8", "ignore")
+        # Offer an option to ignore malware data to keep the db size small
+        if os.getenv("OSV_EXCLUDE_MALWARE") and cve_id.startswith("MAL"):
+            return ret_data
         # Quality of PYSEC data is quite low missing both severity and score
         # Where a PYSEC feed also reference a github id, let's ignore it since G comes before P
         #   so it would have gotten processed