wishlist: machine readable current vulnerabilities report tailored per repo #137
Comments
Sure, I do already have this in mind for the site (see #135), it would be easy to implement new API endpoints along the way. Some more info for CVEs needs to be stored, but that's not a problem.
I'd like to cycle back to this. For Ravenports, though, if we got the list of current vulnerabilities, we can track which CVEs were patched and filter those out. So if you want Repology to list patched CVEs for the parser we can do that, but it's not a dealbreaker since we can filter on the other side.
Hi Dmitry,
For my part, if Ravenports patches the CVE I can add this information to the repology.json file so you could implement the ability to adjust vulnerability reports with reported patching of CVEs. I think that was on your wish list ...
Well I do not plan to work on this in near future.
Well, ok, I'll work on a solution that doesn't involve repology then.
Hi Dmitry,
You might already have something like this in mind but just in case, let me lay out the background then the actual request.
So Ravenports currently uses a patched version of FreeBSD's pkg(8) for package management. It's been giving us problems especially on Linux so I'm in the process of rewriting it (in Ada but that isn't relevant). One feature I had eliminated from both the patched pkg and the new implementation is the vulnerabilities report feature because I didn't have that vulnerabilities xml file nor the manpower to generate one. But repology might be the solution to this.
If there was a URL on the repology website that would produce a report, say in json format, that listed all the active CVEs on the supported version in ravenports, our package manager could read that and have that vulnerability information I didn't think we could have.
I don't think it needs to include obsolete CVEs.
So for example, the last I checked, ravenports had 52 packages marked as vulnerable. So this proposed report would list those 52, the active CVEs for each, and perhaps a one line title/summary for each CVE.
Do you think that would be possible? I would imagine several other repository owners would find that useful somehow.
John
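As an added illustration of the consumer side of what is asked for in this thread (not code from Repology or Ravenports, and not an endpoint that exists): a package manager that fetches such a JSON report would parse it, validate the CVE ids, and, as suggested in the replies, drop the CVEs the repo has already patched using its own per-package patched list. The report field names, the shape of the patched list and the sample data are all constructed for this example; the CVE ids are placeholders, not real entries.

```python
import json
import re
from typing import Dict, List

# Only accept well-formed CVE ids, so a malformed upstream entry
# cannot end up in a report shown to users or used for decisions.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in the shape John describes in the issue: per package,
# the active CVEs and a one-line summary. Field names are an assumption
# made for this example; ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "repo": "ravenports",
    "packages": [
        {"name": "examplepkg", "version": "1.2.3",
         "cves": [
             {"id": "CVE-0000-0001", "summary": "constructed: overflow in parser"},
             {"id": "CVE-0000-0002", "summary": "constructed: missing bounds check"},
             {"id": "not-a-cve", "summary": "constructed: malformed entry, dropped"},
         ]},
        {"name": "otherpkg", "version": "4.5",
         "cves": [
             {"id": "CVE-0000-0003", "summary": "constructed: TLS hostname not verified"},
         ]},
    ],
})

# Constructed stand-in for the per-package "patched CVEs" data John offers
# to add to repology.json; the layout is an assumption for this example.
SAMPLE_PATCHED = {"examplepkg": ["CVE-0000-0001"]}


def parse_report(text: str) -> Dict[str, dict]:
    """Parse the report into {package: {"version": ..., "cves": [...]}},
    keeping only CVE entries whose id matches the CVE-YYYY-NNNN form."""
    data = json.loads(text)
    result: Dict[str, dict] = {}
    for pkg in data.get("packages", []):
        cves = [
            c for c in pkg.get("cves", [])
            if isinstance(c.get("id"), str) and CVE_ID.match(c["id"])
        ]
        result[pkg["name"]] = {"version": pkg.get("version"), "cves": cves}
    return result


def filter_patched(report: Dict[str, dict],
                   patched: Dict[str, List[str]]) -> Dict[str, dict]:
    """Remove CVEs the repo has already patched locally (the "filter on the
    other side" approach from the thread); drop packages left with none."""
    remaining: Dict[str, dict] = {}
    for name, info in report.items():
        done = set(patched.get(name, []))
        left = [c for c in info["cves"] if c["id"] not in done]
        if left:
            remaining[name] = {"version": info["version"], "cves": left}
    return remaining


def remaining_ids(report: Dict[str, dict],
                  patched: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Convenience view: {package: [still-open CVE ids]}."""
    return {name: [c["id"] for c in info["cves"]]
            for name, info in filter_patched(report, patched).items()}


def format_report(report: Dict[str, dict],
                  patched: Dict[str, List[str]]) -> List[str]:
    """One human-readable line per still-open CVE, as a package manager
    might print in its vulnerability report."""
    lines = []
    for name, info in filter_patched(report, patched).items():
        for c in info["cves"]:
            lines.append(f"{name}-{info['version']}: {c['id']} {c['summary']}")
    return lines


if __name__ == "__main__":
    for line in format_report(parse_report(SAMPLE_REPORT), SAMPLE_PATCHED):
        print(line)
```

The validation step matters because the report would be fetched over the network and fed straight into the package manager; rejecting anything that is not a CVE id keeps odd or hostile upstream content from reaching the display or any automated policy built on top of it.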