DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Investigate possibility of integrating with nexB VulnerableCode #646

Open stevespringett opened 4 years ago

stevespringett commented 4 years ago

VulnerableCode may be able to serve as an additional source of vulnerability intelligence.

If an org uses VulnerableCode and has the webserver running, the API could be used by Dependency-Track during analysis.

SPIKE: Need to determine if PURL or CPE is supported in API, and if not, what other pieces of data it needs. Also need to investigate response to ensure the necessary fields are there to support it as a source.

https://github.com/nexB/vulnerablecode

sschuberth commented 3 years ago

VulnerableCode's API takes PURLs, but unfortunately no batch requests yet, see https://github.com/nexB/vulnerablecode/issues/284.
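Added example, not code from Dependency-Track, VulnerableCode, or any participant in this thread: a minimal per-PURL lookup client that shows what an integration has to do while the API takes PURLs but has no batch request. The endpoint path (`/api/packages?purl=...`) and the response shape (`results[].affected_by_vulnerabilities[].vulnerability_id`) are assumptions to check against the deployed VulnerableCode version; the BOM entries, vulnerability ids and server responses below are constructed so the block runs offline.

```python
# Added example (not Dependency-Track or VulnerableCode code): one request per
# distinct PURL against a VulnerableCode-style API, since no batch endpoint
# exists yet.
#
# ASSUMPTIONS (not confirmed by the thread): the endpoint is
#   GET <base>/api/packages?purl=<url-encoded purl>
# and it returns JSON shaped like
#   {"results": [{"purl": ..., "affected_by_vulnerabilities":
#                 [{"vulnerability_id": ...}], "fixing_vulnerabilities": [...]}]}
import json
from collections import OrderedDict
from urllib.parse import quote, unquote
from urllib.request import Request, urlopen


def package_url(base_url, purl):
    """Build the (assumed) single-package query URL. The PURL is encoded whole
    because '@', '?', '#' and '/' all carry meaning inside a PURL."""
    return f"{base_url.rstrip('/')}/api/packages?purl={quote(purl, safe='')}"


def http_fetch(url, timeout=10):
    """Real transport: one HTTP round trip per PURL."""
    req = Request(url, headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def vulnerability_ids(payload):
    """Extract vulnerability identifiers from one (assumed-shape) response.
    Only affected_by_vulnerabilities counts: fixing_vulnerabilities lists the
    issues this version resolves, not ones it carries."""
    ids = set()
    for pkg in payload.get("results", []):
        for vuln in pkg.get("affected_by_vulnerabilities", []):
            vid = vuln.get("vulnerability_id")
            if vid:
                ids.add(vid)
    return sorted(ids)


def lookup_purls(purls, base_url, fetch=http_fetch):
    """One request per distinct PURL, in BOM order. Returns
    {purl: [vulnerability ids]}; a failed lookup is recorded as None so it is
    reported as 'unknown' rather than silently treated as clean."""
    results = OrderedDict()
    for purl in purls:
        if purl in results:          # BOMs repeat components; never re-query
            continue
        try:
            results[purl] = vulnerability_ids(fetch(package_url(base_url, purl)))
        except Exception:            # network / HTTP / JSON error
            results[purl] = None
    return results


# --- constructed sample data so the example runs offline -------------------
SAMPLE_BOM = [
    "pkg:maven/org.example/widget@1.2.3",
    "pkg:npm/%40scope/lib@4.0.0",
    "pkg:maven/org.example/widget@1.2.3",   # duplicate entry
    "pkg:pypi/unreachable@0.1",             # server will fail for this one
]

SAMPLE_RESPONSES = {  # made-up bodies in the assumed response shape
    "pkg:maven/org.example/widget@1.2.3": {"results": [{
        "purl": "pkg:maven/org.example/widget@1.2.3",
        "affected_by_vulnerabilities": [{"vulnerability_id": "VCID-example-0001"},
                                        {"vulnerability_id": "VCID-example-0002"}],
        "fixing_vulnerabilities": [{"vulnerability_id": "VCID-example-0003"}]}]},
    "pkg:npm/%40scope/lib@4.0.0": {"results": []},
}


class FakeServer:
    """Stands in for the VulnerableCode web server and counts round trips."""
    def __init__(self):
        self.requests = 0

    def fetch(self, url):
        self.requests += 1
        purl = unquote(url.split("purl=", 1)[1])
        if purl not in SAMPLE_RESPONSES:
            raise ConnectionError(f"simulated server error for {purl}")
        return SAMPLE_RESPONSES[purl]


def demo():
    """Run the BOM through the fake server; returns (findings, request count)."""
    server = FakeServer()
    found = lookup_purls(SAMPLE_BOM, "https://vulnerablecode.example", fetch=server.fetch)
    return found, server.requests


if __name__ == "__main__":
    findings, count = demo()
    print(f"{count} requests for {len(SAMPLE_BOM)} BOM entries")
    for purl, ids in findings.items():
        print(purl, "->", "lookup failed" if ids is None else ids)
```

Swap `http_fetch` in for `FakeServer.fetch` to run against a real instance; the request count makes the cost of the missing batch endpoint concrete (one round trip per distinct component, so deduplicating the BOM before querying is the only saving available).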

sbs2001 commented 3 years ago

@stevespringett just curious, what is the difference between vulnerability intelligence and vulnerability aggregation ? I'm referring to the nice diagram you have at the README.

stevespringett commented 3 years ago

@sbs2001 Vulnerability intelligence refers to the source of information such as the NVD, OSS Index, or VulnDB.

Vulnerability aggregation and correlation is about combining vulnerability information from the things that I'm monitoring and from multiple different sources into a unified view of risk. So platforms like ThreadFix can all take input from different security tools and aggregate and correlate findings. For example, a static analysis scanner finds a vulnerability in code, and a dynamic analysis scanner finds the vulnerability by attacking the running application. These findings can be aggregated to a single platform and deduplicated. It's a common and best practice to centralize all security findings for the things that you build or monitor. Multiple vulnerability aggregation platforms integrate with Dependency-Track so that these platforms can include open source and third-party component risk.