Open stevespringett opened 4 years ago
VulnerableCode's API takes PURLs, but unfortunately no batch requests yet, see https://github.com/nexB/vulnerablecode/issues/284.
@stevespringett just curious, what is the difference between vulnerability intelligence and vulnerability aggregation? I'm referring to the nice diagram you have in the README.
@sbs2001 Vulnerability intelligence refers to the source of information such as the NVD, OSS Index, or VulnDB.
Vulnerability aggregation and correlation is about combining vulnerability information from the things that I'm monitoring and from multiple different sources into a unified view of risk. So platforms like ThreadFix can all take input from different security tools and aggregate and correlate findings. For example, a static analysis scanner finds a vulnerability in code, and a dynamic analysis scanner finds the vulnerability by attacking the running application. These findings can be aggregated to a single platform and deduplicated. It's a common and best practice to centralize all security findings for the things that you build or monitor. Multiple vulnerability aggregation platforms integrate with Dependency-Track so that these platforms can include open source and third-party component risk.
VulnerableCode may be able to serve as an additional source of vulnerability intelligence.
If an org uses VulnerableCode and has the webserver running, the API could be used by Dependency-Track during analysis.
SPIKE: Need to determine if PURL or CPE is supported in the API, and if not, what other pieces of data it needs. Also need to investigate the response to ensure the necessary fields are there to support it as a source.
https://github.com/nexB/vulnerablecode
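As an added example (not code from Dependency-Track or VulnerableCode), this sketches the per-PURL lookup discussed in the thread: because the API takes single PURLs and has no batch request yet, the client loops over the PURLs from an analysis run and merges the answers into one deduplicated finding list. The base URL, endpoint path, query parameter and response field names are assumptions; the HTTP call is injectable so the block runs offline against a constructed stub response.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# ASSUMED endpoint layout; verify against the running VulnerableCode instance.
BASE_URL = "http://vulnerablecode.example.invalid/api"


def http_fetch(url: str) -> dict:
    """Real fetcher: GET a URL and decode JSON (network; not used offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def query_one(purl: str, fetch: Callable[[str], dict]) -> List[Dict[str, str]]:
    """Look up ONE PURL (no batch endpoint) and normalise ids into findings."""
    url = f"{BASE_URL}/packages?purl={urllib.parse.quote(purl, safe='')}"
    doc = fetch(url)
    findings = []
    for pkg in doc.get("results", []):  # ASSUMED response shape
        for vuln in pkg.get("vulnerabilities", []):
            findings.append({"purl": purl,
                             "vulnerability_id": vuln.get("vulnerability_id", ""),
                             "source": "VulnerableCode"})
    return findings


def query_all(purls: List[str], fetch: Callable[[str], dict]) -> List[Dict[str, str]]:
    """Emulate a batch query with one request per PURL; dedupe on (purl, id)."""
    seen, out = set(), []
    for purl in purls:
        for finding in query_one(purl, fetch):
            key = (finding["purl"], finding["vulnerability_id"])
            if key not in seen:
                seen.add(key)
                out.append(finding)
    return out


# Constructed stub standing in for the server (ids are placeholders).
CONSTRUCTED_RESPONSES = {
    "pkg:maven/org.example/lib@1.0": {"results": [{"vulnerabilities": [
        {"vulnerability_id": "EXAMPLE-VULN-1"}, {"vulnerability_id": "EXAMPLE-VULN-1"}]}]},
    "pkg:npm/left-pad@1.3.0": {"results": []},
}


def stub_fetch(url: str) -> dict:
    """Offline fetcher: decode the purl query parameter and answer from the stub."""
    purl = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["purl"][0]
    return CONSTRUCTED_RESPONSES.get(purl, {"results": []})
```

Swap `stub_fetch` for `http_fetch` to hit a real instance; the loop is where a batch endpoint would later slot in.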