Closed fraxken closed 3 years ago
Yeah, they do use a specific database for vulnerabilities which is updated on a daily basis. The DB contains a lot of vulnerabilities on OS packages and language-specific packages. I found out that only a few sources, such as the GitHub Advisory Database and the GitLab Advisory Database, provide NPM-related vulnerabilities. Maybe we could do the same thing as we did for the SecurityWG strategy and fetch the repository as a DB. I might be able to try that.
There is a solution called "trivy" - https://github.com/aquasecurity/trivy
Could be cool to look at what is required and whether they use a specific database for vulnerabilities, and if there is a way to implement this solution as one of the new strategies for NodeSecure.