NodeSecure / vulnera

Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).
MIT License

Support National Vulnerability Database (NVD) #195

Open fraxken opened 10 months ago

fraxken commented 10 months ago

Add a new strategy to support NVD: https://nvd.nist.gov/

The API has a rate limit, but an API key can be requested here.

Maybe we need to somehow think about how to design this given the API (we can take inspiration from nodejs-dependency-vuln-assessments).

fabnguess commented 7 months ago

Hi @fraxken and @PierreDemailly . I'd like to make sure that I haven't misinterpreted this issue. Its purpose is to call the NIST vulnerability API for each package in the current project in order to detect any known vulnerabilities in them? Below, I present my attempted approach to this subject.

```js
// Optional NVD API key (raises the rate limit); the header name is "apiKey".
const headers = process.env.NVD_API_KEY ? { apiKey: process.env.NVD_API_KEY } : {};

async function getVulnerability(dependency) {
    const response = await fetch(
        `https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=${encodeURIComponent(dependency)}`,
        { headers }
    );
    return response.json();
}

// Minimal strategy object exposing the function above.
const strategy = { getVulnerability };

const vulnerability = await strategy.getVulnerability("@nodesecure/i18n");

console.log(vulnerability);
```
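As an added example (not vulnera's code and not part of fabnguess's comment), the sketch below shows the three pieces an NVD strategy needs beyond a raw fetch: building the CVE API 2.0 request with the `keywordSearch` parameter and the `apiKey` header, throttling to NVD's published limits (5 requests per rolling 30 s without a key, 50 with one), and normalizing the 2.0 response shape (`vulnerabilities[].cve` with `descriptions`, `metrics.cvssMetricV31`, `references`) into a flat record. The sample response is constructed and its CVE id is a placeholder; `fetchNvdVulnerabilities` needs network access and is not exercised offline.

```javascript
// Added example, not vulnera's own code. Assumes the NVD CVE API 2.0 query
// parameter "keywordSearch" and the "apiKey" request header.
const NVD_API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0";

// NVD's published limits: rolling 30 s window, 5 requests anonymous, 50 with a key.
const NVD_RATE_LIMIT = {
  anonymous: { requests: 5, windowMs: 30_000 },
  withKey: { requests: 50, windowMs: 30_000 }
};

function buildNvdRequest(keyword, apiKey = null) {
  const url = new URL(NVD_API_URL);
  url.searchParams.set("keywordSearch", keyword); // URL-encodes "@" and "/"
  const headers = { Accept: "application/json" };
  if (apiKey) headers.apiKey = apiKey;
  return { url: url.toString(), headers };
}

// Sliding-window limiter: delayFor() returns 0 and records the call when a slot
// is free, otherwise the number of ms until the oldest call leaves the window.
class SlidingWindowLimiter {
  constructor({ requests, windowMs }) {
    this.requests = requests;
    this.windowMs = windowMs;
    this.timestamps = [];
  }
  delayFor(now = Date.now()) {
    this.timestamps = this.timestamps.filter((t) => now - t < this.windowMs);
    if (this.timestamps.length < this.requests) {
      this.timestamps.push(now);
      return 0;
    }
    return this.timestamps[0] + this.windowMs - now;
  }
}

// Flatten one NVD 2.0 response into { id, severity, score, vector, ... } records.
// CVSS v3.x keeps baseSeverity inside cvssData; CVSS v2 keeps it on the metric entry.
function parseNvdResponse(body) {
  return (body.vulnerabilities ?? []).map(({ cve }) => {
    const metrics = cve.metrics ?? {};
    const entry = metrics.cvssMetricV31?.[0] ?? metrics.cvssMetricV30?.[0] ?? metrics.cvssMetricV2?.[0] ?? null;
    const cvss = entry?.cvssData ?? null;
    return {
      id: cve.id,
      published: cve.published ?? null,
      severity: cvss?.baseSeverity ?? entry?.baseSeverity ?? "UNKNOWN",
      score: cvss?.baseScore ?? null,
      vector: cvss?.vectorString ?? null,
      description: (cve.descriptions ?? []).find((d) => d.lang === "en")?.value ?? "",
      references: (cve.references ?? []).map((r) => r.url)
    };
  });
}

// Network path (Node 18+ global fetch); waits out the limiter before each call.
async function fetchNvdVulnerabilities(keyword, { apiKey = null, limiter } = {}) {
  const lim = limiter ?? new SlidingWindowLimiter(apiKey ? NVD_RATE_LIMIT.withKey : NVD_RATE_LIMIT.anonymous);
  let wait;
  while ((wait = lim.delayFor()) > 0) await new Promise((r) => setTimeout(r, wait));
  const { url, headers } = buildNvdRequest(keyword, apiKey);
  const response = await fetch(url, { headers });
  if (!response.ok) throw new Error(`NVD request failed: HTTP ${response.status}`);
  return parseNvdResponse(await response.json());
}

// Constructed sample in the NVD 2.0 shape; the CVE id is a placeholder, not a real entry.
const SAMPLE_NVD_RESPONSE = {
  resultsPerPage: 1, startIndex: 0, totalResults: 1, format: "NVD_CVE", version: "2.0",
  vulnerabilities: [{
    cve: {
      id: "CVE-0000-00000",
      published: "2024-01-01T00:00:00.000",
      vulnStatus: "Analyzed",
      descriptions: [{ lang: "en", value: "Constructed example: prototype pollution in a hypothetical package." }],
      metrics: { cvssMetricV31: [{ source: "nvd@nist.gov", type: "Primary", cvssData: {
        version: "3.1", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        baseScore: 9.8, baseSeverity: "CRITICAL" } }] },
      references: [{ url: "https://example.invalid/advisory" }]
    }
  }]
};

module.exports = { NVD_RATE_LIMIT, buildNvdRequest, SlidingWindowLimiter, parseNvdResponse, fetchNvdVulnerabilities, SAMPLE_NVD_RESPONSE };
```

The limiter is intentionally separate from the fetch so a strategy can share one instance across every dependency it looks up; without that, scanning a lock file with a few hundred packages trips the anonymous limit almost immediately.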
fraxken commented 7 months ago

@fabnguess I think you need to wait until I finish my own PR.

fabnguess commented 7 months ago

noted

fraxken commented 5 months ago

We need to work on the standalone API before dealing with that task (see #226).