Open pombredanne opened 2 weeks ago
@TG1999 @tdruez @keshav-space input welcomed!
The benefit is that a simple API call will return all the needed data, but there is no complex inlining or nesting of the data.
@pombredanne The new structure looks fine. I would suggest that we introduce a new endpoint for now instead of a full API v2.
Also, the vulnerabilities should be a mapping by VCID to make it easier on the client to consume the data.
We could get the vulnerabilities section this way then:
```yaml
vulnerabilities_by_id:
  VCID-18z2-2yw1-aaaj:
    vulnerability_id: VCID-18z2-2yw1-aaaj
    aliases:
      - CVE-2010-2263
    summary: Vulnerabilities with Windows file default stream
    severities: []
    weaknesses: []
    references:
      - url: https://nvd.nist.gov/vuln/detail/CVE-2010-2263
        reference_type:
        reference_id: CVE-2010-2263
  VCID-1dsf-ryt7-aaan:
    vulnerability_id: VCID-1dsf-ryt7-aaan
    aliases:
      - CVE-2000-0913
    summary: 'The Rewrite module, mod_rewrite, can allow access to any file on the web server.
      The vulnerability occurs only with certain specific cases of using regular expression
      references in RewriteRule directives: If the destination of a RewriteRule contains regular
      expression references then an attacker will be able to access any file on the server.'
    severities:
      - score: important
        scoring_system: apache_httpd
        scoring_elements:
        published_at:
        reference:
          url: https://httpd.apache.org/security/json/CVE-2000-0913.json
          reference_type:
          reference_id: CVE-2000-0913
    weaknesses: []
    references:
      - url: https://httpd.apache.org/security/json/CVE-2000-0913.json
        reference_type:
        reference_id: CVE-2000-0913
```
I've noticed that the weaknesses data is available in the /api/vulnerabilities/ details endpoint but not in the packages one. This is problematic for data collection through the API. Make sure to include it in this new endpoint implementation.
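As an added example (not VulnerableCode project code, and not part of any comment in this thread), here is what a client consuming the VCID-keyed `vulnerabilities_by_id` shape proposed above would do with it, together with a schema check that flags the missing `weaknesses` field raised in the previous comment. The sample payload is constructed from the two VCIDs quoted in the thread; the function names (`validate_vulnerabilities_by_id`, `index_by_alias`, `by_id_from_list`) are this example's own.

```python
# Added example, not VulnerableCode project code: a client-side consumer for the
# "vulnerabilities_by_id" response shape proposed above. The sample payload is
# constructed from the two VCIDs quoted in the thread; function names are
# this example's own and not part of any VulnerableCode API.
import json

# Constructed sample response, in JSON as an API client would receive it.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities_by_id": {
        "VCID-18z2-2yw1-aaaj": {
            "vulnerability_id": "VCID-18z2-2yw1-aaaj",
            "aliases": ["CVE-2010-2263"],
            "summary": "Vulnerabilities with Windows file default stream",
            "severities": [],
            "weaknesses": [],
            "references": [
                {"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2263",
                 "reference_type": None, "reference_id": "CVE-2010-2263"},
            ],
        },
        "VCID-1dsf-ryt7-aaan": {
            "vulnerability_id": "VCID-1dsf-ryt7-aaan",
            "aliases": ["CVE-2000-0913"],
            "summary": "The Rewrite module, mod_rewrite, can allow access to any file on the web server.",
            "severities": [
                {"score": "important", "scoring_system": "apache_httpd",
                 "scoring_elements": None, "published_at": None,
                 "reference": {"url": "https://httpd.apache.org/security/json/CVE-2000-0913.json",
                               "reference_type": None, "reference_id": "CVE-2000-0913"}},
            ],
            "weaknesses": [],
            "references": [
                {"url": "https://httpd.apache.org/security/json/CVE-2000-0913.json",
                 "reference_type": None, "reference_id": "CVE-2000-0913"},
            ],
        },
    }
})

# Fields a consumer relies on. "weaknesses" is required explicitly because the
# thread notes it is present on /api/vulnerabilities/ but absent from packages/.
REQUIRED_FIELDS = ("vulnerability_id", "aliases", "summary",
                   "severities", "weaknesses", "references")
LIST_FIELDS = ("aliases", "severities", "weaknesses", "references")


def load_sample():
    """Parse the constructed sample response into a dict."""
    return json.loads(SAMPLE_RESPONSE)


def validate_vulnerabilities_by_id(payload):
    """Return a list of problems found in payload["vulnerabilities_by_id"].

    Checks that every entry carries the required fields, that the mapping key
    equals the entry's own vulnerability_id, and that list-valued fields are
    lists ("no data" is an empty list, never a missing key).
    """
    problems = []
    section = payload.get("vulnerabilities_by_id")
    if not isinstance(section, dict):
        return ["vulnerabilities_by_id is missing or not a mapping"]
    for vcid, entry in section.items():
        for field in REQUIRED_FIELDS:
            if field not in entry:
                problems.append(f"{vcid}: missing field {field!r}")
        if entry.get("vulnerability_id") != vcid:
            problems.append(f"{vcid}: key does not match vulnerability_id "
                            f"{entry.get('vulnerability_id')!r}")
        for field in LIST_FIELDS:
            if field in entry and not isinstance(entry[field], list):
                problems.append(f"{vcid}: field {field!r} should be a list")
    return problems


def index_by_alias(payload):
    """Build the reverse index alias -> VCID so a client can look up by CVE id."""
    index = {}
    for vcid, entry in payload["vulnerabilities_by_id"].items():
        for alias in entry.get("aliases", []):
            index[alias] = vcid
    return index


def by_id_from_list(vulnerabilities):
    """Convert a list-shaped 'vulnerabilities' section into the proposed mapping.

    This is the work a client has to do itself against a list-shaped response;
    duplicate ids raise instead of silently overwriting an earlier entry.
    """
    by_id = {}
    for entry in vulnerabilities:
        vcid = entry["vulnerability_id"]
        if vcid in by_id:
            raise ValueError(f"duplicate vulnerability_id {vcid!r}")
        by_id[vcid] = entry
    return {"vulnerabilities_by_id": by_id}


if __name__ == "__main__":
    payload = load_sample()
    print("problems:", validate_vulnerabilities_by_id(payload))
    print("CVE-2000-0913 ->", index_by_alias(payload)["CVE-2000-0913"])
```

The validator treats a missing `weaknesses` key as an error rather than defaulting it to an empty list, so a client collecting data through the API notices when an endpoint omits the field instead of silently recording "no weaknesses".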
I suggest we simplify and evolve the API to a version 2 that would return this data shape, when querying the packages/ endpoint for one or more PURLs.
We would enable filters based on PURL components and whole PURLs, as well as "affected by" or "fixing" VCID. This would replace all the packages/ endpoints, and would privilege the primary use case: lookup by PURL.
When querying the vulnerabilities/ endpoint for one or more VCID, we would return the "vulnerabilities" section above. We could enable a filter based on an exact alias value, like a CPE or keep it as a separate endpoint. This would otherwise replace all endpoints on vulnerabilities/ as the main endpoint is packages/