aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

RFC: Improve API with a new V2 for packages #1572

Open pombredanne opened 2 weeks ago

pombredanne commented 2 weeks ago

I suggest we simplify and evolve the API to a version 2 that would return this data shape, when querying the packages/ endpoint for one or more PURLs.

We would enable filters based on PURL components and whole PURLs, as well as "affected by" or "fixing" VCID. This would replace all the packages/ endpoints, and would privilege the primary use case: lookup by PURL.

purls:
    - purl: pkg:apache/httpd@1.3.0
      affected_by_vulnerabilities:
        - VCID-2spt-jvsb-aaak
        - VCID-je6z-ydc6-aaap
        - VCID-z4hk-71j3-aaar
      fixing_vulnerabilities: []
      next_non_vulnerable_purl: 
      latest_non_vulnerable_purl: 

    - purl: pkg:apache/httpd@1.3.1
      affected_by_vulnerabilities:
        - VCID-2spt-jvsb-aaak
        - VCID-2wjk-ntty-aaab
        - VCID-9qha-2aq6-aaap
      fixing_vulnerabilities:
        - VCID-2spt-jvsb-aaak
        - VCID-2wjk-ntty-aaab
      next_non_vulnerable_purl: 
      latest_non_vulnerable_purl: 

vulnerabilities:
  - vulnerability_id: VCID-18z2-2yw1-aaaj
    aliases:
      - CVE-2010-2263
    summary: Vulnerabilities with Windows file default stream
    severities: []
    weaknesses: []
    references:
      - url: https://nvd.nist.gov/vuln/detail/CVE-2010-2263
        reference_type:
        reference_id: CVE-2010-2263

  - vulnerability_id: VCID-1dsf-ryt7-aaan
    aliases:
      - CVE-2000-0913
    summary: 'The Rewrite module, mod_rewrite, can allow access to any file on the web server. The
      vulnerability occurs only with certain specific cases of using regular expression references
      in RewriteRule directives: If the destination of a RewriteRule contains regular expression
      references then an attacker will be able to access any file on the server.'
    severities:
      - score: important
        scoring_system: apache_httpd
        scoring_elements:
        published_at:
        reference:
          url: https://httpd.apache.org/security/json/CVE-2000-0913.json
          reference_type:
          reference_id: CVE-2000-0913
    weaknesses: []
    references:
      - url: https://httpd.apache.org/security/json/CVE-2000-0913.json
        reference_type:
        reference_id: CVE-2000-0913

When querying the vulnerabilities/ endpoint for one or more VCIDs, we would return the "vulnerabilities" section above. We could enable a filter based on an exact alias value, like a CPE, or keep it as a separate endpoint. This would otherwise replace all endpoints on vulnerabilities/, as the main endpoint is packages/.

pombredanne commented 2 weeks ago

@TG1999 @tdruez @keshav-space input welcomed!

pombredanne commented 2 weeks ago

The benefit is that a simple API call will return all the needed data, but there is no complex inlining or nesting of the data.

tdruez commented 2 weeks ago

@pombredanne The new structure looks fine. I would suggest that we introduce a new endpoint for now instead of a full API v2. Also, the vulnerabilities should be a mapping by VCID to make it easier on the client to consume the data.

pombredanne commented 1 week ago

We could get the vulnerabilities section this way then:

vulnerabilities_by_id:
  VCID-18z2-2yw1-aaaj:
    vulnerability_id: VCID-18z2-2yw1-aaaj
    aliases:
      - CVE-2010-2263
    summary: Vulnerabilities with Windows file default stream
    severities: []
    weaknesses: []
    references:
      - url: https://nvd.nist.gov/vuln/detail/CVE-2010-2263
        reference_type:
        reference_id: CVE-2010-2263
  VCID-1dsf-ryt7-aaan:
    vulnerability_id: VCID-1dsf-ryt7-aaan
    aliases:
      - CVE-2000-0913
    summary: 'The Rewrite module, mod_rewrite, can allow access to any file on the web server.
      The vulnerability occurs only with certain specific cases of using regular expression
      references in RewriteRule directives: If the destination of a RewriteRule contains regular
      expression references then an attacker will be able to access any file on the server.'
    severities:
      - score: important
        scoring_system: apache_httpd
        scoring_elements:
        published_at:
        reference:
          url: https://httpd.apache.org/security/json/CVE-2000-0913.json
          reference_type:
          reference_id: CVE-2000-0913
    weaknesses: []
    references:
      - url: https://httpd.apache.org/security/json/CVE-2000-0913.json
        reference_type:
        reference_id: CVE-2000-0913

tdruez commented 1 week ago

I've noticed that the weaknesses data is available in the /api/vulnerabilities/ details endpoint but not in the packages one. This is problematic for data collection through the API. Make sure to include it in this new endpoint implementation.
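
As an added example (not code from this thread or from the vulnerablecode project), here is a small client-side consumer of the proposed packages/ V2 shape with vulnerabilities keyed by VCID: it joins each PURL's affected-by list to the mapping, collects the aliases, and flags a VCID that has no record in the mapping or whose record lacks the weaknesses field. The response is constructed inline from the VCIDs and aliases quoted in the thread; the package-to-VCID links and the missing weaknesses key are made up for the demonstration.

```python
from dataclasses import dataclass

# Constructed response in the proposed V2 shape (not real API output): VCIDs and aliases
# are those quoted in the thread, the package/VCID links are made up, and the second
# record deliberately has no "weaknesses" key so the check below has something to report.
SAMPLE_RESPONSE = {
    "purls": [
        {"purl": "pkg:apache/httpd@1.3.0",
         "affected_by_vulnerabilities": ["VCID-18z2-2yw1-aaaj", "VCID-1dsf-ryt7-aaan"],
         "fixing_vulnerabilities": []},
        {"purl": "pkg:apache/httpd@1.3.1",
         "affected_by_vulnerabilities": ["VCID-1dsf-ryt7-aaan", "VCID-2spt-jvsb-aaak"],
         "fixing_vulnerabilities": ["VCID-1dsf-ryt7-aaan"]},
    ],
    "vulnerabilities_by_id": {
        "VCID-18z2-2yw1-aaaj": {"vulnerability_id": "VCID-18z2-2yw1-aaaj",
                                "aliases": ["CVE-2010-2263"], "weaknesses": []},
        "VCID-1dsf-ryt7-aaan": {"vulnerability_id": "VCID-1dsf-ryt7-aaan",
                                "aliases": ["CVE-2000-0913"],
                                "severities": [{"score": "important",
                                                "scoring_system": "apache_httpd"}]},
    },
}


@dataclass
class PackageReport:
    purl: str
    aliases: dict             # VCID -> aliases (CVE ids) for every affected-by VCID found
    overlap: list             # VCIDs listed under both affected_by and fixing
    missing_weaknesses: list  # VCIDs whose record carries no "weaknesses" field
    dangling: list            # VCIDs referenced by the package but absent from the mapping


def summarize(response):
    # One pass: join each PURL entry to the vulnerabilities_by_id mapping.
    by_id = response.get("vulnerabilities_by_id", {})
    reports = []
    for entry in response["purls"]:
        fixing = set(entry.get("fixing_vulnerabilities", []))
        report = PackageReport(entry["purl"], {}, [], [], [])
        for vcid in entry.get("affected_by_vulnerabilities", []):
            record = by_id.get(vcid)
            if record is None:              # the mapping should be self-contained
                report.dangling.append(vcid)
                continue
            report.aliases[vcid] = list(record.get("aliases", []))
            if vcid in fixing:
                report.overlap.append(vcid)
            if "weaknesses" not in record:  # the gap noted above for data collection
                report.missing_weaknesses.append(vcid)
        reports.append(report)
    return reports
```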