aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Add support for Microsoft vulnerabilities and CVRF #41

Open pombredanne opened 5 years ago

pombredanne commented 5 years ago

MSFT releases their vulnerabilities using this CVRF format https://www.icasi.org/cvrf/

See https://github.com/Microsoft/MSRC-Microsoft-Security-Updates-API for details

@mschiffm https://github.com/mschiffm/cvrfparse is a library to likely handle this alright

pombredanne commented 5 years ago

See also the updated pointers for CVRF in https://github.com/nexB/vulnerablecode/issues/62#issuecomment-535420939

sbs2001 commented 4 years ago

These are closed source vulnerabilities, isn't that out of scope of vulnerablecode?

haikoschol commented 4 years ago

Microsoft ships quite a bit of OSS code these days. Having said that, I don't know whether this feed makes sense for VulnerableCode. Someone needs to do the research on it. :)

sbs2001 commented 4 years ago

The data from the CVRF is basically https://portal.msrc.microsoft.com/en-us/security-guidance , majority of the vulnerabilities are of closed source Microsoft products like IE, Paint, Windows etc. The only value these have is about .NET vulnerabilities.

pombredanne commented 1 year ago

There is value in these after all. See https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41032 It has unique information on affected NuGet versions that are not available elsewhere.
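The kind of extraction an importer for this feed would need, as an added example that is not code from the VulnerableCode project or from the cvrfparse library linked above: it reads a CVRF 1.1 document and maps each CVE to the product names listed under each product status. The XML is a constructed minimal sample in the CVRF 1.1 schema; its product names and CVE ID are placeholders.

```python
# Added example, not VulnerableCode's own importer: map each CVE in a CVRF 1.1
# document (the format of the MSRC feed) to its product statuses. The XML
# is a constructed minimal sample; its product names and CVE ID are placeholders.
import xml.etree.ElementTree as ET

NS = {"prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}

SAMPLE_CVRF = """<?xml version="1.0" encoding="utf-8"?>
<cvrf:cvrfdoc xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
              xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
              xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <prod:ProductTree>
    <prod:FullProductName ProductID="1">Example.Library 1.0.0 (NuGet)</prod:FullProductName>
    <prod:FullProductName ProductID="2">Example.Library 1.1.0 (NuGet)</prod:FullProductName>
    <prod:FullProductName ProductID="3">Example Desktop App</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:CVE>CVE-0000-00001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>1</vuln:ProductID>
        <vuln:ProductID>3</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>
"""

def parse_cvrf(xml_text):
    """Return {cve: {status_type: [product names]}} for every Vulnerability."""
    # Use defusedxml.ElementTree instead when the document comes from the network.
    root = ET.fromstring(xml_text)
    # ProductTree maps opaque ProductIDs to human-readable names.
    products = {el.get("ProductID"): (el.text or "").strip()
                for el in root.iterfind(".//prod:FullProductName", NS)}
    result = {}
    for vulnerability in root.iterfind("vuln:Vulnerability", NS):
        cve = (vulnerability.findtext("vuln:CVE", "", NS) or "").strip()
        statuses = {}
        for status in vulnerability.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            ids = [pid.text.strip() for pid in status.iterfind("vuln:ProductID", NS)]
            # Unknown ProductIDs are kept verbatim so a broken feed is noticeable.
            statuses[status.get("Type")] = [products.get(i, i) for i in ids]
        result[cve] = statuses
    return result
```

Filtering the product names for NuGet entries, or splitting them into package name and version, is the step left to an actual importer; the real MSRC feed carries many Vulnerability elements per monthly document.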