List CVE entries for distributions

cpants / www-cpants

cpants tools

Other

21 stars 6 forks source link

List CVE entries for distributions #100

Closed FROGGS closed 1 year ago

FROGGS commented 6 years ago

Would it be possible to list CVEs for the given package and version? This way one could query this information and evaluate that when running CI tests.

I can imagine that this would not be an easy task, for at least these reasons:

There might not be an easy way to find the correct vendor/product in the CVE database.
The CVE scan needs to happen regularly after the release of the package has happened.

charsbar commented 6 years ago

It might be nice, and I suppose it's at least possible because nvd.nist.gov has several vulnerability feeds. However, I'm not sure if it's really worth implementing because I'm afraid it would be fairly rare for CPAN distributions to have their own CVEs. (https://www.cvedetails.com/google-search-results.php?q=cpan shows only 155 results as of this writing.)

reneeb commented 6 years ago

This might be easier now as https://metacpan.org/pod/CPAN::Audit exists.

charsbar commented 1 year ago

Thanks. Done with the help of CPAN::Audit. cf https://cpants.cpanauthors.org/release/BINGOS/Archive-Tar-2.22