dependabot / elixir-security-advisories

Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir.

Possible collaboration on BEAM advisory repo #21

Closed voltone closed 2 years ago

voltone commented 4 years ago

Within the Security WG of the Erlang Ecosystem Foundation there has been some discussion around the need for a BEAM security advisory repository. This repo seems to serve a similar goal, though the name suggests it is limited to Elixir-related advisories.

Would you be interested in discussing possible collaboration to establish such a repository?

Some of the goals I would like to consider include:

greysteil commented 4 years ago

@voltone very happy to collaborate. I started this repo because there wasn't a community database for Hex packages and I needed one to power Dependabot's security features. Since Dependabot has been acquired (by GitHub) I can only do minimal maintenance on the repo, and one of my intentions at GitHub is to build out the GitHub Advisory Database to fully replace it (we'll need Elixir support there for a start).

Cc @infin8x (the GitHub PM responsible for the Advisory DB).

greysteil commented 4 years ago

Happy to make pragmatic changes to the format on this DB in the short term, to add additional maintainers, etc.

voltone commented 4 years ago

Thanks @greysteil, having Elixir (and Erlang!) support in the GitHub Advisory DB would be great, of course.

Are you aware of any (public or private) tools that currently rely on this repo? I believe sobelow still uses a hardcoded list of known vulnerabilities.

How can we bring you into the discussion over at the EEF Security WG mailing list? I sent you a message on Keybase, would that work?

jeffwidman commented 2 years ago

The GitHub Advisory DB now supports Hex: https://github.blog/2022-06-27-github-advisory-database-now-supports-erlang-and-elixir-packages/

I'm not very familiar with the BEAM ecosystem, but at first glance it seems that this resolves the general spirit of this issue.

As an aside, the purl-related footnote is a much broader conversation. It's something that is very much on the radar of the broader supply chain org at GitHub, but it has both pros and cons, so there's no real consensus on things yet.