Open hohwille opened 3 weeks ago
I was doing some more research and got the impression that the official CVE-DB is designed like a "blockchain": some large monolithic monster designed to only grow and grow.
There seems to be no existing (free) service to get only the CVEs for a dedicated tool (by CPE).
Since the CVE-DB is very big and we only need less than 1% of that data, it seems wasteful to make every one of our users download that DB and keep it up to date.
I would still like someone to take this story and do an analysis. But if that confirms my concerns, we should stay with the initial approach: we should add ALL CVEs of a tool to its security.json file then. The user/project could configure some priority threshold for the warnings of these CVEs he gets at runtime when using IDEasy.
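To make the threshold idea concrete, here is an added sketch (not IDEasy code, and not its real security.json schema) of how a per-tool security.json with a configurable CVSS threshold could be evaluated against a «tool»+«edition»+«version» triple. The JSON layout, the version-range syntax and the CVE ids (CVE-0000-000x) are constructed placeholders for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of a per-tool security.json (assumed format, not IDEasy's
# actual schema). CVE ids and scores are placeholders, not real advisories.
SECURITY_JSON = """
{
  "tool": "mvn",
  "edition": "mvn",
  "cves": [
    {"id": "CVE-0000-0001", "cvss": 9.8, "versions": [">=3.0.0", "<3.8.4"]},
    {"id": "CVE-0000-0002", "cvss": 5.3, "versions": [">=3.6.0", "<3.9.1"]},
    {"id": "CVE-0000-0003", "cvss": 7.5, "versions": ["<3.5.0"]}
  ]
}
"""

# Comparison operators for a single constraint like ">=3.0.0"; two-character
# operators must be tested before the one-character ones.
OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def version_matches(version: Tuple[int, ...], constraints: List[str]) -> bool:
    """A CVE applies only if the version satisfies every range constraint."""
    for c in constraints:
        for op in OPS:  # dict order keeps ">=" ahead of ">"
            if c.startswith(op):
                if not OPS[op](version, parse_version(c[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unknown constraint: {c}")
    return True


def affected_cves(security_json: str, tool: str, edition: str,
                  version: str, threshold: float) -> List[str]:
    """CVE ids for this tool/edition/version with CVSS at or above threshold."""
    data: Dict = json.loads(security_json)
    if data["tool"] != tool or data["edition"] != edition:
        return []
    v = parse_version(version)
    return sorted(c["id"] for c in data["cves"]
                  if c["cvss"] >= threshold and version_matches(v, c["versions"]))
```

A project-level threshold of 7.0 would keep only the high-severity entries, while 0.0 reports every matching CVE before an installation is confirmed.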
With story #103 we want to have security checking to warn users before a tool installation, as well as after it, if a tool with critical CVEs is used/installed; if detected before installation, the user shall be asked for confirmation.
We already implemented a lot of this with PR #119 and then created story #190 with some concerns and improvements. In the end we came to discussions that questioned the entire approach.
With this story we want to do a PoC/MVP on an alternative approach:
We implement a direct check of a tool with «tool»+«edition»+«version». That most probably needs additional information that PR #119 added to URLUpdaters but would then be needed directly in ToolCommandlet.
. Example from maven:org.owasp:dependency-check-core
) that we need to implement this CVE check. If that happens inside IDEasy we must ensure that the CVE-DB is reused across multiple projects. Either the tool already creates this in a hidden folder of the user's home directory or we can specify a directory so the data would be written somewhere in IDE_ROOT.
Things to analyze: