drpaneas / goguard

Protect Go repos from CVE threats
GNU General Public License v3.0

Enhance URL Configuration for NVD API Endpoint #1

Open Mangaal opened 3 months ago

Mangaal commented 3 months ago

Description:

The goguard project currently encounters an error when trying to check for vulnerabilities using the NVD API. The API endpoint URL is hardcoded to use version 1.0, which is no longer functional. The NVD API has been updated to version 2.0, and we need to adapt the project accordingly. I propose enhancing the project by allowing the API endpoint URL to be set via an environment variable. This change will make the project more flexible.

Current Behavior:

When running goguard with the command:

    ./goguard cve https://github.com/user/repo CVE-2021-4238

The following error occurs:

    Error: error decoding response: invalid character '<' looking for beginning of valueCVE ID not found in NVD database

The error is caused by the NVD API URL being hardcoded, which leads to issues when the API changes.

Proposed Solution:

Modify the code to allow the NVD API URL to be set via an environment variable. If the environment variable is not set, fall back to the default URL. This will involve changing the function checkIfCVExists to read the URL from an environment variable.

Reference to NVD API Changes:

According to the NVD API documentation, the API endpoints and data formats are subject to change. It is crucial to have a flexible configuration to accommodate these changes without requiring code modifications.
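
One way to implement the environment-variable override proposed above, as an added Go example rather than goguard's own code: `NVD_API_URL`, `nvdQueryURL` and `decodeNVD` are assumed names, and the default is the public NVD CVE API 2.0 endpoint. It accepts only https overrides and checks status and content type before decoding, so an HTML reply produces a clear error instead of `invalid character '<'`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/url"
	"os"
)

// Public NVD CVE API 2.0 endpoint, used when NVD_API_URL (assumed name) is unset.
const defaultNVDURL = "https://services.nvd.nist.gov/rest/json/cves/2.0"

// nvdQueryURL resolves the endpoint from the environment; only https overrides are accepted.
func nvdQueryURL(cveID string) (string, error) {
	base := os.Getenv("NVD_API_URL")
	if base == "" {
		base = defaultNVDURL
	}
	u, err := url.Parse(base)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("NVD_API_URL %q is not a valid https URL", base)
	}
	q := u.Query()
	q.Set("cveId", cveID)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// decodeNVD rejects non-200 or non-JSON replies before decoding the totalResults field.
func decodeNVD(resp *http.Response) (int, error) {
	defer resp.Body.Close()
	mt, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if resp.StatusCode != http.StatusOK || mt != "application/json" {
		return 0, fmt.Errorf("unexpected NVD reply: status %d, content type %q", resp.StatusCode, mt)
	}
	var body struct {
		TotalResults int `json:"totalResults"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return 0, fmt.Errorf("decoding NVD response: %w", err)
	}
	return body.TotalResults, nil
}

func main() {
	fmt.Println(nvdQueryURL("CVE-2021-4238")) // builds the URL only, no network call
}
```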

drpaneas commented 3 months ago

Hello @Mangaal, thanks for the report. I am not actively working on it atm, so if you are in a hurry for this, I would gladly review your PR. The proposed solution sounds good to me and it's a very easy fix ;)

Mangaal commented 3 months ago

Thanks, @drpaneas, I will try to push a PR.