fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

CPEtoPURL heuristics for Maven and PyPI #47

Closed elanzini closed 3 years ago

elanzini commented 3 years ago

The PurlMapper class handles the logic of this component. There are 3 maps kept cached that support the process:

  1. mavenMap: repo_url -> purl, extracted from the pom.xml of the entire Maven ecosystem
  2. pypiMap: repo_url -> purl, extracted from the PyPI JSON API of the entire PyPI ecosystem
  3. cpeMap: cpe_base -> repo_url, extracted from the NVD CPE dictionary

This allows us to guess in two cases:

  1. We know the base_repo of the vulnerability and we can find it in the maps
  2. We know the CPEs of the vulnerability and we can find an intersection between cpeMap & (pypiMap | mavenMap)

A special treatment is given to the Apache projects, which are heuristically assumed to follow this rule of thumb: org.apache.<project>:<project>.
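The lookup logic described above, as an added example that is not the project's PurlMapper: three constructed maps, the two guessing cases, and the Apache rule of thumb. It assumes that cpe_base means the part:vendor:product prefix of a CPE 2.3 string and that Maven coordinates are rendered as pkg:maven/<group>/<artifact>; the sample entries are constructed, not taken from the real maps.

```python
from typing import Iterable, Optional

# Constructed sample data standing in for the three cached maps.
MAVEN_MAP = {  # repo_url -> purl (from Maven pom.xml files)
    "https://github.com/example/foo-lib": "pkg:maven/org.example/foo-lib",
}
PYPI_MAP = {  # repo_url -> purl (from the PyPI JSON API)
    "https://github.com/example/bar": "pkg:pypi/bar",
}
CPE_MAP = {  # cpe_base -> repo_url (from the NVD CPE dictionary)
    "cpe:2.3:a:example:foo-lib": "https://github.com/example/foo-lib",
    "cpe:2.3:a:example:bar": "https://github.com/example/bar",
}


def cpe_base(cpe: str) -> str:
    """Assumed cpe_base: keep 'cpe:2.3:<part>:<vendor>:<product>', drop version and later fields."""
    return ":".join(cpe.split(":")[:5])


def purl_from_repo(repo_url: str) -> Optional[str]:
    """Case 1: the base repo is known and present in (pypiMap | mavenMap)."""
    return MAVEN_MAP.get(repo_url) or PYPI_MAP.get(repo_url)


def purl_from_cpes(cpes: Iterable[str]) -> Optional[str]:
    """Case 2: intersect cpeMap with the ecosystem maps through the shared repo_url key."""
    for cpe in cpes:
        repo_url = CPE_MAP.get(cpe_base(cpe))
        purl = purl_from_repo(repo_url) if repo_url else None
        if purl:
            return purl
    return None


def apache_purl(cpe: str) -> Optional[str]:
    """Rule of thumb for vendor 'apache': org.apache.<project>:<project> (purl form assumed)."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[3] != "apache":
        return None
    return f"pkg:maven/org.apache.{parts[4]}/{parts[4]}"


def map_vulnerability(repo_url: Optional[str] = None, cpes: Iterable[str] = ()) -> Optional[str]:
    """Try case 1, then case 2, then the Apache heuristic; None if nothing matches."""
    cpes = list(cpes)
    purl = purl_from_repo(repo_url) if repo_url else None
    purl = purl or purl_from_cpes(cpes)
    purl = purl or next((p for p in map(apache_purl, cpes) if p), None)
    return purl
```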