intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

GSoC 2022 Idea: Add new datasources for vulnerabilities #1608

Closed anthonyharrison closed 2 years ago

anthonyharrison commented 2 years ago

See GSoC 2022 Start here and GSoC 2022 Ideas

Currently the cve-bin-tool uses the NVD database as its only source of vulnerabilities. However, not all vulnerabilities are captured in the NVD, and there are other sources which may also be useful in understanding the vulnerability status of a product. One such source is https://osv.dev, although there are many more available.

This project would:

It is likely that the same vulnerability will be reported in multiple data sources; it is therefore desirable to minimise duplicated reports.

A 175hr project could choose 1 source and work on that. For a 350hr project, I'd definitely want to see an additional source and/or enhanced reporting to ensure that duplicate reports from multiple data sources are minimised.

Hours

175 or 350, scaled depending on how many data sources are considered and whether you want to add enhanced reporting to reduce duplicated reporting of vulnerabilities

Difficulty level

beginner to intermediate

Recommended skills

databases, experience in using published APIs, json
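An added example (not cve-bin-tool's code and not part of this issue) of the de-duplication the proposal asks for: records from two sources are mapped onto one shape and collapsed on the CVE id, with the OSV-style record's "aliases" list supplying the CVE id. The NVD and OSV field names below are constructed approximations, not the real schemas.

```python
# Constructed sample: an NVD-style feed, keyed directly by CVE id.
NVD_SAMPLE = [
    {"cve_id": "CVE-2021-0001", "product": "libpng", "version": "1.6.36", "severity": "HIGH"},
    {"cve_id": "CVE-2021-0002", "product": "expat", "version": "2.2.9", "severity": "MEDIUM"},
]

# Constructed sample: an OSV-style feed. Ids are source-specific; the CVE id,
# when known, is listed under "aliases" (a real OSV field; the rest is assumed).
OSV_SAMPLE = [
    {"id": "GHSA-xxxx-yyyy-zzzz", "aliases": ["CVE-2021-0001"],
     "product": "libpng", "version": "1.6.36", "severity": "HIGH"},
    {"id": "OSV-2022-0003", "aliases": [],
     "product": "zlib", "version": "1.2.11", "severity": "LOW"},
]


def normalise(source, record):
    """Map a source-specific record onto one common shape.

    The canonical key is the CVE id when the source provides one (directly
    or as an alias); otherwise the source's own id is kept, so a finding that
    only one source knows about is still reported rather than dropped.
    """
    if source == "nvd":
        key, aliases = record["cve_id"], set()
    elif source == "osv":
        cves = [a for a in record.get("aliases", []) if a.startswith("CVE-")]
        key = cves[0] if cves else record["id"]
        aliases = set(record.get("aliases", [])) | {record["id"]}
    else:
        raise ValueError(f"unknown source {source!r}")
    return {"id": key, "aliases": aliases - {key}, "product": record["product"],
            "version": record["version"], "severity": record["severity"],
            "sources": {source}}


def merge_sources(feeds):
    """Merge (source_name, records) pairs; duplicates collapse on the canonical id.

    Every source that reported the vulnerability is retained under "sources",
    so a report can still show where each finding came from.
    """
    merged = {}
    for source, records in feeds:
        for rec in records:
            n = normalise(source, rec)
            if n["id"] in merged:
                merged[n["id"]]["sources"].update(n["sources"])
                merged[n["id"]]["aliases"].update(n["aliases"])
            else:
                merged[n["id"]] = n
    return sorted(merged.values(), key=lambda r: r["id"])
```

With the samples above, the four input records collapse to three findings, and CVE-2021-0001 is reported once with both sources attached.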

anthonyharrison commented 2 years ago

Hello @xiongnemo, this project is loosely reserved for a paid contributor to be selected through the GSoC 2022 process (open to anyone over 18 who's willing to put in either 175 or 350 hours of paid work through the program). If you wish to work on this idea, please apply through the GSoC program.

Discussion and ideas are fine, but pull requests with actual code are discouraged because we don't want to interfere with applicants who might want to do this idea. There are 100 other issues available, so please feel free to solve ones not flagged for gsoc participants!

rhythmrx9 commented 2 years ago

@anthonyharrison I was working on a proposal for this project, but cannot find similar suitable databases like OSV. Could you please suggest some more databases that I should consider taking a look at? Thanks.

anthonyharrison commented 2 years ago

@rhythmrx9 You could look at GitHub Advisories and Red Hat advisories (and other vendors, e.g. Debian), which I think are free to access. There are also some sources which require registration, e.g. Microsoft or Sonatype OSS Index, in order to get access.

The key is to try and enhance the reporting without duplicating the reporting of the same vulnerability.

terriko commented 2 years ago

Done as part of GSoC 2022, thanks @rhythmrx9 !