Get the vulnerable dependencies of a given package name and version (Maven coordinate)
-- Purpose: list the distinct package names that are marked vulnerable
-- (metadata ? 'vulnerabilities') and that appear as a dependency_id in
-- `dependencies`, intended to be scoped to one Maven coordinate/version.
--
-- NOTE(review): `dep` is only constrained by `dep.dependency_id = vulid`;
-- nothing joins `dep` to `ver1`/`pac1`, so the package_name/version filters
-- below never narrow which dependency rows are considered and the result is
-- effectively every vulnerable package that is *anyone's* dependency. A join
-- from `dep` to `ver1` (the dependencies column that references the dependent
-- package_versions row -- confirm its name against the schema) is needed.
-- NOTE(review): `pac1.id = ver1.id` compares a packages.id with a
-- package_versions.id; presumably the foreign key from ver1 to packages was
-- meant -- confirm.
-- NOTE(review): the coordinate and version are inlined literals; if this
-- query is driven by caller-supplied values, pass them as bind parameters
-- rather than interpolating them into the SQL text.
SELECT DISTINCT pac2.package_name AS vulnerable_dep
FROM dependencies AS dep,
packages AS pac1,
packages AS pac2,
package_versions AS ver1,
-- Sub-query: package ids whose metadata has a 'vulnerabilities' key
-- (PostgreSQL `?` key-existence operator). `metadata` is unqualified;
-- presumably it is the package_versions column -- confirm.
( SELECT package_id as vulid
FROM package_versions,packages
WHERE package_versions.package_id = packages.id AND metadata ? 'vulnerabilities'
) AS vul
WHERE
pac1.id = ver1.id AND
pac1.package_name = 'ai.tock:tock-translator-noop' AND
ver1.version = '0.8.0' AND
dep.dependency_id = vulid AND
vulid = pac2.id;
The following Python program produced the set of vulnerable FASTEN URIs from the CVE statement files in /mnt/fasten/vuln/consumer/lima-statements/. The results are in src/main/resources/VulnerableUris.txt.
import json
import os
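v_dir = '/mnt/fasten/vuln/consumer/lima-statements/'
o_path = '/home/nmook/output.txt'


def collect_vulnerable_uris(vuln_dir, out_path):
    """Append every vulnerable FASTEN URI found under *vuln_dir* to *out_path*.

    Each regular file in *vuln_dir* is parsed as JSON; when its
    ``vulnerable_fasten_uris`` entry is a non-empty list, each URI is written
    to *out_path* on its own line. The output is opened in append mode, so
    existing content is preserved.

    Args:
        vuln_dir: Directory holding one JSON statement file per CVE.
        out_path: Path of the text file to append URIs to.

    Returns:
        The number of URIs written.

    Raises:
        json.JSONDecodeError: if a file in *vuln_dir* is not valid JSON.
        OSError: if the directory or the output file cannot be accessed.
    """
    written = 0
    # Open the output once instead of once per input file, and let `with`
    # close both handles even when json.load raises.
    with open(out_path, 'a', encoding='utf-8') as o_file:
        # sorted() makes the output order independent of directory listing order.
        for v_filename in sorted(os.listdir(vuln_dir)):
            v_filepath = os.path.join(vuln_dir, v_filename)
            # A sub-directory would make open()/json.load fail; skip it.
            if not os.path.isfile(v_filepath):
                continue
            with open(v_filepath, encoding='utf-8') as v_file:
                data = json.load(v_file)
            # The key may be absent or null; treat both as "no URIs".
            v_list = data.get('vulnerable_fasten_uris') or []
            for f_uri in v_list:
                o_file.write(f_uri + '\n')
            written += len(v_list)
    return written


if __name__ == '__main__':
    # The original script defined o_path but wrote to 'output.txt' in the
    # current working directory; the declared path is used here.
    collect_vulnerable_uris(v_dir, o_path)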