jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Include feature to assess Plugin for Bitbucket, Browser addins and extensions #2106

Closed TJ-jack closed 3 years ago

TJ-jack commented 5 years ago

I am not able to determine whether or not to use a library/plugin in Bitbucket from third parties, or Chrome extensions, as I know many of these are vulnerable and have permissions to access the clipboard and page source, read directory content and send data to servers in the name of detailed analysis.

If support for vulnerabilities reported by various researchers can be included in the database such that it can analyse Bitbucket and Outlook plugins and Chrome extensions, it would be great. A tool for checking Chrome extensions is available: https://crxcavator.io/

Can't think of an alternative.

References:
- https://snyk.io/blog/cheat-sheet-10-bitbucket-security-best-practices/
- https://snyk.io/product/vulnerability-database/ - open source vulnerability database.

jeremylong commented 5 years ago

Unless there is an open source version of the vulnerability data, ODC does not have a way of analyzing these things. Unfortunately, at this time ODC uses the NVD as a primary data source (along with the client-side JS data from Retire.js). ODC also uses the results of bundle audit for Ruby. Lastly, ODC uses a 3rd party hosted solution for some analysis using the same APIs as npm audit for node.js, and we have an OSS Index Analyzer that will return results not found in the NVD.

If you know of other open source repositories, we can look into including them in our analysis.