Open javixeneize opened 2 years ago
@javixeneize Please point us to comprehensive documentation on using the GitHub advisories as a source of truth.
Sure. Here is the documentation for the graphql API
https://docs.github.com/en/graphql/reference/objects#securityadvisory
Some other documentation:
https://github.com/github/advisory-database
And an issue I opened there to see whether a database can be built instead of querying the API for each library: https://github.com/github/advisory-database/issues/30
I am building an SCA tool (Python) using those advisories as a source, and it is working quite well. If you consider rewriting Dependency-Check in Python using GitHub advisories, I will be pleased to take part in it :)
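The matching step the post above describes (flagging a library and version against the advisory data instead of NVD CPE searches), as an added example that is not part of this thread or of either project: it evaluates the `vulnerableVersionRange` strings that the GraphQL `securityVulnerabilities` field returns (documented fields; the sample nodes, package name and GHSA ids below are constructed placeholders). Version comparison is simplified to dotted numeric versions, which is an assumption; a real tool needs the ecosystem's own rules (PEP 440, semver, Maven).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of securityVulnerabilities.nodes from the
# GitHub GraphQL API; package name and GHSA ids are placeholders, not real ones.
SAMPLE_NODES: List[Dict] = [
    {"package": {"ecosystem": "PIP", "name": "examplelib"},
     "vulnerableVersionRange": ">= 2.0.0, < 2.3.1",
     "firstPatchedVersion": {"identifier": "2.3.1"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0001", "severity": "HIGH"}},
    {"package": {"ecosystem": "PIP", "name": "examplelib"},
     "vulnerableVersionRange": "< 1.4.2",
     "firstPatchedVersion": {"identifier": "1.4.2"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0002", "severity": "MODERATE"}},
    {"package": {"ecosystem": "PIP", "name": "examplelib"},
     "vulnerableVersionRange": "= 3.0.0",
     "firstPatchedVersion": None,  # advisory without a fix yet
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-0003", "severity": "LOW"}},
]

_CONSTRAINT = re.compile(r"^(<=|>=|<|>|=)\s*([0-9][0-9.]*)$")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "=": lambda c: c == 0}


def compare(a: str, b: str) -> int:
    """Compare dotted numeric versions, padding so '2.0' == '2.0.0' (simplifying assumption)."""
    ka: Tuple[int, ...] = tuple(int(p) for p in a.split("."))
    kb: Tuple[int, ...] = tuple(int(p) for p in b.split("."))
    n = max(len(ka), len(kb))
    ka, kb = ka + (0,) * (n - len(ka)), kb + (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def version_in_range(version: str, vulnerable_range: str) -> bool:
    """Every comma-separated clause of a GitHub advisory range must hold."""
    for clause in vulnerable_range.split(","):
        m = _CONSTRAINT.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(version, bound)):
            return False
    return True


def find_affected(package: str, version: str, nodes: List[Dict], ecosystem: str = "PIP") -> List[Dict]:
    """Return the advisories whose package and range match one installed library/version."""
    hits = []
    for node in nodes:
        pkg = node["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"].lower() != package.lower():
            continue
        if version_in_range(version, node["vulnerableVersionRange"]):
            patched = node.get("firstPatchedVersion") or {}
            hits.append({"ghsaId": node["advisory"]["ghsaId"],
                         "severity": node["advisory"]["severity"],
                         "fixedIn": patched.get("identifier")})
    return hits
```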
This has been on my list of things to do. However, it would not be a re-write - rather an additional source that could help reduce the FP rate. I do not think we would completely abandon the current search mechanism - just reduce its usage some. I'm still determining a plan around this (and other datasources).
A couple of other databases include:
Yeah, I agree, the problem is mainly with Java; I haven't seen the same issue in other technologies. I am not good at Java, but if you need a hand to do it in Python, count on me!
Hi
There are lots of false positives in Dependency-Check because of the data pulled from the NVD. I have been querying the NVD database, and it is a nightmare to try to flag a vulnerability against a given library and version; I think this is the root cause of the false positives.
My recommendation is to use GitHub advisories as the database source (if the license of the database allows you to do that). This data is much cleaner and more reliable, and I think the false positives will disappear, making this a much better tool.
Thanks