CRAVEX: Vulnerability Lookup and base app

nexB / dejacode

Automate open source license compliance and ensure software supply chain integrity

https://dejacode.readthedocs.io

GNU Affero General Public License v3.0

18 stars 7 forks source link

CRAVEX: Vulnerability Lookup and base app #94

Open pombredanne opened 2 months ago

pombredanne commented 2 months ago

We should createc a base Vulnerability application management in DejaCode with these features:

[ ] CRAVEX: Create a scheduler for vulnerability lookups that will lookup in VCIO
[ ] CRAVEX: Store vulnerability lookups in a set of database models.

DennisClark commented 1 month ago

@pombredanne I would like to assign this one to Ziad but cannot see him on the Assignees list. Any suggestions please?

DennisClark commented 2 weeks ago

See https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/models.py and design the appropriate mapping to DejaCode.

DennisClark commented 2 weeks ago

A "scheduler" is a fairly new concept/feature for DejaCode. We need to determine if there is a usable Django library to facilitate creating such a feature. As a working start, let's consider a new section of the DejaCode admin Dashboard, right under the "Imports" section, called "Scheduler" (or similar), that has an initial option for "Refresh Vulnerabilities" (or similar) where the admin user can define the frequency and scope of the vulnerability refresh process to be run on an automatic basis.

Assumption: the basic scope of the vulnerability lookup is to find vulnerabilities associated with Packages and Components currently defined in the relevant DejaCode dataspace. This could be further refined to include only those that are assigned to a Product in that dataspace.

The scheduler should also include a task to update Components defined in the relevant dataspace with CPE values as those become available.

DennisClark commented 2 weeks ago

The proposed vulnerability model in DejaCode should be designed to support queries such as:

a filter-enabled list of all the Versions of a Component Name currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
a filter-enabled list of all the Versions of a Package currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
a filter-enabled list of all the Versions of a Product currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
for a Vulnerability (using the same ID as VulnerableCode), provide a filter-enabled list of all packages or components in the relevant dataspace that are associated with it
for a Vulnerability (using the same ID as VulnerableCode), provide a filter-enabled list of all products in the relevant dataspace that are impacted by it
and others to be identified of course