Open tsteenbe opened 1 year ago
Note that the SCANOSS API also can provide export control and health metrics - although interesting I propose we do not include these in the first iteration of this new advisor.
Where does the raw vulnerability data in SCANOSS come from @juliancoccia? It would only really make sense for us to add a SCANOSS advisor if it'd cover sources not already covered by OSV or VulnerableCode.
Our sources are OSV and NVD and we have a team of curators maintaining PURL->CPE relationships daily. This dataset is made available as open data:
https://github.com/scanoss/purl2cpe
Moreover, our curators also connect PURL <-> PURL which allows you to find vulnerabilities (and other layers of data) regardless of which PURL (from which repo) you use to query the API.
SCANOSS has a gRPC Vulnerability API which supports querying by package URL (PURL), including code repository package URLs. This makes it a very useful provider for C/C++ projects who know which OSS they use and want to know if there are any known vulnerabilities.
Example vulnerability query using SCANOSS python client
Vulnerability API is a bit hidden in their scanoss-py https://github.com/scanoss/scanoss.py/blob/main/src/scanoss/scanossgrpc.py#L253. Have spoken to @juliancoccia and he gave a big 👍 for us to create a SCANOSS provider.
Below is an ORT-based vulnerability process we were thinking of:
orth create-analyzer-result-from-package-list -i "$c-c++_project_file" --ort-file analyzer-result.json --config "$HOME/.ort/config/config.yml"
Package list must have package URLs for each dependency.
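Both the curated PURL->CPE data mentioned above and querying the Vulnerability API by package URL hinge on handling PURLs correctly, so here is an added example (not code from ORT, SCANOSS or the scanoss-py client) that parses a PURL in the order the purl spec prescribes, reduces it to its version-less base form, and resolves that to CPEs. The `PURL2CPE` table is constructed for illustration and does not assume the real purl2cpe file layout.

```python
from urllib.parse import unquote

# Constructed PURL -> CPE table in the spirit of the purl2cpe data; the real
# dataset's file layout is not assumed here. Keys are version-less base purls.
PURL2CPE = {
    "pkg:github/madler/zlib": ["cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*"],
    "pkg:generic/zlib": ["cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*"],
}

def _rsplit_once(s: str, sep: str):
    """Split s once from the right on sep; return (s, '') if sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")

def parse_purl(purl: str) -> dict:
    """Parse a package URL into its components following the purl spec order:
    '#' subpath, '?' qualifiers, 'pkg:' scheme, type, '@' version, name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest, subpath = _rsplit_once(purl[4:].lstrip("/"), "#")
    rest, query = _rsplit_once(rest, "?")
    ptype, _, rest = rest.partition("/")
    rest, version = _rsplit_once(rest, "@")
    namespace, _, name = rest.rpartition("/")
    if not ptype or not name:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    qualifiers = {}
    for kv in filter(None, query.split("&")):
        key, _, value = kv.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(p) for p in namespace.split("/")) or None,
        "name": unquote(name),
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }

def base_purl(purl: str) -> str:
    """Reduce a purl to pkg:type/namespace/name, the key form curators map."""
    p = parse_purl(purl)
    ns = f"{p['namespace']}/" if p["namespace"] else ""
    return f"pkg:{p['type']}/{ns}{p['name']}"

def cpes_for_purl(purl: str, mapping=PURL2CPE) -> list:
    """Resolve a (possibly versioned) purl to the CPEs to query NVD with."""
    return list(mapping.get(base_purl(purl), []))
```

An empty result from `cpes_for_purl` means the package has no curated CPE yet, which is exactly the gap a PURL<->PURL alias (e.g. a GitHub PURL for a generic one) is meant to close.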