Open prabhu opened 4 years ago
@prabhu Is this feature still desired? I am looking at how to implement this and here are my thoughts:

In the `prepare_vex` method, this loop is iterating over the findings. In this loop, each finding should have its year inspected and a variable will keep track of the oldest year. An INFO message will be printed to the console after the loop completes, assuming that the recommended year (previous year) != `NVD_START_YEAR`.

`GHSA-jg7w-cxjv-98c2`, which isn't helpful for determining the date. Please let me know your thoughts on GitHub vulnerability year determination.

Please provide any feedback regarding this overall approach if this feature is still desired. Also, what would you want to see updated in the docs for this?
@timmyteo, Thank you for looking into this. It is a very clever idea to use the CVE ID to infer the year, which could usually be enough—I'm looking forward to seeing this feature!
Currently, `NVD_START_YEAR` is configurable with a default value of 2018. The tool should recommend a start year based on the oldest CVE found. If a CVE belonging to the year 2018 is found, then the scan should recommend a re-scan with a start year of 2017 (previous year). This can be implemented in the analysis module.

Docs should be updated based on the recommendation.
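The logic discussed in the two comments above, written out as an added example (not code from dep-scan or from either participant): infer the year from each `CVE-YYYY-NNNN` identifier, skip GHSA identifiers because they carry no date, track the oldest year in a single pass over the findings, and recommend the previous year when the oldest finding sits at or before the configured `NVD_START_YEAR`. The finding dictionaries, the `id` key, the function names and the sample identifiers are assumptions for illustration; the only value taken from the thread is the default of 2018. One deliberate refinement over the `!= NVD_START_YEAR` condition in the thread: a CVE newer than the current window does not justify widening it, so the block only recommends a re-scan when `oldest <= start_year`.

```python
import re
from typing import Iterable, Optional

# Default taken from the thread; in dep-scan this is a configurable setting.
NVD_START_YEAR = 2018

# CVE identifiers embed the year they were reserved in (CVE-YYYY-NNNN...).
# GHSA identifiers (e.g. GHSA-jg7w-cxjv-98c2) are random and carry no date.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$", re.IGNORECASE)


def year_from_vuln_id(vuln_id: str) -> Optional[int]:
    """Return the year embedded in a CVE id, or None for ids without one.

    The CVE year is the year the id was reserved, not necessarily the year
    the vulnerability was published, but it is close enough to pick a
    start year for a re-scan.
    """
    match = CVE_ID_RE.match(vuln_id.strip())
    return int(match.group(1)) if match else None


def oldest_cve_year(findings: Iterable[dict]) -> Optional[int]:
    """Single pass over the findings, keeping the oldest CVE year seen.

    Findings whose id is not a CVE (GHSA, OSV, vendor ids) are skipped
    rather than guessed at.
    """
    oldest = None
    for finding in findings:
        year = year_from_vuln_id(str(finding.get("id", "")))  # assumed key name
        if year is None:
            continue
        if oldest is None or year < oldest:
            oldest = year
    return oldest


def recommend_start_year(findings: Iterable[dict],
                         start_year: int = NVD_START_YEAR) -> Optional[int]:
    """Return the start year to recommend for a re-scan, or None.

    A recommendation is only made when the oldest CVE is at or before the
    current window start: that is the case where older data may exist
    that the current scan could not have seen.
    """
    oldest = oldest_cve_year(findings)
    if oldest is None or oldest > start_year:
        return None
    return oldest - 1


def recommendation_message(findings: Iterable[dict],
                           start_year: int = NVD_START_YEAR) -> Optional[str]:
    """Build the INFO message described in the thread, or None if not needed."""
    recommended = recommend_start_year(findings, start_year)
    if recommended is None:
        return None
    return (f"Oldest CVE found is from {recommended + 1}; consider re-scanning "
            f"with NVD_START_YEAR={recommended} to cover older vulnerabilities.")


if __name__ == "__main__":
    # Constructed sample findings, not real scan output.
    sample_findings = [
        {"id": "CVE-2019-1234"},
        {"id": "GHSA-jg7w-cxjv-98c2"},   # no year information, skipped
        {"id": "cve-2018-0001"},          # case-insensitive match
        {"id": "CVE-2021-44228"},
    ]
    print(recommendation_message(sample_findings))
```

Run as a script the block prints a recommendation for 2017, because the constructed sample contains a 2018 CVE and the default window starts in 2018. Swapping the findings for a set whose oldest CVE is 2020 produces no message at all, which is the behaviour the `<=` check is there to guarantee.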