repology / repology-webapp

Repology web application
https://repology.org
GNU General Public License v3.0

wishlist: machine readable current vulnerabilities report tailored per repo #137

Open jrmarino opened 4 years ago

jrmarino commented 4 years ago

Hi Dmitry, You might already have something like this in mind but just in case, let me lay out the background then the actual request.

So Ravenports currently uses a patched version of FreeBSD's pkg(8) for package management. It's been giving us problems, especially on Linux, so I'm in the process of rewriting it (in Ada, but that isn't relevant). One feature I had eliminated from both the patched pkg and the new implementation is the vulnerabilities report feature, because I didn't have that vulnerabilities xml file nor the manpower to generate one. But repology might be the solution to this.

If there was a URL on the repology website that would produce a report, say in json format, that listed all the active CVEs on the supported version in ravenports, our package manager could read that and have the vulnerability information I didn't think we could have.

I don't think it needs to include obsolete CVEs. So for example, the last I checked, ravenports had 52 packages marked as vulnerable. So this proposed report would list those 52, the active CVEs for each, and perhaps a one line title/summary for each CVE.

Do you think that would be possible? I would imagine several other repository owners would find that useful somehow.

John

AMDmi3 commented 4 years ago

Sure, I do already have this in mind for the site (see #135); it would be easy to implement new API endpoints along the way. Some more info for CVEs needs to be stored, but that's not a problem.

jrmarino commented 9 months ago

I'd like to cycle back to this. As I recall, currently there's no way repology knows if the CVE was patched (unless something has changed). I was thinking indications of CVE patching can be added to the file that the repology parses to solve that.

For Ravenports, though, if we got the list of current vulnerabilities, we can track which CVEs were patched and filter those out. I'm once again making good progress on replacing "pkg" with our own package manager, and I'd love to be able to implement the audit feature using repology.

So if you want Repology to list patched CVEs for the parser, we can do that, but it's not a dealbreaker since we can filter on the other side.
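The client-side filtering described in this comment, as an added example that is not part of the thread and not Repology's or Ravenports' code. No such Repology endpoint exists, so the report shape (a list of vulnerable packages, each with its shipped version and its open CVEs plus a one-line summary) is an assumption matching what the request above asks for, and the CVE identifiers and summaries are constructed placeholders. The local "already patched" record is also assumed; a package manager would keep it alongside its own port metadata.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample of the hypothetical per-repo JSON report requested in
# this thread. This is NOT a real Repology API response.
SAMPLE_REPORT = json.dumps([
    {"project": "examplelib", "version": "1.2.3",
     "cves": [{"id": "CVE-0000-0001", "summary": "placeholder summary A"},
              {"id": "CVE-0000-0002", "summary": "placeholder summary B"}]},
    {"project": "othertool", "version": "4.5",
     "cves": [{"id": "CVE-0000-0003", "summary": "placeholder summary C"}]},
])

# Constructed local record of CVEs the repository has already patched,
# keyed by project name. This is the "filter on the other side" data.
LOCAL_PATCHED = {
    "examplelib": {"CVE-0000-0001"},
    "othertool": {"CVE-0000-0003"},
}

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    project: str
    version: str
    cve: str
    summary: str


def load_report(text):
    """Parse the report and reject entries that do not match the assumed
    shape, so a malformed or truncated feed fails loudly instead of
    silently producing an empty (and therefore "clean") audit."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("report must be a JSON list of packages")
    for entry in data:
        if not isinstance(entry.get("project"), str) or not isinstance(entry.get("version"), str):
            raise ValueError("package entry missing project/version")
        for cve in entry.get("cves", []):
            if not CVE_ID.match(cve.get("id", "")):
                raise ValueError(f"malformed CVE id in {entry['project']}")
    return data


def audit(report_json, patched):
    """Return the CVEs still open after removing those the repository has
    patched locally. A CVE counts as patched only for the project it was
    recorded against, never globally."""
    findings = []
    for entry in load_report(report_json):
        done = patched.get(entry["project"], set())
        for cve in entry.get("cves", []):
            if cve["id"] in done:
                continue
            findings.append(Finding(entry["project"], entry["version"],
                                    cve["id"], cve.get("summary", "")))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT, LOCAL_PATCHED):
        print(f"{f.project}-{f.version}: {f.cve} {f.summary}")
```

The strict parse step matters more than the filter itself: an audit tool that treats an unreadable feed as "no vulnerabilities" gives a false sense of safety, so the loader raises on anything outside the assumed shape.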

jrmarino commented 4 months ago

Hi Dmitry, Do you think this will happen? At a minimum the report should:

For my part, if Ravenports patches the CVE I can add this information to the repology.json file, so you could implement the ability to adjust vulnerability reports with reported patching of CVEs. I think that was on your wish list ...

AMDmi3 commented 4 months ago

Well, I do not plan to work on this in the near future.

jrmarino commented 4 months ago

Well, ok, I'll work on a solution that doesn't involve repology then.