stevespringett
commented
5 years ago hmmm. So Retire is one project (and only two files), but others include dotnet-retire and I think there's a php thing to.
The value that this project provides is:
- NVD does not have unlimited bandwidth and will throttle or block
- NVD feeds are large so mirroring conserves bandwidth and decreases Dependency-Check execution time
Mirroring Retire (hosted by GitHub) doesn't address these things. GitHub has a ton of bandwidth and does not throttle to my knowledge and the Retire feeds are extremely small. So I don't see any benefit except for orgs that flat-out refuse to allow access to GitHub. But in order to mirror Retire, an org will need to have access to GitHub. Not interested in providing workarounds to an orgs internal policy.
So I guess, I just don't see any reason to expand mirroring functionality to these small feeds. If there's another large feed that's available (similar to NVD for example), that would be something I'd be interested in mirroring (like I do with the vulndb mirror project).
jeremylong
The NIST data mirror is often used in conjunction with dependency-check. Now that dependency-check utilizes RetireJS to analyze JS files - should the data-mirror be updated to also mirror the RetireJS Repository?
The only reason I am posting the question as opposed to just submitting a PR is that this is titled "NIST" data mirror. Thoughts?