vulnerability-db
[v6] Identifying c/c++ libraries and projects
We need a PoC to experiment with better identification of C/C++ libraries with vulnerabilities.
With a local vuln-list repo, I am getting good hits from inside the NVD directory.
```sh
find . -name "*.json" -exec jq -c ".descriptions[].value" {} \; | rg '\.(c|cpp|h|hpp) '
```
We can build up a list of known vulnerable C/C++ libraries by collecting the various git and svn URLs from the references of those CVEs whose descriptions refer to .c/.cpp code (low precision). We can then augment this list by looking for similar URLs in the NVD CPE feeds.
https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
To improve precision, we may have to add more repos and CVEs to our data set manually.
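A worked sketch of the first two steps (filter CVE descriptions for C/C++ source-file names, then harvest repository URLs from their references), added here as an example; it is not code from this issue or from the vulnerability-db project. The NVD 2.0 field layout (`descriptions[].value`, `references[].url`) matches what the jq line above assumes, and the CVE records, repository names and URLs are constructed.

```python
import json
import re
from urllib.parse import urlparse

# A source-file name with a C/C++ extension, e.g. "src/pngrutil.c" or "parser.cpp".
CXX_FILE_RE = re.compile(r"\b[\w./-]*\w\.(?:c|cc|cpp|cxx|h|hpp)\b")
# Hosts whose URLs we treat as candidate library identifiers (git/svn forges).
REPO_HOSTS = ("github.com", "gitlab.com", "bitbucket.org", "sourceforge.net")

def mentions_cxx_source(text):
    """True if the description names a C/C++ source or header file (low precision by design)."""
    return bool(CXX_FILE_RE.search(text))

def is_repo_host(host):
    return host.startswith(("git.", "svn.")) or any(host == h or host.endswith("." + h) for h in REPO_HOSTS)

def repo_key(url):
    """Normalise a reference URL to host/owner/repo; None if it is not a repository URL."""
    p = urlparse(url)
    host = p.netloc.lower()
    parts = [x for x in p.path.split("/") if x]
    if not is_repo_host(host) or len(parts) < 2:
        return None
    return f"{host}/{parts[0]}/{parts[1].removesuffix('.git')}"

def collect_cxx_repos(records):
    """records: list of NVD 2.0-style CVE dicts. Returns {repo_key: sorted CVE ids}."""
    out = {}
    for rec in records:
        desc = " ".join(d["value"] for d in rec.get("descriptions", []) if d.get("lang") == "en")
        if not mentions_cxx_source(desc):
            continue
        for ref in rec.get("references", []):
            key = repo_key(ref.get("url", ""))
            if key:
                out.setdefault(key, set()).add(rec["id"])
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample records (fictional CVE ids, projects and URLs), shaped like NVD 2.0 items.
SAMPLE_NVD = json.loads("""[
 {"id": "CVE-0000-0001",
  "descriptions": [{"lang": "en", "value": "Buffer overflow in src/pngrutil.c in libimg allows remote attackers to cause a denial of service."}],
  "references": [{"url": "https://github.com/example-org/libimg/commit/0123abcd"},
                 {"url": "https://advisories.example.test/1"}]},
 {"id": "CVE-0000-0002",
  "descriptions": [{"lang": "en", "value": "Deserialization issue in Foo.java in the example-java project."}],
  "references": [{"url": "https://github.com/example-org/example-java/issues/1"}]},
 {"id": "CVE-0000-0003",
  "descriptions": [{"lang": "en", "value": "Use-after-free in parser.cpp in libexample before 2.0."}],
  "references": [{"url": "https://git.example.org/libexample/libexample.git"},
                 {"url": "https://github.com/example-org/libimg/issues/99"}]}
]""")

if __name__ == "__main__":
    print(json.dumps(collect_cxx_repos(SAMPLE_NVD), indent=2))
```

Feeding real vuln-list NVD files through `collect_cxx_repos` gives the low-precision seed list the issue describes; the CPE-dictionary pass and manual curation would then refine it.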