DongTai

[Feature]: Open-source component detection knowledge base

Open yingshang opened this issue 4 years ago • 2 comments

Preflight Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

When actually running DongTai's component detection feature, we found that the component vulnerability information lags behind and is inaccurate.

Proposed Solution

Proposed approach: use DongTai to identify the component version, look up which vulnerabilities exist for it via Maven, and additionally query a locally downloaded copy of the NVD database. This cuts the workload considerably and keeps the component data current.

[screenshot: NVD database]

import os
import requests

def nvd_download():
    # Download the yearly NVD 1.1 JSON feeds (2002 through 2021) into /opt/vul
    os.makedirs("/opt/vul", exist_ok=True)
    for i in range(2002, 2022):
        url = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{}.json.gz".format(i)
        r = requests.get(url=url, timeout=60)
        r.raise_for_status()  # fail loudly instead of writing an error page to disk
        pathname = os.path.join("/opt/vul", url.split("/")[-1])
        with open(pathname, "wb") as f:
            f.write(r.content)  # the with-block closes the file; no explicit close() needed

You can refer to how Dependency-Check scans jar packages.

Alternatives Considered

No response

Additional Information

No response

yingshang avatar Jan 05 '22 07:01 yingshang
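The issue proposes matching a component version detected by DongTai against a local copy of the NVD feeds. The following is an added example (not code from the issue or from the DongTai project) of the matching step that would sit on top of the `nvd_download()` snippet above: it walks the NVD 1.1 JSON layout (`CVE_Items[].configurations.nodes[].cpe_match[]`) and applies the `versionStart*`/`versionEnd*` range fields. The feed excerpt, the CVE IDs and the `example:examplelib` vendor/product are constructed placeholders, and the code assumes the Maven coordinates have already been mapped to a CPE vendor and product (the hard part that Dependency-Check's analyzers handle).

```python
import gzip
import json

# Constructed excerpt in the NVD 1.1 JSON feed layout. The CVE IDs, vendor,
# product and version ranges are placeholders, not real NVD data.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
            "configurations": {"nodes": [{
                "operator": "OR",
                "cpe_match": [{
                    "vulnerable": True,
                    "cpe23Uri": "cpe:2.3:a:example:examplelib:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "2.0.0",
                    "versionEndExcluding": "2.4.1",
                }],
            }]},
        },
        {
            "cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
            "configurations": {"nodes": [{
                "operator": "OR",
                "cpe_match": [{
                    "vulnerable": True,
                    "cpe23Uri": "cpe:2.3:a:example:examplelib:1.9.0:*:*:*:*:*:*:*",
                }],
            }]},
        },
    ]
})


def parse_version(v):
    """Split a dotted version into a tuple of ints; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cpe_fields(cpe23):
    # cpe:2.3:part:vendor:product:version:... -> index 3 vendor, 4 product, 5 version
    return cpe23.split(":")


def match_range(m, version):
    """True if `version` is covered by one cpe_match entry (exact version or range)."""
    v = parse_version(version)
    exact = cpe_fields(m["cpe23Uri"])[5]
    if exact not in ("*", "-"):
        return parse_version(exact) == v
    if "versionStartIncluding" in m and v < parse_version(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= parse_version(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > parse_version(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= parse_version(m["versionEndExcluding"]):
        return False
    return True


def find_cves(feed_json, vendor, product, version):
    """Return CVE IDs whose vulnerable cpe_match entries cover vendor:product:version."""
    data = json.loads(feed_json)
    hits = []
    for item in data["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        for node in item.get("configurations", {}).get("nodes", []):
            for m in node.get("cpe_match", []):
                if not m.get("vulnerable", False):
                    continue
                f = cpe_fields(m["cpe23Uri"])
                if f[3] != vendor or f[4] != product:
                    continue
                if match_range(m, version):
                    hits.append(cve_id)
                    break  # one hit per CVE is enough
            if hits and hits[-1] == cve_id:
                break
    return hits


def load_feed_gz(path):
    """Read one downloaded nvdcve-1.1-YYYY.json.gz file into JSON text."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    print(find_cves(SAMPLE_FEED, "example", "examplelib", "2.3.0"))  # ['CVE-0000-0001']
```

Two caveats for anyone wiring this into a scanner: the 1.1 feeds can nest `children` nodes under an `AND` operator (a library version that is only vulnerable together with a specific platform), which this flat walk ignores, and plain dotted-version comparison misorders schemes such as `1.0-rc1` versus `1.0`, so a production matcher should use a proper version library.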

You can refer to this project: https://github.com/cve-search/cve-search

yingshang avatar Jan 07 '22 07:01 yingshang

Thanks for the feedback; we will add this data in a new version.

luzhongyang avatar Jan 11 '22 02:01 luzhongyang