
Make VulnerabilitiesFromGitHubAdvisories great

Open sourabhsparkala opened this issue 4 years ago • 0 comments

VulnerabilitiesFromGitHubAdvisories is not a full-fledged DataProvider

The above data provider does not handle all the PackageManagers. Also, it doesn't recursively parse through all the types of PackageManager config files:

  • pom.xml for MAVEN
  • build.gradle for GRADLE
  • package-lock.json and package.json for NPM
  • yarn.lock and package.json for YARN
  • .csproj, .vbproj, .vcxproj, .fsproj, packages.config and .nuspec for DOTNET
  • Gemfile.lock, Gemfile and .gemspec for RUBYGEMS
  • composer.json and composer.lock for COMPOSER

Hence, we need to generalize how VulnerabilitiesFromGitHubAdvisories looks for config files and extracts the project identifier.

E.g.: ecosystem MAVEN and identifier com.fasterxml.jackson.core:jackson-databind for GitHub project FasterXML/jackson-databind

Things to do

  • [ ] Recursively find all the possible config files associated with the PackageManagers
  • [ ] Parse through them to get the identifier
  • [ ] Make sure that the recursive search also finds identifiers of its sub-modules and sub-projects
  • [ ] The Data Provider must return all possible advisories for all the identifiers found

sourabhsparkala · Apr 27 '20 09:04
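The four to-do items above describe one procedure: walk the repository, recognise the config files of each package manager, extract an ecosystem/identifier pair from each (including sub-modules), and hand the whole set to the advisory lookup. The sketch below is an added example written for this page, not code from fosstars-rating-core (which is a Java project), and it stays in Python so it runs stand-alone. It covers pom.xml (MAVEN, with the sub-module case where groupId is inherited from the parent POM), package.json (NPM), composer.json (COMPOSER) and .csproj (DOTNET); the sample checkout it scans is constructed inline, the ecosystem labels follow the list in the issue, and the skipped directory names and the PackageId fallback are assumptions for illustration.

```python
"""Recursive package-identifier discovery across package managers (constructed example, not fosstars code)."""

import json
import os
import tempfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # most POMs declare this namespace
SKIP_DIRS = {".git", "node_modules", "vendor", "target", "build", "bin", "obj"}  # assumed build/vendor dirs


def _pom_find(el, tag):
    """Direct child lookup that works whether or not the POM declares the Maven namespace."""
    child = el.find(POM_NS + tag)
    return child if child is not None else el.find(tag)


def _pom_text(el, tag):
    child = _pom_find(el, tag) if el is not None else None
    return child.text.strip() if child is not None and child.text else None


def parse_pom(path):
    """MAVEN identifier groupId:artifactId; a sub-module may inherit groupId from <parent>."""
    root = ET.parse(path).getroot()
    group = _pom_text(root, "groupId") or _pom_text(_pom_find(root, "parent"), "groupId")
    artifact = _pom_text(root, "artifactId")
    return ("MAVEN", f"{group}:{artifact}") if group and artifact else None


def parse_json_name(ecosystem):
    """package.json (NPM) and composer.json (COMPOSER) both carry the identifier in "name"."""
    def parse(path):
        with open(path, encoding="utf-8") as fh:
            name = json.load(fh).get("name")
        return (ecosystem, name) if name else None
    return parse


def parse_csproj(path):
    """DOTNET identifier: <PackageId> when present, else the project file's base name (assumed fallback)."""
    root = ET.parse(path).getroot()
    for el in root.iter("PackageId"):
        if el.text and el.text.strip():
            return ("DOTNET", el.text.strip())
    return ("DOTNET", os.path.splitext(os.path.basename(path))[0])


PARSERS = {"pom.xml": parse_pom, "package.json": parse_json_name("NPM"),
           "composer.json": parse_json_name("COMPOSER")}


def parser_for(filename):
    return parse_csproj if filename.endswith(".csproj") else PARSERS.get(filename)


def find_package_identifiers(root_dir):
    """Return the set of (ecosystem, identifier) pairs found anywhere under root_dir."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # do not scan third-party/build output
        for name in filenames:
            parser = parser_for(name)
            if parser is None:
                continue
            try:
                result = parser(os.path.join(dirpath, name))
            except (ET.ParseError, ValueError, OSError):
                continue  # one malformed config file must not abort the whole scan
            if result:
                found.add(result)
    return found


# Constructed sample checkout: Maven parent + sub-module inheriting groupId, an npm front end,
# a vendored npm package that must be ignored, a Composer package, a .csproj without PackageId,
# and one malformed POM to exercise the error path.
SAMPLE_FILES = {
    "pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><groupId>com.example</groupId>'
               "<artifactId>parent-demo</artifactId><modules><module>core</module></modules></project>",
    "core/pom.xml": "<project><parent><groupId>com.example</groupId></parent>"
                    "<artifactId>core-demo</artifactId></project>",
    "web/package.json": json.dumps({"name": "demo-web", "version": "1.0.0"}),
    "web/node_modules/left-pad/package.json": json.dumps({"name": "left-pad"}),
    "php/composer.json": json.dumps({"name": "example/demo-php"}),
    "dotnet/Demo.Lib.csproj": '<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
                              "<TargetFramework>net6.0</TargetFramework></PropertyGroup></Project>",
    "broken/pom.xml": "<project><groupId>oops",
}


def build_sample_tree(root_dir):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample checkout in a temp dir and return the identifiers found in it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_package_identifiers(tmp)


if __name__ == "__main__":
    for ecosystem, identifier in sorted(demo()):
        print(f"{ecosystem:9} {identifier}")
```

The set that `demo()` returns is what the last to-do item would feed to the advisory query, one lookup per (ecosystem, identifier) pair; the pruned `node_modules` entry and the malformed POM show the two behaviours a recursive scan needs to get right so that third-party code is not reported as the project's own and one bad file does not hide every other module.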