
Add RustSec DB source

Open wagoodman opened this issue 3 years ago • 4 comments

Add the ability to match rust crates against the RustSec DB https://github.com/rustsec/advisory-db

wagoodman avatar Dec 10 '21 18:12 wagoodman

@wagoodman, there is also https://github.com/google/osv, which aggregates all of these sources using a common schema.

westonsteimel avatar Dec 10 '21 19:12 westonsteimel

So how do we actually go about adding new data sources for grype? Is the existing process documented somewhere?

westonsteimel avatar Jan 01 '22 09:01 westonsteimel

~~Ah, so would it be somewhere in https://github.com/anchore/anchore-engine/tree/master/anchore_engine/services/policy_engine/engine/feeds?~~

No, I guess these are the legacy ones

westonsteimel avatar Jan 12 '22 10:01 westonsteimel

Hello, RustSec advisory DB maintainer here 👋

RustSec uses a custom TOML-based format, but we also provide all advisories in the OSV format in real time. So if you support OSV already, supporting RustSec should be very easy. You can get the advisory data from Google's API or straight from our git repo.

RustSec uses SemVer precedence rules so matching should be quite straightforward.

Please let me know if you have any questions, run into any issues, etc.

Shnatsel avatar Aug 04 '22 22:08 Shnatsel
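Putting the two points in Shnatsel's comment together, here is an added example (not code from grype or the RustSec project) that evaluates a crate version against the `introduced`/`fixed` events of an OSV `SEMVER` range using SemVer 2.0 precedence, so that a pre-release of the fixed version still counts as vulnerable. The events list is constructed, and the code assumes the events are already in ascending version order.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of one SEMVER range's "events" list, in the JSON object shape of
// RustSec's OSV export: two vulnerable windows, [0, 1.2.3) and [2.0.0, 2.1.0).
var sampleEvents = []map[string]string{{"introduced": "0"}, {"fixed": "1.2.3"}, {"introduced": "2.0.0"}, {"fixed": "2.1.0"}}

// semverKey encodes a version so that plain byte order equals SemVer 2.0 precedence: zero-padded
// major.minor.patch, then pre-release ids (numeric ones padded under prefix "0", alphanumeric under
// "1", each "\x00"-terminated so fewer ids sort lower); a release gets "~", above any pre-release.
func semverKey(v string) string {
	v, _, _ = strings.Cut(v, "+") // build metadata never affects precedence
	core, pre, hasPre := strings.Cut(v, "-")
	key := ""
	for _, p := range append(strings.Split(core, "."), "0", "0")[:3] { // pads "0" to 0.0.0
		n, _ := strconv.Atoi(p)
		key += fmt.Sprintf("%012d.", n)
	}
	if !hasPre {
		return key + "~"
	}
	for _, id := range strings.Split(pre, ".") {
		if n, err := strconv.Atoi(id); err == nil {
			id = fmt.Sprintf("0%012d", n)
		} else {
			id = "1" + id
		}
		key += id + "\x00"
	}
	return key
}

// cmpSemver returns -1, 0 or 1 as version a precedes, equals or follows version b.
func cmpSemver(a, b string) int { return strings.Compare(semverKey(a), semverKey(b)) }

// affected walks the events (assumed in ascending version order; only the introduced/fixed kinds are
// handled): an "introduced" at or below the version opens a vulnerable window, a "fixed" closes it.
func affected(events []map[string]string, version string) (vuln bool) {
	for _, ev := range events {
		if cmpSemver(version, ev["introduced"]+ev["fixed"]) >= 0 { // one key per OSV event
			vuln = ev["introduced"] != ""
		}
	}
	return vuln
}
```

With the sample above, `affected(sampleEvents, "1.2.3-alpha.1")` is true while `affected(sampleEvents, "1.2.3")` is false, which is the pre-release edge case a naive string comparison gets wrong.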