
Deploy osv.dev on-premise

Open masterlexa opened this issue 3 years ago • 2 comments

Hello!

We are looking for an option to deploy OSVdev on-premise since we have to run it inside a private network with a strongly limited internet connection.

Is it possible to do that?

masterlexa avatar Jul 20 '22 13:07 masterlexa

Hi!

Thanks for filing this issue. We haven't tried, but it's likely not very easy to deploy OSV.dev on-premise.

May we understand your use case a bit more here? What parts of osv.dev do you need? Are you hoping to just use this for vulnerability scanning?

oliverchang avatar Jul 21 '22 08:07 oliverchang

Hi!

We should check our libraries for vulnerabilities inside our corp network. We can make gateways for updating vulnerability databases, but all scanning requests should stay in our network. We can't deploy osv.dev in the cloud.

Basic plan:

  1. To have an actual vulnerability database in our network
  2. To have an API for checking our open-source packages
  3. Try to replace OWASP Dependency-Check with osv.dev

masterlexa avatar Jul 21 '22 15:07 masterlexa

I think we can clarify this down to just needing to be able to run a local copy of the data and API endpoint for scanning tools to talk to, not the entire infrastructure.

andrewpollock avatar Oct 18 '22 01:10 andrewpollock

Can you say when we can get information about deploying with docker-compose, for example?

masterlexa avatar Dec 01 '22 09:12 masterlexa

Or maybe we can't do it, because you use ndb.Client()?

masterlexa avatar Dec 02 '22 03:12 masterlexa

We were having a conversation about this use case yesterday. Yes, there's a hard dependency on Cloud Datastore, which makes running the OSV.dev infrastructure off-GCP somewhat difficult. There was also possibly interest for this raised in #873 recently as well.

One thought was whether the Datastore Emulator might provide a path forward, but no work has been done to explore this.

andrewpollock avatar Dec 02 '22 03:12 andrewpollock
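
The narrower need identified in the thread (a local copy of the data that scanning can query without any request leaving the network) can be sketched as an added example; this is not OSV.dev code and not from any participant. It assumes OSV-format JSON records have already been mirrored inside the network, uses constructed records with placeholder IDs, and compares versions as plain dotted numbers, which real ecosystems do not all follow.

```python
# Added example, not OSV.dev code: offline matching against OSV-format records.
# RECORDS are constructed; the IDs and package name are placeholders.

def parse_version(v):
    """Assumption: dotted numeric versions only; real ecosystems order differently."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_range(version, events):
    """Walk introduced/fixed/last_affected events in version order."""
    v = parse_version(version)
    affected = False
    for event in sorted(events, key=lambda e: parse_version(next(iter(e.values())))):
        if "introduced" in event:
            affected = affected or v >= parse_version(event["introduced"])
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > parse_version(event["last_affected"]):
            affected = False
    return affected

def is_affected(record, ecosystem, name, version):
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (ecosystem, name):
            continue
        if version in aff.get("versions", []):
            return True  # explicit version list needs no ordering logic
        for rng in aff.get("ranges", []):
            if rng.get("type") in ("SEMVER", "ECOSYSTEM") and in_range(version, rng.get("events", [])):
                return True
    return False

def query(records, ecosystem, name, version):
    """Return IDs of all local records that affect this package version."""
    return sorted(r["id"] for r in records if is_affected(r, ecosystem, name, version))

RECORDS = [
    {"id": "EXAMPLE-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "versions": ["2.0.0", "2.0.1", "2.1.0"],
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"last_affected": "2.1.0"}]}]}]},
    {"id": "EXAMPLE-0003", "affected": [{
        "package": {"ecosystem": "npm", "name": "examplepkg"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]},
]
```

A range with only an `introduced` event (EXAMPLE-0003) stays open-ended, so every later version matches until the local copy receives a record carrying a `fixed` or `last_affected` event; a stale mirror therefore produces false positives as well as misses.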