Feature request: add new language library/package parsers
Our language/library parsers read the metadata out of the package and translate that to a meaningful vendor, product, version tuple that cve-bin-tool can use to scan for vulnerabilities. Currently, we support things like Ruby gems, Python eggs, Java JAR files, etc. (current list here). It would be great to add more.
Looking at this list of popular programming languages you can see that we cover a lot of the top ones, but definitely not everything. I've already filed requests for perl and php:
- #1978
- #1979

But I'm filing this issue as a generic "add more languages! Any language!" request.
If you know of any language that has packages with enough metadata for us to use, please comment below!
Hi @terriko, I would like to work on this feature. Could you assign it to me? Thanks
I think c/c++ support using the Conan ecosystem would be a great addition.
So while going through the list of language packages we support, I thought a great addition would be a pubspec.lock parser for Flutter projects (Dart). For now the CVEs related to Dart packages are few, but as its popularity grows we can expect more CVEs being reported. Additionally, forks can use it to generate SBOMs too. What are your thoughts @terriko @anthonyharrison?
@mastersans sounds interesting! File a request for it with as much detail as you have about the format, and if you want to tackle actually implementing it make sure to say so after you do so I can assign it to you!
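To make the pubspec.lock proposal above concrete, here is an added example (not cve-bin-tool code) of the kind of reader such a parser would need: it walks the `packages:` section of a constructed lock file and emits the (vendor, product, version) tuples described in the opening post. The vendor value `unknown_vendor` is a placeholder assumption, since the lock file itself carries no vendor field.

```python
# Constructed sample of a Flutter/Dart pubspec.lock, trimmed to two packages
SAMPLE_PUBSPEC_LOCK = """\
# Generated by pub
packages:
  http:
    dependency: "direct main"
    description:
      name: http
      url: "https://pub.dartlang.org"
    source: hosted
    version: "0.13.5"
  path:
    dependency: transitive
    description:
      name: path
      url: "https://pub.dartlang.org"
    source: hosted
    version: "1.8.2"
sdks:
  dart: ">=2.18.0 <3.0.0"
"""

VENDOR_PLACEHOLDER = "unknown_vendor"  # assumption: the lock file has no vendor field


def parse_pubspec_lock(text: str) -> list[tuple[str, str, str]]:
    """Return (vendor, product, version) for each entry under 'packages:'.
    Package names are the two-space keys; each 'version:' sits at four spaces."""
    results: list[tuple[str, str, str]] = []
    in_packages, name, version = False, None, None

    def flush() -> None:  # emit the package collected so far, if complete
        if name and version:
            results.append((VENDOR_PLACEHOLDER, name, version))

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # new top-level section such as packages: or sdks:
            flush()
            name, version = None, None
            in_packages = line == "packages:"
        elif in_packages and indent == 2 and line.endswith(":"):
            flush()  # previous package is complete; start the next one
            name, version = line.strip()[:-1], None
        elif in_packages and indent == 4 and line.lstrip().startswith("version:"):
            version = line.split(":", 1)[1].strip().strip('"')
    flush()
    return results
```

Hosted packages are identified by name and version only; a real parser would still need a vendor lookup before matching against CVE data.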