VulnerableCode Insights
Q: How do I believe vulnerablecode has enough (sane) data for me to use? A: Here are some insights.
This project aims to provide insights in such a way that the user could be convinced of the effectiveness of VulnerableCode. Eventually, it might even have some overlap with VulnTotal as well.
Please share your ideas on what should go in an insight.
Current experimental dashboard:
Related: https://github.com/nexB/vulnerablecode/issues/1258
A few things that I can think of:
- use a pretty printed name instead of the importer's name
- clarify (maybe in some extra documentation or a tooltip?) if there is overlap between the importers, or how many of the vulnerabilities are unique, if this is easy to determine (it might not be). I could imagine that there are vulnerabilities that have been reported in one source but which do not have an associated CVE. That would potentially be interesting information.
- for CVE data it could be interesting to split per severity, per year, per ecosystem (embedded Linux, Windows, Java, etc.), per reference (for example: has it been reported for RHEL, Maven, Debian, etc. as well?)
The reasoning behind my comments: personally I don't want to wade through a lot of data, unless I feel bored. Instead, I want to get to the interesting bits as soon as possible, because someone might be breathing down my neck ("ARE WE VULNERABLE?!?") and I need to have access to the information as quickly as possible.
When ranking the importers it would be good to add row numbers. I now had to manually count to see that there are 26 importers.
Perhaps add some tooltips or an information window with extra information about the importer, such as:
- short description of the importer. This seems to be missing in the code itself and it might be good to add it there. As an example, right now "ProjectKBMSRImporter" does not give me any details about whether or not this is a data source I should care about.
- base URL
- last updated/crawled/fetched
- which importers were run on top (if this is possible)
Dashboard for monitoring the application. It can have:
- Status of each importer
- How many advisories are processed each day by the importers
- Failed imports
- etc.
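An added example (not code from the VulnerableCode project or from either commenter) that computes the insights asked for in the two comments above: advisories per importer, how many CVEs each importer reports that no other importer does, pairwise overlap, advisories with no CVE alias, per-year and per-severity splits, and a per-importer run summary (last status, failed runs, advisories per day). The importer names, advisory records and run log are constructed sample data, and the field names are assumptions for this example, not VulnerableCode's schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample advisories (not from a real VulnerableCode instance).
# Field names are assumptions for this example, not VulnerableCode's schema.
# An advisory with no CVE alias models a source-specific record (e.g. GHSA-only).
ADVISORIES = [
    {"importer": "nvd", "aliases": ["CVE-2021-0001"], "severity": "HIGH"},
    {"importer": "nvd", "aliases": ["CVE-2022-0002"], "severity": "LOW"},
    {"importer": "nvd", "aliases": ["CVE-2022-0003"], "severity": "CRITICAL"},
    {"importer": "nvd", "aliases": ["CVE-2020-0004"], "severity": "MEDIUM"},
    {"importer": "debian", "aliases": ["CVE-2021-0001"], "severity": "HIGH"},
    {"importer": "debian", "aliases": ["CVE-2022-0003"], "severity": "MEDIUM"},
    {"importer": "debian", "aliases": ["CVE-2023-0005"], "severity": "LOW"},
    {"importer": "github", "aliases": ["CVE-2022-0002"], "severity": "LOW"},
    {"importer": "github", "aliases": ["GHSA-xxxx-yyyy-zzzz"], "severity": "MEDIUM"},
]

# Constructed importer run log: one record per importer per day.
RUNS = [
    {"importer": "nvd", "day": "2024-01-01", "status": "ok", "advisories": 120},
    {"importer": "nvd", "day": "2024-01-02", "status": "failed", "advisories": 0},
    {"importer": "debian", "day": "2024-01-01", "status": "ok", "advisories": 40},
    {"importer": "debian", "day": "2024-01-02", "status": "ok", "advisories": 35},
]

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def advisories_per_importer(advisories):
    """Raw advisory count per importer (the figure a ranking shows today)."""
    return dict(Counter(a["importer"] for a in advisories))


def cves_by_importer(advisories):
    """Map each importer to the set of CVE ids it reports; non-CVE aliases are ignored."""
    seen = defaultdict(set)
    for a in advisories:
        seen[a["importer"]].update(x for x in a["aliases"] if CVE_RE.match(x))
    return dict(seen)


def unique_cves_per_importer(advisories):
    """CVEs reported by exactly one importer: what that source adds beyond the others."""
    seen = cves_by_importer(advisories)
    reporters = defaultdict(set)
    for importer, cves in seen.items():
        for cve in cves:
            reporters[cve].add(importer)
    unique = Counter(next(iter(r)) for r in reporters.values() if len(r) == 1)
    return {importer: unique.get(importer, 0) for importer in seen}


def overlap(advisories, first, second):
    """Number of CVEs reported by both importers."""
    seen = cves_by_importer(advisories)
    return len(seen.get(first, set()) & seen.get(second, set()))


def advisories_without_cve(advisories):
    """Advisories whose aliases contain no CVE id at all."""
    return sum(1 for a in advisories if not any(CVE_RE.match(x) for x in a["aliases"]))


def cves_per_year(advisories):
    """Distinct CVEs split by the year in the CVE id (duplicates across importers collapse)."""
    all_cves = set().union(*cves_by_importer(advisories).values())
    return dict(Counter(int(CVE_RE.match(c).group(1)) for c in all_cves))


def advisories_per_severity(advisories):
    """Advisory count per severity label as reported by the importers."""
    return dict(Counter(a["severity"] for a in advisories))


def run_summary(runs):
    """Per importer: last status, last run day, failed run count and advisories per day."""
    summary = {}
    for r in sorted(runs, key=lambda r: r["day"]):
        s = summary.setdefault(r["importer"], {"last_status": None, "last_run": None,
                                                "failed_runs": 0, "advisories_per_day": Counter()})
        s["last_status"], s["last_run"] = r["status"], r["day"]
        if r["status"] == "failed":
            s["failed_runs"] += 1
        s["advisories_per_day"][r["day"]] += r["advisories"]
    return summary


if __name__ == "__main__":
    print(advisories_per_importer(ADVISORIES))
    print(unique_cves_per_importer(ADVISORIES))
    print(overlap(ADVISORIES, "nvd", "debian"), advisories_without_cve(ADVISORIES))
    print(cves_per_year(ADVISORIES), advisories_per_severity(ADVISORIES))
    for importer, s in run_summary(RUNS).items():
        print(importer, s["last_status"], s["failed_runs"], dict(s["advisories_per_day"]))
```

The unique and overlap counts key on CVE ids, so an importer's advisories that carry no CVE alias are reported separately by `advisories_without_cve` rather than silently inflating its "unique" figure; in a real deployment the same split should be done on whatever canonical vulnerability identifier the database uses.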