
Add support for Microsoft vulnerabilities and CVRF

Open pombredanne opened this issue 5 years ago • 5 comments

MSFT releases their vulnerabilities using this CVRF format https://www.icasi.org/cvrf/

See https://github.com/Microsoft/MSRC-Microsoft-Security-Updates-API for details

@mschiffm https://github.com/mschiffm/cvrfparse is a library to likely handle this alright

pombredanne avatar Apr 04 '19 10:04 pombredanne
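A minimal ingester for the CVRF 1.1 layout that the MSRC feed uses, added here as an illustration (this is not VulnerableCode's code, nor cvrfparse): it maps each vulnerability's CVE to the product names the document marks "Known Affected", which is the join a feed importer has to do because the vulnerability entries only carry product IDs. The XML document, product IDs, names and title are a constructed sample; only the namespaces and the CVE number come from the real feed and this thread.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (ICASI schema) used by the MSRC Security Updates feed.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample document: product IDs, names and the title are illustrative only.
SAMPLE_CVRF = f"""<cvrf:cvrfdoc xmlns:cvrf="{NS['cvrf']}" xmlns:prod="{NS['prod']}" xmlns:vuln="{NS['vuln']}">
  <prod:ProductTree>
    <prod:Branch Type="Vendor" Name="Microsoft">
      <prod:FullProductName ProductID="11926">.NET 6.0</prod:FullProductName>
      <prod:FullProductName ProductID="11927">.NET Core 3.1</prod:FullProductName>
      <prod:FullProductName ProductID="11928">.NET 7.0</prod:FullProductName>
    </prod:Branch>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Constructed sample vulnerability</vuln:Title>
    <vuln:CVE>CVE-2022-41032</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>11926</vuln:ProductID>
        <vuln:ProductID>11927</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>11928</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>"""

def parse_cvrf(xml_text):
    """Map each CVE in a CVRF document to the product names marked 'Known Affected'."""
    # xml.etree does not fetch external entities; for an untrusted feed, defusedxml is the safer drop-in.
    root = ET.fromstring(xml_text)
    # ProductID -> readable name; the vulnerability entries only carry the IDs.
    products = {p.get("ProductID"): (p.text or "").strip() for p in root.iterfind(".//prod:FullProductName", NS)}
    result = {}
    for vuln in root.iterfind("vuln:Vulnerability", NS):
        cve = vuln.findtext("vuln:CVE", default="", namespaces=NS).strip()
        if not cve:
            continue  # entries without a CVE are not ingested here
        affected = set()
        for status in vuln.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            if status.get("Type") != "Known Affected":
                continue  # skip 'Known Not Affected', 'Fixed', etc.
            for pid in status.iterfind("vuln:ProductID", NS):
                key = (pid.text or "").strip()
                affected.add(products.get(key, f"unknown-product:{key}"))
        result[cve] = sorted(affected)
    return result
```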

See also the updated pointers for CVRF in https://github.com/nexB/vulnerablecode/issues/62#issuecomment-535420939

pombredanne avatar Sep 26 '19 09:09 pombredanne

These are closed source vulnerabilities, isn't that out of scope of vulnerablecode?

sbs2001 avatar Mar 23 '20 11:03 sbs2001

Microsoft ships quite a bit of OSS code these days. Having said that, I don't know whether this feed makes sense for VulnerableCode. Someone needs to do the research on it. :)

haikoschol avatar Mar 29 '20 18:03 haikoschol

The data from the CVRF is basically https://portal.msrc.microsoft.com/en-us/security-guidance; the majority of the vulnerabilities are of closed source Microsoft products like IE, Paint, Windows etc. The only value these have is about .NET vulnerabilities.

sbs2001 avatar May 23 '20 09:05 sbs2001

There is value in these after all. See https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41032. It has unique information on affected NuGet versions that is not available elsewhere.

pombredanne avatar Nov 30 '22 22:11 pombredanne