Philippe Ombredanne
https://github.com/nexB/scancode-toolkit/blob/04e24e0c7edccaa27ad2cf495e15abb849a922c9/src/licensedcode/data/rules/boost-original_3.RULE is not really the same as boost-original, as this does not have the requirement to include the license in all copies as in https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/boost-original.LICENSE
There are many problems derived from supporting native Windows: since we are dealing with a lot of lower-level path, file and byte handling, we are exposed to many...
For instance docker://redhat/ubi8:8.9-1160-source contains about 140 source RPMs that are just named after their SHA256 as in "cc150f5198bc818e1807b9985468047ec7c509654bdfd806a65a2b5081fafd00" and are not detected as RPMs (nor extracted)
It would be great to optimize resource usage. In particular, these are the likely key hot spots: - memory as used in license detection (was typically 0.8 GB, now closer...
https://github.com/nexB/vulnerablecode/pull/782 added support for the NVD importer, but other importers have this information too and should be enhanced to report it.
There is new 'raw' public data from Apache: - an index at https://cveprocess.apache.org/publicjson - individual vulnerabilities at e.g., https://cveprocess.apache.org/publicjson/CVE-2020-17513 The detail files are in CVE-json v4.0 or v5.0 format depending...
In some cases it may be possible to infer new package URLs from collected references. In this [CVE-2014-1904.pdf](https://github.com/nexB/vulnerablecode/files/5895902/CVE-2014-1904.pdf) we have these: - https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485 - https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58 - https://github.com/spring-projects/spring-framework.git/741b4b229ae032bd17175b46f98673ce0bd2d485 - https://github.com/spring-projects/spring-framework.git/75e08695a04980dbceae6789364717e9d8764d58 1....
We should extract interesting data from CVE and other vulnerability bodies. This is based on this research https://rp.os3.nl/2020-2021/p06/report.pdf and https://rp.os3.nl/2020-2021/p06/presentation.pdf by Bart van Dongen and @armijnhemel. See also for related...
We should extract unpublished vulnerabilities from commit histories and issue trackers. - [ ] Parse issues and trackers such as GitHub issues. See https://github.com/nexB/vulnerablecode/issues/251 - [ ] Parse CHANGELOGs. See...
This would be useful, and it is not trivial as there is no proper feed for these. - We can instead work from GitHub PURLs, which host the majority of...