
Local caching of vulnerabilities

Open bufferoverflow opened this issue 6 years ago • 11 comments

Node security wg is planning to create a dedicated repo for the known vulnerabilities, see https://github.com/nodejs/security-wg/issues/359#issuecomment-410079404

Using that sources instead of redirecting to upstream npm could be a nice option for verdaccio-audit.

bufferoverflow avatar Aug 02 '18 22:08 bufferoverflow

Thanks @bufferoverflow for letting me know 👍

juanpicado avatar Aug 03 '18 09:08 juanpicado

@bufferoverflow do you know how to proceed with this? I'm a bit outdated.

juanpicado avatar Jan 09 '19 20:01 juanpicado

I'm also interested in this, because I'm using dependency-check ... And it ... spams the audit API ...

As I understand it, you need to clone the repo (or add it as a dependency, but the package.json version seems not to be updated).

After:

  • read the files in the core folder to search for vulnerabilities by Node.js version (but maybe not appropriate for the audit API).
  • read the files in /ecosystem/<dependency>/ and get the vulnerable_versions from the JSON, then compare it with the received version (I don't really know what npm sends to the audit API).

The problem will maybe be the need for git (to install the repo).

thib3113 avatar May 10 '19 08:05 thib3113

I guess we have to wait until https://github.com/nodejs/security-advisories is shipped as an npm package or on a web site.

bufferoverflow avatar May 10 '19 16:05 bufferoverflow

@bufferoverflow not sure an npm package was a good idea.

Maybe better to do:

  • use the GitHub API to check for updates every 4 (?) hours
  • if there is an update, update the local database (clone/"download archive" into a local folder)

It's what dependency-check does with the NVD database (if the database is some hours old, it updates it).

I'm not sure they want to do a website with an API for this; I think they just want to do a website to search for a vulnerability, or a package to see if it contains vulnerabilities and which version.

thib3113 avatar May 10 '19 16:05 thib3113

@thib3113 valid points, worth doing!

bufferoverflow avatar May 10 '19 16:05 bufferoverflow

@bufferoverflow I've just been checking this way a little (before answering on this thread). And I think I didn't have the time to do it, but this can be useful for you:

  • GitHub API to get the last master commit: https://api.github.com/repos/nodejs/security-advisories/commits/master
  • URL to download the zip: https://github.com/nodejs/security-advisories/archive/master.zip

thib3113 avatar May 10 '19 17:05 thib3113
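The refresh-and-match flow sketched in the comments above (check the upstream master commit, refresh the local copy when it changed or is a few hours old, then compare an installed version against each advisory's vulnerable_versions), as an added example that is not verdaccio's or nodejs/security-advisories' own code. It assumes the ecosystem JSON carries a semver-style `vulnerable_versions` range, that the cache records the last fetched SHA and fetch time, and uses a constructed advisory set; network fetching is left out so it runs offline.

```javascript
// Decide whether the cached advisory copy must be refreshed: no cache yet,
// upstream master SHA changed, or the copy is older than maxAgeMs
// (the "check every N hours" rule). meta = { sha, fetchedAt } is assumed.
function cacheNeedsRefresh(meta, upstreamSha, nowMs, maxAgeMs) {
  if (!meta || !meta.sha || typeof meta.fetchedAt !== 'number') return true;
  if (meta.sha !== upstreamSha) return true;
  return nowMs - meta.fetchedAt > maxAgeMs;
}

// Compare two dotted numeric versions numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher for ranges such as "<1.2.3" or ">=2.0.0 <2.1.0 || <1.0.0":
// "||" separates alternatives, whitespace separates ANDed comparators.
// Unsupported syntax (tilde, caret, x-ranges) throws rather than silently passing.
function versionSatisfies(version, range) {
  return range.split('||').some(alt => alt.trim().split(/\s+/).every(cmp => {
    const m = /^(<=|>=|<|>|=)?\s*v?(\d+(?:\.\d+)*)$/.exec(cmp);
    if (!m) throw new Error(`unsupported comparator: ${cmp}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return c < 0; case '<=': return c <= 0;
      case '>': return c > 0; case '>=': return c >= 0;
      default: return c === 0;
    }
  }));
}

// Return the advisories from the local db (keyed by package name, as the
// files under ecosystem/<name>/ would be) that cover one installed version.
function findAdvisories(db, name, version) {
  return (db[name] || []).filter(a => versionSatisfies(version, a.vulnerable_versions));
}

// Constructed sample data standing in for the parsed ecosystem JSON files.
const SAMPLE_DB = {
  'example-pkg': [
    { id: 1, title: 'constructed advisory A', vulnerable_versions: '<1.2.3' },
    { id: 2, title: 'constructed advisory B', vulnerable_versions: '>=2.0.0 <2.1.0' },
  ],
};
```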

Not sure but http://registry.npmjs.com/-/v1/search?text=is:insecure&size=250 seems to contain all advisories.

DanielRuf avatar Jun 04 '19 08:06 DanielRuf

https://github.com/nodejs/security-advisories/archive/master.tar.gz would probably be better to save some bandwidth.

DanielRuf avatar Jun 04 '19 08:06 DanielRuf

@DanielRuf yes, it's what I said (about the master.tar.gz ... just with a .zip)

thib3113 avatar Jun 04 '19 08:06 thib3113

Just got blocked by npm completely on a CI b/c of their stupid audit API... Having this use the current db and downloading it, or at least caching the result for some time, is something that needs to be added. Will see if I can put some time into this...

wzrdtales avatar May 29 '20 09:05 wzrdtales