Low number of findings compared to commercial tool #572
Comments
@oheger-bosch Thank you ++ for this detailed report! Could you provide a list of purl/CVE combos that you found missing in VulnerableCode? (If it is big you can send these zipped privately at [email protected]) That way we can investigate why this is happening: it could be either a bug or a missing data source or both, but it is going to be hard to investigate short of hard data.
@pombredanne I have sent a mail with packages / CVEs that have been reported by Nexus IQ, but not by VulnerableCode.
I have started checking the differences and that's awesome data. @oheger-bosch Thank you +++
Thank you for looking at this so timely @pombredanne. It's quite important for us to understand what causes these differences in findings, as we're still planning for a major rollout of VulnerableCode, but this is being blocked by the concerns raised here.
@jlarfors Thank you for the details. For this CVE-2020-15222 this is a different bug.
@Hritik14 ^ :)
@jlarfors and possibly also other package relationships to be inferred, as this is a Go package based on https://github.com/ory/fosite/blob/master/go.mod
We're missing the fosite vulnerability since there's no importer for the Go ecosystem. However, this should be fixed by #578
Dear all, is there any progress to report regarding this issue?
@sschuberth We are working on improving the data quality of VulnerableCode. A lot of it can be tracked in #597 and the other open tickets. We are also pondering a project to compare VulnerableCode data to the rest of the world with something like VulnTotal.
Hi all,
For OSS compliance and vulnerability reports we use the OSS Review Toolkit (ORT). The ORT advisor component currently supports querying vulnerability information from VulnerableCode and Sonatype Nexus IQ, both of which we use. We host an instance of VulnerableCode and run the importers on a regular schedule.
With this setup in place for about half a year, I did an evaluation of the findings returned by VulnerableCode and Nexus IQ based on the results produced by ORT. The outcome is that the number of findings reported by VulnerableCode is significantly lower than for Nexus IQ, particularly for certain package types (NPM, Python, Maven). Find below an excerpt from the results. (The "Packages" column contains the number of packages for which at least one security vulnerability has been reported by one of the systems.)
The projects that have been scanned by ORT to produce these numbers are currently ongoing software development projects. I assume they use a typical set of library dependencies with up-to-date versions.
Now I am trying to investigate the reasons for these differences. What I have tried so far is the following:
Does this look plausible or do we miss relevant data from sources?
So, the question is, do you have any ideas/suggestions what could be the cause for this low number of findings? Is our database corrupt or is VulnerableCode missing important sources of vulnerability information? Any help would be appreciated.