
Consider using OSV #76

Open
FRidh opened this issue May 21, 2021 · 3 comments

Comments

@FRidh commented May 21, 2021

Open source vulnerabilities database
https://osv.dev/

Its scope seems to be increasing, and they're looking into PyPI packages now as well
https://discuss.python.org/t/proposing-a-community-maintained-database-of-pypi-package-vulnerabilities/8374

@ckauhaus (Collaborator)

I'll definitely have a look into this. Looks interesting. Working with the NVD is a pain.

@RaitoBezarius (Member)

I looked into implementing OSV in vulnix, and it does not look that hard, but two questions are raised:

  • NVD seems to be cached and supports mirrors; it seems like OSV does not offer this possibility out of the box, except by downloading all the data from https://osv-vulnerabilities.storage.googleapis.com/ and caching it, then replicating the OSV logic, I believe.
  • I am not sure it is easy to get the "origin" commit SHA of a given final derivation, and it is a shame, as it could solve product-candidate confusion.

What would be awesome would be to have Nix sha256 → origin commit SHA, if it exists. :-)
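
As an added example (not vulnix code, and not the OSV project's own client), the following Python replicates the OSV "affected ranges" matching logic over a locally cached record of the kind served from the osv-vulnerabilities bucket. The record, its ID (EXAMPLE-2021-0001), the package name and the repo URL are constructed for illustration and do not refer to a real advisory. The GIT-type range illustrates the second point above: it cannot be evaluated without repository history (commit ordering), whereas an ECOSYSTEM range needs only a package name and version. The `osv_query_payload` helper is an assumed convenience built on the documented body shape of POST https://api.osv.dev/v1/query; nothing here performs network access.

```python
"""Local OSV record matching (added example, not vulnix code)."""
import json
import re

# Constructed sample record in OSV schema shape; hypothetical advisory.
SAMPLE_OSV_RECORD = json.loads("""
{
  "id": "EXAMPLE-2021-0001",
  "summary": "hypothetical issue in examplepkg",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}
      ],
      "versions": ["1.2.0", "1.3.0", "1.4.0"]
    },
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "GIT", "repo": "https://example.invalid/examplepkg.git",
         "events": [{"introduced": "0"}, {"fixed": "deadbeef"}]}
      ]
    }
  ]
}
""")


def parse_version(v):
    """Turn a dotted version into a tuple that orders with < and >.

    Numeric components compare as ints; the OSV sentinel "0" (meaning
    "since the beginning") sorts below everything. This is a naive
    ordering for the example, not a PEP 440 or semver implementation.
    """
    if v == "0":
        return ()
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (-1, piece))
    return tuple(parts)


def version_in_range(version, rng):
    """Walk the OSV 'events' of one range and return True/False/None.

    Events are assumed to be listed in ascending version order:
    'introduced' opens an affected interval, 'fixed' / 'last_affected'
    closes it. GIT ranges are commit-based and need the repository's
    history to order commits, so they are returned as None (unevaluable).
    """
    if rng["type"] == "GIT":
        return None
    v = parse_version(version)
    affected = False
    for event in rng["events"]:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > parse_version(event["last_affected"]):
            affected = False
    return affected


def matches(record, ecosystem, name, version):
    """Return (affected, unevaluable_ranges) for one OSV record.

    An explicit 'versions' list is checked first; then every range for a
    matching package is evaluated. GIT ranges that could not be checked
    are counted so the caller knows the verdict is incomplete.
    """
    hit, skipped = False, 0
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):
            hit = True
        for rng in aff.get("ranges", []):
            result = version_in_range(version, rng)
            if result is None:
                skipped += 1
            elif result:
                hit = True
    return hit, skipped


def osv_query_payload(ecosystem, name, version=None, commit=None):
    """Body for POST https://api.osv.dev/v1/query (assumed helper).

    Given a commit SHA, the query needs no package name or version at
    all, which is the reason a Nix store hash -> origin commit mapping
    would sidestep product-name confusion.
    """
    if commit:
        return {"commit": commit}
    return {"version": version,
            "package": {"name": name, "ecosystem": ecosystem}}


if __name__ == "__main__":
    for ver in ("1.1.9", "1.3.0", "1.4.1"):
        print(ver, matches(SAMPLE_OSV_RECORD, "PyPI", "examplepkg", ver))
```

Running the block prints, for each version, whether it falls in the affected interval and how many ranges (the GIT one) could not be evaluated locally; a real cache would iterate this over every record for the ecosystem, which is the "replicating the OSV logic" step.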

@ckauhaus (Collaborator)

  1. Don't bother about caching in this stage. We can tackle that later on.
  2. I don't understand your question. Could you expand on it?
