New approach for CVE checking #547
I was doing some more research and got the impression that the official CVE-DB is designed like a "blockchain": some large monolithic monster designed to only grow and grow.
The database download without an NVD API key is extremely slow (like an hour), and in the end I couldn't even finish the entire download because of 403 and 406 errors. So first of all we need an API key, and then the download of the database should take around 20 minutes (https://jeremylong.github.io/DependencyCheck/dependency-check-maven/).
It's possible to configure a central database server so that each user can use that database for checking (see https://jeremylong.github.io/DependencyCheck/data/database.html), or otherwise there is the possibility to cache the database (https://jeremylong.github.io/DependencyCheck/data/cacheh2.html) and share it across different projects.
Could also be interesting: https://github.com/projectdiscovery/cvemap
That is promising: https://github.com/aquasecurity/trivy
Survey results: CVE detection tools
APIs: I list them for the sake of completeness.
Conclusion: Most of the tools need an API key for full download and query performance, so they are not feasible to be integrated in IDEasy. A solution could be to create our own database, or to look for an existing one with better access than the NVD database and use that. In my opinion trivy is the best tool for our purpose: it is fast, there are binaries, and there are a lot of configuration options. Unfortunately, you can't search for specific CVEs by product or vendor. But trivy can scan an SBOM or other specific files. A deeper look could possibly show us a way to manage the installed tools in, for example, an SBOM per project and then pass them to the tool.
Trivy also offers the creation of custom plugins (https://aquasecurity.github.io/trivy/v0.17.2/plugins/). In the end, the custom plugin can be written in any programming language. So if we can connect to the database used by trivy, we could implement our own query to get the needed CVE data for vendor/product.
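To make the "SBOM per project" idea from the survey conclusion concrete, here is an added example (not code from the issue or from IDEasy): a small POSIX shell script that renders a constructed list of installed tools into a minimal CycloneDX SBOM and hands it to `trivy sbom`. The tool-to-purl mapping, the `TOOL_LIST` contents and the `IDE_ROOT`-relative output path are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample input: one installed tool per line as "name version purl-without-version".
# Mapping an IDEasy tool to a package URL is an assumption here, not an IDEasy convention.
TOOL_LIST='maven 3.9.6 pkg:maven/org.apache.maven/maven-core
gradle 8.5 pkg:maven/org.gradle/gradle-core'

# Render TOOL_LIST as a minimal CycloneDX 1.5 JSON document on stdout.
# Each tool becomes one "library" component whose purl carries the installed version,
# which is what trivy matches against its vulnerability database.
build_sbom() {
  printf '{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"components":['
  first=1
  printf '%s\n' "$TOOL_LIST" | while read -r name version purl; do
    [ -n "$name" ] || continue                 # skip blank lines
    [ "$first" -eq 1 ] || printf ','           # comma between components, none before the first
    first=0
    printf '{"type":"library","name":"%s","version":"%s","purl":"%s@%s"}' \
      "$name" "$version" "$purl" "$version"
  done
  printf ']}\n'
}

# Write the SBOM next to the project and scan it with trivy (assumed to be on PATH).
# --cache-dir points trivy at one shared database directory so the ~1 GB DB is reused
# across projects; --exit-code 1 makes the call fail when HIGH/CRITICAL findings exist,
# which is the signal an installer would use to ask the user for confirmation.
scan_sbom() {
  sbom="${1:-${IDE_ROOT:-.}/.ide/sbom.cdx.json}"   # assumed location under IDE_ROOT
  cache="${TRIVY_CACHE_DIR:-${IDE_ROOT:-.}/.ide/trivy-cache}"
  mkdir -p "$(dirname "$sbom")" "$cache"
  build_sbom > "$sbom"
  trivy --cache-dir "$cache" sbom --severity HIGH,CRITICAL --exit-code 1 "$sbom"
}
```

Run `build_sbom` alone to inspect the generated document, or `scan_sbom` to write it and invoke trivy.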
I tried out how far I can get writing a simple query script to get information out of the trivy database. The database where the vulnerabilities are included is ~1 GB and made with BoltDB. BoltDB is a key/value store written purely for Go. The value of a CVE key is:
The question is: is the information from the vulnerability database sufficient for our purpose? We can search the values of each CVE by vendor, product and possibly version and then output the corresponding CVE with severity and references. In Trivy's database there are other databases besides the NVD vulnerabilities, which might be interesting, but where the values are different.
A further question is: is there an API to use database queries from other languages like Java?
With story #103 we want to have security checking to warn users before a tool installation, as well as after it, if a tool with critical CVEs is used/installed; if detected before installation, the user shall be asked for confirmation.
We already implemented a lot of this with PR #119 and then created story #190 with some concerns and improvements.
In the end we came to discussions that questioned the entire approach.
With this story we want to do a PoC/MVP on an alternative approach: «tool»+«edition»+«version». That most probably needs additional information that PR #119 (#103: security warning for CVEs in file tool/edition/security) added to URLUpdaters but would then be needed directly in ToolCommandlet.
Example from maven: org.owasp:dependency-check-core
) that we need to implement this CVE check. If that happens inside IDEasy we must ensure that the CVE-DB is reused across multiple projects. Either the tool already creates this in a hidden folder of the user's home directory, or we can specify a directory so the data would be written somewhere in IDE_ROOT.
Things to analyze: