Vulnerability comes from the Latin word for "wound," vulnus. Vulnerability is the state of being open to injury, or appearing as if you are. - vocabulary.com
This application lets you identify your open source dependencies and determine whether any of the packages your application uses have known, publicly disclosed vulnerabilities.
It works by calling the public service at https://ossindex.sonatype.org/, which uses data derived from public sources, so it's worth checking their warnings, disclaimers and rate-limiting policies.
The intended target platform is Docker Compose launched via a PowerShell script. However, if it is useful to an organization, it can be hosted using any container orchestration tool.
The following images are used by default:
The following is based on the API inputs at ossindex.sonatype.org:
- Select the lookup type:
  a. File: upload the [PROJECT].csproj file, which assumes
  b. Name: the name of the component you wish to look up, along with its version. The package type must also be selected, for example npm or nuget.
This is then deserialized to
- Supply your project name, which is used to group reports.
- Check the local database for a record whose HasExpireddate field is less than a month old and, if present, return those results.
- Otherwise call ossindex.sonatype.org/api for new data.
- Store the result in the database, if applicable, and return the results.
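The lookup flow above (parse the .csproj, serve cached reports younger than a month, fetch only the stale coordinates from OSS Index, then cache them) as an added Python example; this is not the project's own code. The v3 component-report endpoint and the pkg:nuget package-URL form are assumed from the OSS Index public API documentation, and the sample .csproj and cache contents are constructed so the block runs offline.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

# OSS Index v3 component-report endpoint (assumed from its public API docs; the page only names the /api host)
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_AGE = timedelta(days=30)  # a cached report older than a month is refreshed

# Constructed sample .csproj and cache state, not taken from any real project
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
  <PackageReference Include="Serilog" Version="2.10.0" />
</ItemGroup></Project>"""
SAMPLE_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_CACHE = {  # coordinate -> (stored_at, report); one fresh entry, one expired
    "pkg:nuget/Newtonsoft.Json@12.0.3": (SAMPLE_NOW - timedelta(days=10), {"vulnerabilities": []}),
    "pkg:nuget/Serilog@2.10.0": (SAMPLE_NOW - timedelta(days=40), {"vulnerabilities": []}),
}

def csproj_coordinates(xml_text):
    """Map each PackageReference to an OSS Index package-URL coordinate of type nuget."""
    root = ET.fromstring(xml_text)
    return [f"pkg:nuget/{e.get('Include')}@{e.get('Version')}"
            for e in root.iter("PackageReference")
            if e.get("Include") and e.get("Version")]

def fetch_reports(coords):
    """Network call to OSS Index; the response list is keyed here by coordinate."""
    body = json.dumps({"coordinates": coords}).encode()
    req = Request(OSSINDEX_URL, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return {r["coordinates"]: r for r in json.load(resp)}

def lookup(coords, cache, now=None, fetcher=fetch_reports):
    """Serve fresh cached reports, fetch only stale or unknown coordinates, update the cache."""
    now = now or datetime.now(timezone.utc)
    results, stale = {}, []
    for c in coords:
        entry = cache.get(c)
        if entry and now - entry[0] < MAX_AGE:
            results[c] = entry[1]
        else:
            stale.append(c)
    if stale:  # one batched request rather than one per package
        for c, report in fetcher(stale).items():
            cache[c] = (now, report)
            results[c] = report
    return results
```

Passing a fake `fetcher` lets you exercise the expiry logic without hitting the rate-limited public service.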
Basic reporting to the screen should be fine for now; dumping to .XLSX or .PDF shouldn't be too hard.