Support local DBs #81
As you know this is (imo) pretty extensively supported by
Since the detector has been using a local database since day 1, I've spent a lot of time looking at the performance in a number of cases especially when:
In all cases the detector performed extremely fast, with the slowest part always being downloading the database (which even then would typically only take <5 seconds, for all the dbs needed for a project) - in contrast, with the API it would take 15+ seconds 😅 (not saying there couldn't be performance issues, just sharing my experience so far)
@G-Rath any chance you'd have time to try to tackle this one within the next few weeks? Otherwise we might be interested in taking this on, as we've been seeing requests for this.
@oliverchang yup probably - do you want to start with just an
SGTM! Learning from our mistake with `--json` / `--format` though, perhaps something like
This lets us make things a bit more extensible in the future. We can start this out as an experimental flag (subject to change) to get the ball rolling and change it later if we need to. CC @another-rex
Hmm, ok, not really a fan of that, but I can't think of a better approach beyond what's in the detector (which'd be a sizable change), so happy to go with it if you think it's the way to go. Though what if we followed Node's pattern of sticking
This DB in question is the one hosted at gs://osv-vulnerabilities?
This is for scenarios where a lockfile specifies a dependency by commit hash and the local DB wouldn't know how to map it to a version for matching against vulns?
Resolves #81

~This is based off a lot of the core of the detector - it's not working yet because I need to figure out how to handle passing the queries to the local db, given that the detector takes `PackageDetails`; but really the key thing there is how to handle PURLs, which come from SBOMs that I don't really know how to use 😅 (idk if I'm just dumb or what, but for some reason I've still not been able to figure out how to accurately generate one from a `Gemfile.lock`, `package-lock.json`, etc)~

~If someone could provide some sample SBOMs that would be very useful (I'll also do a PR adding tests using them as fixtures), and I'm also happy to receive feedback on the general approach - there are some smaller bits to discuss, like whether fields should be omitted from the JSON output vs an empty array, and the `Describe` related stuff too.~

This is now working, though personally it feels pretty awkward codewise - I know I'm biased, but I feel like it would be better to try to bring across the whole `database` package from the detector, as the API db is pretty much the same, and then you'd have support for zips, directories, and the API, with extra configs like working directories + an extensive test suite for all three (I don't think it would be as painful as one might first think, even with `osvscanner` having just been made public, because that's relatively small).

Still, this does work as advertised - there are definitely a few things that could do with some cleaning up (including whether fields should be omitted from the JSON output vs an empty array, and the `Describe` related stuff too), but I'm leaving them for now until I hear what folks think of the general implementation + my above comment.

I've also gone with two boolean flags rather than the url-based flag @oliverchang suggested, because I didn't feel comfortable trying to shoehorn that into this PR as well, and now that we're using `--experimental` it should be fine to completely change these flags in future.
Friendly ping on these questions.
Sorry, missed this message!
Yes, specifically the all.zip files in each ecosystem.
Yes, and also for scanning the commits of any git repos being scanned.
Currently the scanner works by using the OSV.dev API, which ensures matching against the latest live DB with low latency (targeted <15 minutes from the upstream source).
We should support a local mode that takes in a local OSV DB.
One of the key prerequisites here is:
This will have some limitations: