vulnfeeds: consider adding GitHub security advisory data as input #254
I thought it could be useful to add GHSA data as an input source for the pypi vulnfeed. We can combine it with the matching CVE source data and then extract the best information from the combination. That could help prevent bad matches like the one that happened with pypa/advisory-database#34, as we could have evaluated the GHSA record and realised that it was not a match for that cve and pypi package combination. Also, there are many instances where there is a GHSA record, but no CVE is ever requested for it, but we may still want a PYSEC and advisory created.

We'd have to make some decisions around which source to prefer when both exist. I suspect that the GHSA record will usually be more trustworthy for identifying the affected pypi package since it will be created by the project itself, and probably the version range info is more reliable as well? We could aggregate all of the reference links from both sources. For the details field, I think the GHSA ones tend to be more verbose and contain more markdown syntax than the nvd ones, so unsure which should be preferred there.

@oliverchang, any thoughts on this? And are you already collecting all of the GHSA JSON entries somewhere where we could just download a zip of them, or would we need something new for that? I know there is a process in aquasecurity/vuln-list-update which creates the JSON entries at aquasecurity/vuln-list which is used by trivy.

Comments

We indeed have the tooling necessary to collect all the GHSA entries: https://github.com/ossf/osv-schema/tree/main/tools/ghsa and will soon have a GCS bucket that contains these continuously updated. It can certainly be a useful additional point of reference for our matcher!

See pypa/advisory-database#65 for an example of where collecting the GHSA entries would ensure advisory databases are more up-to-date.

@di unfortunately GHSA doesn't have everything either - see github/advisory-database#115 for an example of that. (Not to discourage you or anything, as I think it's still a good idea - I just want to raise awareness that currently the GHSA entries are not entirely up-to-date 😥)

We could probably start by just using the data from https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip since the python GHSA info is included there now and is already in OSV format.

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

Automatically closing stale issue.
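The combining step proposed in the issue body (use the GHSA record to confirm the CVE-to-PyPI-package match, take affected package and version ranges from the GHSA, union the references, and still produce a record when no CVE exists) is sketched below as an added example. It is not code from google/osv's vulnfeeds or from anyone in this thread. The record shapes follow the OSV schema, but the two sample advisories, their placeholder IDs and URLs, the `merge_advisories` function and its "prefer GHSA text" policy are all assumptions made for this example.

```python
"""Added example, not part of google/osv: pair a GHSA-derived OSV record with a
CVE-derived candidate for one PyPI package, rejecting pairs the GHSA does not
confirm.  Sample records below are constructed; the IDs are placeholders."""

from __future__ import annotations

import copy
import json
from typing import Optional

ECOSYSTEM = "PyPI"


def pypi_packages(record: dict) -> set[str]:
    """Package names an OSV record says are affected on PyPI (lower-cased)."""
    return {
        a["package"]["name"].lower()
        for a in record.get("affected", [])
        if a.get("package", {}).get("ecosystem") == ECOSYSTEM
    }


def ghsa_confirms_match(ghsa: dict, package: str) -> bool:
    """The check the issue proposes: does the project's own advisory list this
    package?  A GHSA with no PyPI entry at all confirms nothing."""
    return package.lower() in pypi_packages(ghsa)


def merged_references(*records: dict) -> list[dict]:
    """Union of the reference lists, deduplicated by URL, first-seen order kept."""
    seen: set[str] = set()
    out: list[dict] = []
    for rec in records:
        for ref in rec.get("references", []):
            url = ref.get("url")
            if url and url not in seen:
                seen.add(url)
                out.append({"type": ref.get("type", "WEB"), "url": url})
    return out


def merge_advisories(ghsa: dict, cve: Optional[dict], candidate: str) -> Optional[dict]:
    """Build one advisory for `candidate` (the package a name-based matcher
    proposed) from a GHSA record and an optional CVE-derived record.

    Policy (an assumption for this example, following the issue body):
      affected package + ranges come from the GHSA; references are the union;
      summary/details prefer the GHSA text and fall back to the CVE text;
      both IDs land in `aliases`.  Returns None when the GHSA does not list
      the candidate package, i.e. the bad-match case to be caught, not published.
    """
    if not ghsa_confirms_match(ghsa, candidate):
        return None
    affected = [
        copy.deepcopy(a) for a in ghsa["affected"]
        if a["package"]["ecosystem"] == ECOSYSTEM
        and a["package"]["name"].lower() == candidate.lower()
    ]
    aliases = {ghsa["id"], *ghsa.get("aliases", [])}
    sources = [ghsa]
    if cve is not None:  # the GHSA-only case simply skips this block
        aliases.update([cve["id"], *cve.get("aliases", [])])
        sources.append(cve)
    fallback = cve or {}
    return {
        "aliases": sorted(aliases),
        "summary": ghsa.get("summary") or fallback.get("summary", ""),
        "details": ghsa.get("details") or fallback.get("details", ""),
        "affected": affected,
        "references": merged_references(*sources),
    }


# Constructed sample records (placeholder IDs and URLs, not real advisories).
GHSA_EXAMPLE = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "aliases": ["CVE-0000-0001"],
    "summary": "Path traversal in example-lib",
    "details": "## Impact\n`load()` follows `..` segments in user-supplied names.\n",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "example-lib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}],
    }],
    "references": [
        {"type": "ADVISORY", "url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"},
        {"type": "WEB", "url": "https://example.invalid/example-lib/commit/abc123"},
    ],
}
CVE_EXAMPLE = {
    "id": "CVE-0000-0001",
    "details": "example-lib before 1.4.2 allows path traversal.",
    # A name heuristic could have mapped this CVE to the unrelated "example" package.
    "affected": [{"package": {"ecosystem": "PyPI", "name": "example"}, "ranges": []}],
    "references": [
        {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-0000-0001"},
        {"type": "WEB", "url": "https://example.invalid/example-lib/commit/abc123"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(merge_advisories(GHSA_EXAMPLE, CVE_EXAMPLE, "example-lib"), indent=2))
    print("bad match rejected:", merge_advisories(GHSA_EXAMPLE, CVE_EXAMPLE, "example"))
```

Run stand-alone it prints the merged record for `example-lib` and `None` for the heuristic's wrong guess `example`; the same function with `cve=None` covers the "GHSA but no CVE" case from the issue body, since the GHSA alone supplies affected versions and references.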