Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generic pipeline for importing Vulnerabilities. #44

Closed
oliverchang opened this issue Feb 1, 2021 · 1 comment
Closed

Generic pipeline for importing Vulnerabilities. #44

oliverchang opened this issue Feb 1, 2021 · 1 comment
Labels
enhancement New feature or request priority

Comments

@oliverchang
Copy link
Collaborator

oliverchang commented Feb 1, 2021
edited

Extend the current OSS-Fuzz pipeline to support generic data sources.

  • Input: Partially filled Vulnerability data from a repository.
  • Output: Vulnerability with appended affected commit range and versions info pushed back to the same repository and location.

More requirements:

  • Parts of OSV will also be made to run as part of CI workflows (OSV CI #51)
  • Users can also submit PRs to fix up details in Vulnerability entries.
  • OSS-Fuzz data will be dumped as well in the same format.

Current sketch (subject to change):

Architecture
@oliverchang oliverchang added the enhancement New feature or request label Feb 1, 2021
oliverchang added a commit that referenced this issue Feb 2, 2021
@oliverchang
Add beginnings of importer/exporter for OSS-Fuzz.
aeb46ee 
OSS-Fuzz vulnerabilities are exported to a git repository, where users
can make manual changes/corrections if necessary. These changes will
flow back into OSV.

Part of generic importer pipeline (#44).
oliverchang added a commit that referenced this issue Feb 2, 2021
@oliverchang
Add beginnings of importer/exporter for OSS-Fuzz.
be3090a 
OSS-Fuzz vulnerabilities are exported to a git repository, where users
can make manual changes/corrections if necessary. These changes will
be imported back into OSV.

Part of generic importer pipeline (#44).
@oliverchang oliverchang mentioned this issue Feb 2, 2021
Merged
oliverchang added a commit that referenced this issue Feb 2, 2021
@oliverchang
Add beginnings of importer/exporter for OSS-Fuzz. (#46)
0acc31a 
OSS-Fuzz vulnerabilities are exported to a git repository, where users
can make manual changes/corrections if necessary. These changes will
be imported back into OSV.

Part of generic importer pipeline (#44).
@oliverchang oliverchang changed the title Generic data sources pipeline Generic pipeline for import Vulnerabilities. Feb 4, 2021
@oliverchang oliverchang changed the title Generic pipeline for import Vulnerabilities. Generic pipeline for importing Vulnerabilities. Feb 4, 2021
This was referenced Feb 8, 2021
Closed
Closed
Closed
@westurner
Copy link

This may be a duplicate?
"Existing artifact vuln scanners, databases, and specs?" #55

oliverchang added a commit that referenced this issue Feb 16, 2021
@oliverchang
Plumbing in preparation for processing user changes.
444e907 
#44
@oliverchang oliverchang mentioned this issue Feb 16, 2021
Merged
oliverchang added a commit that referenced this issue Feb 17, 2021
@oliverchang
Plumbing in preparation for processing user changes. (#65)
9df2339 
- Start plumbing for detecting user changes and kicking off analysis tasks.
- Don't make empty commits when importing new OSS-Fuzz entries.

Part of #44.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@westurner @oliverchang