You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CVE Binary Tool was originally intended to work with compiled languages and binary files, but we've expanded to do known component lists in a few different formats. Recently, @anthonyharrison improved our support for .jar files by reading the meta data from those files, and @BreadGenie has earlier work to support listings from Linux package repositories. We'd like to see about doing that for other popular package repository ruby gems, npm, improving our python support, etc.
This project will probably involve doing a few things:
adding parsers to read package data of various types
exploring ways to call (or prompt the users to call) language-specific tools to get additional vulnerability/security data
Some languages/package managers of potential interest:
npm (javascript)
ruby (ruby gems)
go (packages could be vendored or not)
rust
improving python support (e.g. add mappings and magic so requirements.txt can be scanned without converting to .csv)
A 175hr project could choose 2-3 package list types to support and work on that.
For a 350hr project, I'd definitely want to see some plan for a mapping database/data structure with the following:
Mapping {package name, package source} -> {vendor, product} pair (this may be a an n:n, 1:n, or n:1 mapping)
A note because it came up in gitter: This project is loosely reserved for a paid contributor to be selected through the GSoC 2022 process. (open to anyone over 18 who's willing to put in either 175 or 350 hours of paid work through the program). If you wish to work on this, please apply through that program when it opens on March 7.
Discussion and ideas are fine, but pull requests with actual code are discouraged because we don't want to interfere with applicants who might want to do this idea. There's 100 other issues available, please feel free to solve ones not flagged for gsoc participants!
CVE Binary Tool was originally intended to work with compiled languages and binary files, but we've expanded to do known component lists in a few different formats. Recently, @anthonyharrison improved our support for .jar files by reading the meta data from those files, and @BreadGenie has earlier work to support listings from Linux package repositories. We'd like to see about doing that for other popular package repository ruby gems, npm, improving our python support, etc.
This project will probably involve doing a few things:
{vendor, product}
pairs (see Improve product vendor matching for component list scanning #1504)Some languages/package managers of potential interest:
A 175hr project could choose 2-3 package list types to support and work on that.
For a 350hr project, I'd definitely want to see some plan for a mapping database/data structure with the following:
Hours
175 or 350, scaled depending on how many package types you intend to tackle and whether you want to add the mapping database
Difficulty level
Recommended skills
The text was updated successfully, but these errors were encountered: