
Outline

Kartik Sibal edited this page Jun 16, 2017 · 2 revisions

Using the package information provided by our package scanner, the respective package elements will be matched against a database of reported vulnerabilities that we create. The database will primarily consist of data from the Common Vulnerabilities and Exposures (CVE) dataset; data from several distro security feeds, e.g. Debian's security bug tracker; CWE (Common Weakness Enumeration); CPE (Common Platform Enumeration), etc. CVE, CWE and CPE, being the industry standards for cybersecurity vulnerabilities, will be very efficient resources. Distro feeds will provide more elaborate information about vulnerable packages (some eventually point to the CVE dataset). The database will combine new vulnerability reports, as they are added to these datasets, with the existing past data. It will also account for vulnerabilities that are being closed every day.

Since many of our datasets ultimately point to the CVE dataset, we may face the classic cache coherence issue: one dataset might take some time to acknowledge the updated status of a CVE ID, whereas another might acknowledge it faster. This will create data discrepancies. These are some of the many issues that may occur. Our aim is to build a central database that is fast and accurate.

After that, the DB will be queried with the scanned elements as input, and the output will be processed to print vulnerability reports. These will include things like vulnerability severity, NVD's latest zero-day security exploits, if any, that were found in the package, the specific vulnerable package elements, etc.

There will also be a community feedback mechanism. Aggregating a lot of data can sometimes lead to invalid information being dumped into the DB. To overcome this issue, our DB will be open to suggestions: if a user finds something wrong in our data, they can rectify it in the DB, and the correction will later be updated in a central server/repository.
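The feed discrepancy described above, as an added sketch that is not the project's own code: two feeds disagree on a CVE's status, the records are merged into one row per (CVE, package), and scanned packages are then queried against the result. The record layout, the "newest record wins" policy, the function names and the placeholder CVE ids are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; the CVE ids are placeholders, not real entries.
# Layout (assumed): (source, cve_id, package, status, last_modified)
FEED_RECORDS = [
    ("nvd",    "CVE-0000-0001", "libfoo", "open",  date(2017, 6, 1)),
    ("debian", "CVE-0000-0001", "libfoo", "fixed", date(2017, 6, 10)),
    ("nvd",    "CVE-0000-0002", "libbar", "open",  date(2017, 5, 2)),
    ("debian", "CVE-0000-0002", "libbar", "open",  date(2017, 5, 3)),
]

def reconcile(records):
    """Merge feeds into one row per (cve_id, package).

    Assumed policy: the most recently modified record wins, and any
    disagreement between sources is kept as a flag for community review.
    """
    grouped = defaultdict(list)
    for source, cve_id, package, status, modified in records:
        grouped[(cve_id, package)].append((modified, source, status))
    merged = {}
    for key, entries in grouped.items():
        modified, source, status = max(entries)  # newest record first
        merged[key] = {
            "status": status,
            "source": source,
            "last_modified": modified,
            "disputed": len({s for _, _, s in entries}) > 1,
        }
    return merged

def report(scanned_packages, merged):
    """Return open findings for scanned packages, plus disputed rows to review."""
    findings, review = [], []
    for (cve_id, package), row in sorted(merged.items()):
        if package not in scanned_packages:
            continue
        if row["disputed"]:
            review.append((cve_id, package))
        if row["status"] == "open":
            findings.append((cve_id, package, row["source"]))
    return findings, review
```

Keeping the `disputed` flag rather than silently discarding the older record gives the community feedback step a concrete list of rows to check.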

Sub-Projects Priority:

  1. Database
  2. Scanner
  3. Vulnerability Reports
  4. Community feedback