
Refactor the 'missing' command to pull CVE details from NIST data feeds. #34

Conversation

lightswitch05 (Contributor) commented Nov 20, 2019

Using published JSON data feeds from NIST (instead of cvedetails.com) allows for more reliable parsing of CVE details and removes the dependency on 'kub-at/php-simple-html-dom-parser'. Having a more reliable data source for CVE details will allow for further automation in the near future.

Since we now have a reliable way to parse CVE details, I've included a couple of new attributes to the CVE check: 'lastModifiedDate' and 'publishedDate'. The values are not being used anywhere at the moment, but they might aid in pull-request review where CVE details have been modified. Also, the old CVE source commonly included those values in the summary.

Finally, I've changed the check.json 'threat' datatype from a string to float. I believe the float datatype is more appropriate, and the change was able to be made without any compatibility issues with the scan logic. I believe there is a need to allow checks to be released prior to a threat value being assigned, in which case 'threat' would be set to null.

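To make the data shape the pull request relies on concrete, here is an added example, not code from this pull request or from versionscan, and written in Python rather than the project's PHP. It parses a constructed fragment in the layout of the NVD JSON 1.1 year feeds (nvdcve-1.1-<year>.json), builds check.json-style records with 'threat' as a float (CVSS v3 base score, falling back to v2, null when NVD has not scored the entry yet), carries 'publishedDate' and 'lastModifiedDate' through, and implements the core of a 'missing' command: feed entries for which no check exists yet. The CVE IDs, scores, dates and descriptions in the sample are placeholders, and the 'name' and 'summary' field names are assumptions about check.json; only 'threat', 'publishedDate' and 'lastModifiedDate' come from the pull request text. One caveat for anyone picking this up today: NVD retired the JSON 1.x data feeds in December 2023 in favour of the NVD API 2.0, whose response envelope differs from the 'CVE_Items' array shown here.

```python
import json
from datetime import datetime

# Constructed sample in the shape of an NVD JSON 1.1 year feed.
# IDs, scores, dates and descriptions are placeholders, not real advisories.
SAMPLE_FEED = json.dumps({
    "CVE_data_type": "CVE",
    "CVE_data_format": "MITRE",
    "CVE_data_version": "4.0",
    "CVE_data_timestamp": "2019-11-20T07:00Z",
    "CVE_Items": [
        {
            "cve": {
                "CVE_data_meta": {"ID": "CVE-2019-99001", "ASSIGNER": "placeholder@example.org"},
                "description": {"description_data": [
                    {"lang": "en", "value": "Constructed sample: scored by NVD, later modified."}]},
            },
            "impact": {
                "baseMetricV3": {"cvssV3": {"version": "3.1", "baseScore": 9.8}},
                "baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5}},
            },
            "publishedDate": "2019-10-28T15:15Z",
            "lastModifiedDate": "2019-11-01T16:40Z",
        },
        {
            "cve": {
                "CVE_data_meta": {"ID": "CVE-2019-99002", "ASSIGNER": "placeholder@example.org"},
                "description": {"description_data": [
                    {"lang": "en", "value": "Constructed sample: only a CVSS v2 score."}]},
            },
            "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0}}},
            "publishedDate": "2019-11-19T20:15Z",
            "lastModifiedDate": "2019-11-19T20:15Z",
        },
        {
            "cve": {
                "CVE_data_meta": {"ID": "CVE-2019-99003", "ASSIGNER": "placeholder@example.org"},
                "description": {"description_data": [
                    {"lang": "en", "value": "Constructed sample: not yet analysed by NVD."}]},
            },
            "impact": {},
            "publishedDate": "2019-11-20T05:15Z",
            "lastModifiedDate": "2019-11-20T05:15Z",
        },
    ],
})

# NVD 1.1 feeds use minute-resolution UTC timestamps such as 2019-11-01T16:40Z.
NVD_DATE_FORMAT = "%Y-%m-%dT%H:%MZ"


def parse_nvd_date(value):
    return datetime.strptime(value, NVD_DATE_FORMAT)


def threat_score(item):
    """CVSS base score as a float: prefer v3, fall back to v2, None if NVD has not scored it."""
    impact = item.get("impact", {})
    for metric, key in (("baseMetricV3", "cvssV3"), ("baseMetricV2", "cvssV2")):
        score = impact.get(metric, {}).get(key, {}).get("baseScore")
        if score is not None:
            return float(score)
    return None


def english_description(item):
    for entry in item["cve"].get("description", {}).get("description_data", []):
        if entry.get("lang") == "en":
            return entry["value"]
    return ""


def load_feed(raw_json):
    """Index a feed by CVE ID as check.json-style dicts (field names 'name'/'summary' are assumed)."""
    feed = json.loads(raw_json)
    checks = {}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        checks[cve_id] = {
            "name": cve_id,
            "summary": english_description(item),
            "threat": threat_score(item),  # float, or None until a score is assigned
            "publishedDate": item["publishedDate"],
            "lastModifiedDate": item["lastModifiedDate"],
        }
    return checks


def missing_checks(feed_checks, known_ids):
    """Core of a 'missing' command: feed CVEs with no existing check, newest first."""
    missing = [c for cve_id, c in feed_checks.items() if cve_id not in known_ids]
    return sorted(missing, key=lambda c: parse_nvd_date(c["publishedDate"]), reverse=True)


def modified_since_publication(check):
    """True when NVD changed the entry after first publication; worth a second look in review."""
    return parse_nvd_date(check["lastModifiedDate"]) > parse_nvd_date(check["publishedDate"])


def modified_after(feed_checks, since):
    """IDs whose NVD entry changed after `since` (a datetime, e.g. the last sync time)."""
    return sorted(cve_id for cve_id, c in feed_checks.items()
                  if parse_nvd_date(c["lastModifiedDate"]) > since)


if __name__ == "__main__":
    checks = load_feed(SAMPLE_FEED)
    for check in missing_checks(checks, known_ids={"CVE-2019-99001"}):
        print(json.dumps(check, indent=2))  # 'threat' serialises as null when unscored
```

Because the entry without an impact block yields threat=None, json.dumps writes it as null, which is exactly the "released before a threat value is assigned" state the description asks for; a consumer that compares threat numerically must therefore guard against None before the comparison. The lastModifiedDate filter is the hook for the automation mentioned above: re-run it against the previous sync timestamp and only the entries NVD actually touched need re-review.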
lightswitch05 (Contributor, Author) commented Nov 21, 2019

@enygma I'm considering taking this pull request and splitting it out into a separate tool that I can manage directly, apply regular updates to, and implement some of the other requested features. I've requested more access to versionscan previously and received no feedback.

If you could take a moment to share your views and goals of versionscan with me, perhaps we could collaborate together towards a shared goal instead of needing to create a separate project.

lightswitch05 (Contributor, Author) commented Dec 10, 2019

closing in favor of PHP Version Audit
