mthmulders / mcs

Search the Maven Central Repository from your command line!

Home Page:https://maarten.mulders.it/projects/mcs/

Known vulnerabilities

bmarwell opened this issue · comments

Show an artifact as vulnerable or as vulnerable in Dependencies (except test dependencies).

Maybe a hint coloured red and yellow.

This is a very interesting and relevant idea - thanks for sharing it. If I recall correctly from a Twitter convo, it's inspired by the fact that mvnrepository.com displays it. I've taken a look at how they do it, and it seems to me they do a lookup server side and then include it in the HTML that they send to the browser.

I'd rather not use web page scraping to collect this information. @bmarwell, do you happen to know any (REST-like) API which could give the same information?

Result pages on search.maven.org provide a link to the Sonatype OSS index (e.g. log4j-core) but that suffers from the same issue: it only serves the response in a full-fledged HTML page :-(.

I don't know of a REST-API, sorry.

Hey @mthmulders , the link to the Sonatype website you provided has another link to their REST API at the bottom of the page. The api/v3/component-report endpoint returns a list of vulnerabilities for the component with this coordinate.

I haven't looked much further into this API, but if you agree I could look into this issue and maybe implement it when I have time.

One issue I'm seeing with this API is that it requires basic authorization using an e-mail address and password. This would be difficult to implement, because you would need a separate key for each MCS user. How have you solved this issue for the Maven Central API? Does that API not require authorization?

Good catch, @AbdelHajou. I'm definitely going to investigate that route. Their documentation also says

Rate limits apply to requests. If the rate is exceeded then responses will indicate 429 Too many requests status.
Authenticated requests have a higher limit.

They don't mention the exact limit, though.

Maybe mcs could do unauthenticated requests by default. Additionally, it could have support for people who want to use their Sonatype account so they can do more requests. But that requires a bit of thinking (how/where to store those credentials, how to fall back if there are none, etc.).

Additionally, mcs might only include security info using this Sonatype API when the user explicitly asks for it, e.g. using a flag.
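One way mcs could consume that endpoint, combining the unauthenticated-by-default lookup, the optional Sonatype credentials and the 429 handling discussed in this thread. This is an added example, not code from the mcs project or from anyone here; the response field names (`vulnerabilities`, `cvssScore`), the 7.0 "red" threshold and the environment variable names are assumptions to check against the live OSS Index documentation.

```python
import base64
import json
import os
import urllib.error
import urllib.request

# Sonatype OSS Index component-report endpoint named in the thread above.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def to_purl(group_id, artifact_id, version):
    """Maven coordinates -> package URL, the coordinate form OSS Index expects."""
    return f"pkg:maven/{group_id}/{artifact_id}@{version}"


def build_request(purls, username=None, token=None):
    """Unauthenticated by default; add HTTP basic auth only when credentials are supplied."""
    body = json.dumps({"coordinates": purls}).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if username and token:
        cred = base64.b64encode(f"{username}:{token}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return urllib.request.Request(OSSINDEX_URL, data=body, headers=headers, method="POST")


def hint(report):
    """Map one component report to the red/yellow/none hint proposed in the issue.
    Assumed fields: 'vulnerabilities' list with a 'cvssScore' per entry; 7.0 (CVSS High)
    is the assumed red threshold, anything lower (or unscored) is yellow."""
    scores = [v.get("cvssScore") or 0.0 for v in report.get("vulnerabilities", [])]
    if not scores:
        return "none"
    return "red" if max(scores) >= 7.0 else "yellow"


def fetch_hints(purls, username=None, token=None):
    """Live lookup returning {purl: hint}; a 429 means the (lower, unauthenticated) rate limit was hit."""
    try:
        with urllib.request.urlopen(build_request(purls, username, token), timeout=10) as resp:
            return {r["coordinates"]: hint(r) for r in json.load(resp)}
    except urllib.error.HTTPError as e:
        if e.code == 429:
            raise RuntimeError("OSS Index rate limit exceeded; retry later or supply credentials") from e
        raise


if __name__ == "__main__":
    # Credentials are optional and read from the environment (assumed variable names).
    user, tok = os.environ.get("OSSINDEX_USER"), os.environ.get("OSSINDEX_TOKEN")
    print(fetch_hints([to_purl("org.apache.logging.log4j", "log4j-core", "2.14.1")], user, tok))
```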