nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.

Consider using OSV

FRidh opened this issue · comments

Open source vulnerabilities database
https://osv.dev/

Its scope seems to be increasing, and they're looking into PyPI packages now as well
https://discuss.python.org/t/proposing-a-community-maintained-database-of-pypi-package-vulnerabilities/8374

I'll definitely have a look into this. Looks interesting. Working with the NVD is a pain.

I looked into implementing OSV in vulnix, and it does not look that hard, but two questions are raised:

  • NVD seems to be cached and supports mirrors; it seems like OSV does not offer this possibility out of the box, except by downloading all the data from https://osv-vulnerabilities.storage.googleapis.com/, caching it, and then replicating the OSV logic, I believe.
  • I am not sure it is easy to get the "origin" commit SHA of a given final derivation, and it is a shame, as it could solve the product-candidate confusion.

What would be awesome would be to have Nix sha256 → origin commit SHA, if it exists. :-)
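Matching a package version against the affected ranges of a cached OSV record (the "OSV logic" the comment above refers to), as an added Python example that is not vulnix code: the advisory id, package name and record are constructed placeholders following the OSV schema, and the dotted-integer version comparator is a deliberate simplification (assumption) of the ecosystem-specific ordering a real scanner would need.

```python
import json

# Constructed OSV-shaped record for this example (placeholder id and package,
# not a real advisory). affected[].ranges[].events follow the OSV schema.
SAMPLE_OSV_RECORD = json.loads("""
{"id": "EXAMPLE-0000-0001",
 "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
               "ranges": [{"type": "ECOSYSTEM",
                           "events": [{"introduced": "0"}, {"fixed": "1.2.3"},
                                      {"introduced": "2.0.0"},
                                      {"last_affected": "2.0.5"}]}],
               "versions": ["3.1.0"]}]}
""")


def _vkey(version):
    """Simplified ordering (dotted integers only); an assumption for this
    example. Use the ecosystem's comparator (PEP 440 for PyPI) in practice."""
    return tuple(int(p) for p in version.split("."))


def _intervals(events):
    """Turn an OSV event list into (introduced, end, inclusive) intervals:
    'fixed' closes a range exclusively, 'last_affected' inclusively."""
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev:
            intervals.append((start, ev["fixed"], False)); start = None
        elif "last_affected" in ev:
            intervals.append((start, ev["last_affected"], True)); start = None
    if start is not None:  # never closed: affected from start onward
        intervals.append((start, None, False))
    return intervals


def is_affected(record, ecosystem, name, version):
    """True if (ecosystem, name, version) is inside any affected range or the
    explicit version list of the record; GIT ranges need commit history."""
    v = _vkey(version)
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") == "GIT":
                continue
            for intro, end, incl in _intervals(rng.get("events", [])):
                lo_ok = intro in (None, "0") or _vkey(intro) <= v
                hi_ok = end is None or (v <= _vkey(end) if incl else v < _vkey(end))
                if lo_ok and hi_ok:
                    return True
    return False
```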

  1. Don't bother about caching in this stage. We can tackle that later on.
  2. I don't understand your question. Could you expand on it?