- Name: Pramurta Sinha (@b31ngd3v)
- Organization: Python Software Foundation
- Sub-organization: CVE Binary Tool
- Project: Add GitHub Action including fancy reporting and triage integration
Developed a GitHub Action for cve-bin-tool which will produce CVE reports in the GitHub Security tab and will be able to split the issues on the basis of triage. It will be smart enough to scan dependency lists of various languages and suggest version upgrades. It will also produce reports in the form of HTML and PDF by default in the Security tab.
Added a feature which lets the tool, running as a GitHub Action, detect and scan SBOM files in the repository, and which helps to generate an SBOM and keep it up to date through regular scans.
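A minimal version of the SBOM detection step described above, written here as an added illustration (not the action's or cve-bin-tool's own code): it recognises CycloneDX and SPDX JSON documents by their marker fields and pulls out the (name, version) pairs a scanner would look up. The sample SBOMs are constructed for the example.

```python
import json
from typing import List, Tuple
# Constructed sample SBOMs (not from the project): a CycloneDX 1.4 JSON
# document and an SPDX 2.3 JSON document, each listing two components.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "unknown-lib"},  # no version: skipped
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "curl", "versionInfo": "7.79.1"},
        {"name": "busybox", "versionInfo": "1.33.1"},
    ],
})

def detect_sbom_format(text: str) -> str:
    """Return 'cyclonedx', 'spdx' or 'unknown' for a JSON document."""
    # Key off the marker fields each format defines, not the file name,
    # so an SBOM committed under an arbitrary name is still detected.
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return "unknown"

def extract_components(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs a CVE scanner can match against."""
    fmt = detect_sbom_format(text)
    if fmt == "unknown":
        return []
    doc = json.loads(text)
    if fmt == "cyclonedx":
        raw = [(c.get("name"), c.get("version")) for c in doc.get("components", [])]
    else:
        raw = [(p.get("name"), p.get("versionInfo")) for p in doc.get("packages", [])]
    # Drop versionless entries: with no version, no CVE range can be matched.
    return [(n, v) for n, v in raw if n and v]
```

Versionless entries are deliberately left out of the result so they can be routed to manual triage instead of silently appearing as "no CVEs found".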
CVE Binary Tool uses NVD's vulnerability database, and there are a lot of restrictions, like rate limiting, even when using an API key. So John and I created a mirror that will host the NVD data and made the tool compatible with using the mirror data.
PRs:
- intel/cve-bin-tool-action#1
- intel/cve-bin-tool-action#4
- intel/cve-bin-tool-action#6
- intel/cve-bin-tool-action#7
- intel/cve-bin-tool-action#10
- intel/cve-bin-tool-action#14
- intel/cve-bin-tool-action#15
- intel/cve-bin-tool-action#16
- intel/cve-bin-tool-action#22
- intel/cve-bin-tool-action#23
- intel/cve-bin-tool-action#24
PRs:
- intel/cve-bin-tool-action#25
- intel/cve-bin-tool-action#26
- intel/cve-bin-tool-action#30
- intel/cve-bin-tool-action#31
- intel/cve-bin-tool-action#32
- intel/cve-bin-tool-action#37
I plan on contributing significantly to the project after the GSoC period. Things I plan to do:
- Improve the mirror system so that it can generate and export JSON files with the help of NVD API v2.
- Supporting more versions of CycloneDX.
I am thankful to Google, Python Software Foundation, and Intel for providing me with this excellent opportunity and the mentors, Terri Oda, Anthony Harrison, Anant, and Rhythm who guided me throughout the program.
I would also like to thank my fellow GSoC contributor Sukhveer and the cve-bin-tool community for helping me during the program.