@rhythmrx9
Last active September 12, 2022 16:20
GSOC'22 Final Report


Google Summer of Code'22 Final Report


Summary

Database Handling

cve-bin-tool uses a database to match product, vendor, and version data in order to determine whether a package has known vulnerabilities. Previously this database was created and updated from NVD CVE data only. To add new datasources, changes were first made to database handling. The database code was mixed with the code that formats CVE data from NVD, since NVD was the only data source, so the CVEDB class was refactored and the code for fetching CVEs was moved out of it. cve-bin-tool also fetches data from Curl to update the affected_packages data on existing CVEs; this was moved out of the CVEDB class as well. After the different functionalities were separated, getting and updating CVEs in the database was generalized to allow new datasources to be added, and this was improved further as datasources were added. Duplicate-CVE checking and fetching of vendor data during updates were also added, to prevent multiple reports of the same vulnerability.

Datasources

New datasources were added to increase the scope of cve-bin-tool. Each datasource provides a get_cve() function that returns data in a common format; fetching and formatting CVEs is implemented differently per datasource as needed. Support for incremental updates was added to all datasources.
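The two ideas above, a per-datasource get_cve() returning a common record shape and a generalized update step that refuses to store the same CVE/package pair twice, as an added illustration. This is example code written for this report page, not cve-bin-tool's own implementation; the class and function names (Datasource, CVERecord, StaticSource, merge_sources, demo), the record fields and the dedup key are assumptions, and all CVE ids and package names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CVERecord:
    """Common record shape every datasource returns (assumed format)."""
    cve_id: str
    vendor: str
    product: str
    version: str
    severity: str
    source: str


class Datasource:
    """Base class: each datasource implements get_cve() in its own way."""
    name = "base"

    def get_cve(self) -> Iterable[CVERecord]:
        raise NotImplementedError


class StaticSource(Datasource):
    """Stand-in for the NVD/OSV/GAD/RSD fetchers, fed constructed rows."""
    def __init__(self, name: str, rows: List[Tuple[str, str, str, str, str]]):
        self.name = name
        self._rows = rows

    def get_cve(self) -> Iterable[CVERecord]:
        for cve_id, vendor, product, version, sev in self._rows:
            yield CVERecord(cve_id, vendor, product, version, sev, self.name)


def merge_sources(sources: Iterable[Datasource]) -> Dict[Tuple[str, str, str, str], CVERecord]:
    """Merge all sources into one table keyed on (cve_id, vendor, product, version).

    A later source may fill in an 'unknown' severity but never adds a second row
    for the same affected package, so a vulnerable binary is reported once.
    """
    table: Dict[Tuple[str, str, str, str], CVERecord] = {}
    for src in sources:
        for rec in src.get_cve():
            key = (rec.cve_id.upper(), rec.vendor.lower(), rec.product.lower(), rec.version)
            existing = table.get(key)
            if existing is None:
                table[key] = rec
            elif existing.severity == "unknown" and rec.severity != "unknown":
                table[key] = rec  # enrich the existing row instead of duplicating it
    return table


def demo() -> Dict[Tuple[str, str, str, str], CVERecord]:
    """Three constructed sources that overlap on ids with differing case/data."""
    nvd = StaticSource("NVD", [("CVE-TEST-0001", "Vendor1", "libfoo", "1.0", "high")])
    osv = StaticSource("OSV", [("cve-test-0001", "vendor1", "libfoo", "1.0", "critical"),
                               ("CVE-TEST-0002", "vendor2", "libbar", "2.3", "unknown")])
    rsd = StaticSource("RSD", [("CVE-TEST-0002", "vendor2", "libbar", "2.3", "medium")])
    return merge_sources([nvd, osv, rsd])
```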

Open Source Vulnerabilities (OSV)

OSV is an aggregator of vulnerability databases that have adopted the OSV schema. It is organized into ecosystems, each of which carries CVE data. gsutil is used to get the list of ecosystems to fetch CVE data from, and the data for each ecosystem is then downloaded from a Google Cloud bucket.

GitLab Advisory Database (GAD)

GAD contains the security advisories used by the GitLab dependency scanners. It is organized by package slugs, which are analogous to ecosystems in OSV. CVE data is downloaded from the advisory database repository on GitLab.

RedHat Security Data (RSD)

RSD consists of CVEs pertaining to Red Hat products, giving information on the affected Red Hat products for already existing CVEs.

Tasks Achieved

- Database Handling:

PRs:

- Datasources:

PRs:

Future

I plan on contributing significantly to the project after the GSoC period. Things I plan to do:

  • Improving the asynchronous code so that downloading and updating CVEs becomes more efficient.
  • Changing the output of cve-bin-tool for better reporting.

I am thankful to Google, the Python Software Foundation, and Intel for providing me with this excellent opportunity, and to the mentors, Terri Oda, Anthony Harrison, and Sahil, who guided me throughout the program.

I would also like to thank my fellow GSoC contributors Yashu and Anant and the cve-bin-tool community for helping me during the program.
