- Name: Rhythm Jamwal (@rhythmrx9)
- Organization: Python Software Foundation
- Sub-organization: CVE Binary Tool
- Project: Add new datasources for vulnerabilities
- Proposal: View/Download
cve-bin-tool uses a database to match product, vendor, and version data against known vulnerabilities. Before this project, that database was created and updated from a single source: the CVE data published by NVD.
To add new datasources, the database handling was changed first. The CVEDB class mixed database handling with the formatting of NVD CVE data, since NVD was the only data source; the class was refactored and the code for fetching CVEs was moved out of it.
cve-bin-tool also fetches data from curl to update the affected_packages data on existing CVEs; this was moved out of the CVEDB class as well.
After separating these functions, getting and updating CVEs in the database was generalized so that new datasources can be added; this was refined further as datasources were added. A check for duplicate CVEs and a step to fetch vendor data during updates were also added, so that the same CVE is not reported more than once.
New datasources were added to increase the scope of cve-bin-tool.
Each datasource provides a get_cve() function that returns data in a common format; fetching and formatting CVEs is implemented differently per datasource as needed. Support for incremental updates was added to all datasources.
OSV is an aggregator of vulnerability databases that have adopted the OSV schema. It is organized into ecosystems, each with its own CVE data. gsutil is used to list the ecosystems to fetch CVE data from, then the data for each ecosystem is downloaded from a Google Cloud Storage bucket.
GAD (the GitLab Advisory Database) contains the security advisories used by the GitLab dependency scanners. It is organized by package slugs, which are analogous to ecosystems in OSV. CVE data is downloaded from the advisory database repository on GitLab.
RSD (Red Hat Security Data) consists of CVEs pertaining to Red Hat products, adding information on affected Red Hat products to already existing CVEs.
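To make the datasource design above concrete, here is an added example (written for this page, not cve-bin-tool's own code) of a datasource in the shape the report describes: a get_cve() that converts OSV-schema records into one common record layout, skips records not modified since the last run (incremental update), and a merge step that drops ranges already seen so one CVE carried by several feeds produces one row. The AffectedRange layout, the class names, the StaticSource stand-in for a second feed, and the sample OSV records (with placeholder ids) are assumptions made for this illustration.

```python
"""Added example, not cve-bin-tool's code: an OSV datasource feeding an assumed
common record layout, incremental fetching by 'modified' time, and duplicate
suppression across sources. Sample records below are constructed placeholders."""
import json
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AffectedRange:
    """Assumed common format that every datasource converts into."""
    cve_id: str
    vendor: str          # OSV ecosystem, lower-cased, stands in for the vendor
    product: str
    version_start: str   # inclusive; "0" means every version
    version_end: str     # exclusive ("fixed" event); "" means no fix known
    cvss_vector: str     # raw CVSS vector string, "" when the record has none


class DataSource:
    """Interface each source implements: get_cve() yields AffectedRange rows."""
    name = "base"

    def get_cve(self, since=None):
        raise NotImplementedError


def _parse_ts(text):
    # OSV timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


class OSVSource(DataSource):
    """Parses a JSON list of OSV-schema records (e.g. an ecosystem's all.zip, already read)."""
    name = "osv"

    def __init__(self, raw_json):
        self.records = json.loads(raw_json)

    def get_cve(self, since=None):
        last_run = _parse_ts(since) if since else None
        for rec in self.records:
            # Incremental update: skip anything not modified since the last run.
            if last_run is not None and _parse_ts(rec["modified"]) <= last_run:
                continue
            # Prefer the CVE alias so the same bug from NVD, GAD and OSV keys identically.
            cve_id = next((a for a in rec.get("aliases", []) if a.startswith("CVE-")), rec["id"])
            vector = next((s["score"] for s in rec.get("severity", [])
                           if s.get("type", "").startswith("CVSS")), "")
            for aff in rec.get("affected", []):
                pkg = aff.get("package", {})
                vendor, product = pkg.get("ecosystem", "").lower(), pkg.get("name", "")
                for rng in aff.get("ranges", []):
                    if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                        continue  # GIT ranges hold commit hashes, not package versions
                    start = None
                    for ev in rng.get("events", []):
                        if "introduced" in ev:
                            if start is not None:  # previous range never got a "fixed"
                                yield AffectedRange(cve_id, vendor, product, start, "", vector)
                            start = ev["introduced"]
                        elif "fixed" in ev and start is not None:
                            yield AffectedRange(cve_id, vendor, product, start, ev["fixed"], vector)
                            start = None
                    if start is not None:  # open-ended (no fix, or only last_affected given)
                        yield AffectedRange(cve_id, vendor, product, start, "", vector)


class StaticSource(DataSource):
    """Stand-in for a second feed (e.g. GAD) that already yields common rows."""
    name = "static"

    def __init__(self, rows):
        self.rows = rows

    def get_cve(self, since=None):
        yield from self.rows


def update_database(sources, existing=(), since=None):
    """Collect rows from every source; drop rows already stored or already seen,
    so one CVE reported by several feeds yields one row (and one report line)."""
    seen = set(existing)
    new_rows = []
    for src in sources:
        for row in src.get_cve(since=since):
            if row not in seen:
                seen.add(row)
                new_rows.append(row)
    return new_rows


VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# Constructed OSV-schema sample (placeholder ids, not real advisories).
SAMPLE_OSV_JSON = json.dumps([
    {"id": "PYSEC-0000-0001", "aliases": ["CVE-0000-0001"], "modified": "2022-08-01T00:00:00Z",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [
                       {"introduced": "0"}, {"fixed": "1.2.3"},
                       {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}]}],
     "severity": [{"type": "CVSS_V3", "score": VECTOR}]},
    {"id": "GO-0000-0002", "aliases": [], "modified": "2022-06-01T00:00:00Z",
     "affected": [{"package": {"ecosystem": "Go", "name": "example.invalid/mod"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}]},
                              {"type": "GIT", "repo": "https://example.invalid/r",
                               "events": [{"introduced": "0"}]}]}]},
])
# Second feed repeating one OSV range (must be dropped) and adding one new one.
SAMPLE_SECOND_FEED = [
    AffectedRange("CVE-0000-0001", "pypi", "examplepkg", "0", "1.2.3", VECTOR),
    AffectedRange("CVE-0000-0001", "npm", "examplepkg", "0", "1.2.3", VECTOR),
]

if __name__ == "__main__":
    for row in update_database([OSVSource(SAMPLE_OSV_JSON), StaticSource(SAMPLE_SECOND_FEED)]):
        print(row)
```

Running it without `since` yields three rows from the OSV sample (two fixed ranges for the PyPI package, one open-ended range for the Go module; the GIT range is ignored) plus one new row from the second feed, with the repeated range dropped; passing `since="2022-07-01T00:00:00Z"` skips the Go record because it was last modified before that date.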
PRs:
- intel/cve-bin-tool#1750
- intel/cve-bin-tool#1844
- intel/cve-bin-tool#1846
- intel/cve-bin-tool#1864
- intel/cve-bin-tool#1868
- intel/cve-bin-tool#1869
- intel/cve-bin-tool#1877
- intel/cve-bin-tool#1903
- intel/cve-bin-tool#1931
- intel/cve-bin-tool#1933
- intel/cve-bin-tool#1949
I plan on contributing significantly to the project after the GSoC period. Things I plan to do:
- Improving the asynchronous code so that CVE downloading and updating becomes more efficient.
- Change the output of cve-bin-tool for better reporting.
I am thankful to Google, Python Software Foundation, and Intel for providing me with this excellent opportunity, and to the mentors, Terri Oda, Anthony Harrison, and Sahil, who guided me throughout the program.
I would also like to thank my fellow GSoC contributors Yashu and Anant and the cve-bin-tool community for helping me during the program.