From 084781be965ef249aa95560a1a98f0a14591b144 Mon Sep 17 00:00:00 2001 From: Shivam Sandbhor Date: Fri, 11 Dec 2020 18:54:23 +0530 Subject: [PATCH 1/2] Add SOURCES.rst to document data sources being used Signed-off-by: Shivam Sandbhor --- SOURCES.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 SOURCES.rst diff --git a/SOURCES.rst b/SOURCES.rst new file mode 100644 index 000000000..f624e1d3c --- /dev/null +++ b/SOURCES.rst 
@@ -0,0 +1,45 @@ ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|Importer Name: | Data Source |Ecosystems Covered | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|rust | https://github.com/RustSec/advisory-db |rust crates | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|alpine | https://gitlab.alpinelinux.org/alpine/infra/alpine-secdb |alpine packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|archlinux | https://security.archlinux.org/json |arch packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|debian | https://security-tracker.debian.org/tracker/data/json |debian packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|npm | https://github.com/nodejs/security-wg.git |npm packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|ruby | https://github.com/rubysec/ruby-advisory-db.gitruby |ruby gems | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|ubuntu | https://people.canonical.com/~ubuntu-security/oval/ |ubuntu packages 
| ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|retiredotnet | https://github.com/RetireNet/Packages.git |.NET packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|suse_backports | http://ftp.suse.com/pub/projects/security/yaml/ |SUSE packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|debian_oval | https://www.debian.org/security/oval/ |debian packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|redhat | https://access.redhat.com/hydra/rest/securitydata/cve.json |rpm packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|nvd | https://nvd.nist.gov/vuln/data-feeds#JSON_FEED |none | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|gentoo | https://anongit.gentoo.org/git/data/glsa.git |gentoo packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|openssl | https://www.openssl.org/news/vulnerabilities.xml |openssl | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|ubuntu_usn | 
https://usn.ubuntu.com/usn-db/database-all.json.bz2 |ubuntu packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|github | https://api.github.com/graphql |maven, .NET, php-composer, pypi packages. ruby gems | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|msr2019 | https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv |maven packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|apache_httpd | https://httpd.apache.org/security/vulnerabilities-httpd.xml |apache-httpd | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|kaybee | https://github.com/SAP/project-kb.git |maven packages | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|nginx | http://nginx.org/en/security_advisories.html |nginx | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ +|postgresql | https://www.postgresql.org/support/security/ |postgresql | ++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ From 4a5d383df0a32d72f188c9db73bbdf4bf1c38dde Mon Sep 17 00:00:00 2001 
From: Shivam Sandbhor Date: Fri, 11 Dec 2020 19:19:08 +0530 Subject: [PATCH 2/2] Link SOURCES.rst from README.rst and correct a typo in SOURCES.rst Signed-off-by: Shivam Sandbhor --- README.rst | 10 +++++----- SOURCES.rst | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.rst b/README.rst index 0368d9dc3..af4803f4b 100644 --- a/README.rst +++ b/README.rst @@ -41,11 +41,11 @@ The How VulnerableCode independently aggregates many software vulnerability data sources that can easily be recreated in a decentralized fashion. These -data sources include security advisories published by distros, package -managers, etc. Due to this, the data obtained is not generalized to apply -for other ecosystems. This increases the accuracy as the same version of -a package across different distros may or may not be vulnerable to some -vulnerability. +data sources (see complete list `here <./SOURCES.rst>`_) include security +advisories published by distros, package managers, etc. Due to this, the +data obtained is not generalized to apply for other ecosystems. This +increases the accuracy as the same version of a package across different distros +may or may not be vulnerable to some vulnerability. The packages are identified using `PURL `__ rather than CPEs. diff --git a/SOURCES.rst b/SOURCES.rst index f624e1d3c..02b2ff6fd 100644 --- a/SOURCES.rst +++ b/SOURCES.rst 
@@ -11,7 +11,7 @@ +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ |npm | https://github.com/nodejs/security-wg.git |npm packages | +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ruby | https://github.com/rubysec/ruby-advisory-db.gitruby |ruby gems | +|ruby | https://github.com/rubysec/ruby-advisory-db.git |ruby gems | +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ |ubuntu | https://people.canonical.com/~ubuntu-security/oval/ |ubuntu packages | +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
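Review bot: in the SOURCES.rst hunk of patch 1, the `suse_backports` row (`http://ftp.suse.com/pub/projects/security/yaml/`) and the `nginx` row (`http://nginx.org/en/security_advisories.html`) point at plain-HTTP endpoints while every other source is fetched over HTTPS; advisory data pulled over an unauthenticated channel can be altered in transit, so check whether those hosts serve the same paths over HTTPS and use that scheme in the table (and, where an importer is pinned to HTTP, say so in the doc). Two smaller points in the same table: the `nvd` row's "Ecosystems Covered" value of "none" is ambiguous (it reads as "this importer covers nothing"); state what the importer actually contributes, for example that NVD entries carry CVE/CPE data rather than a package ecosystem. The header cell "Importer Name:" has a stray trailing colon the other two headers lack, and the `github` row's "pypi packages. ruby gems" uses a period where a comma is intended.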
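Review bot: in the README.rst hunk of patch 2, the link anchor "here" in ``(see complete list `here <./SOURCES.rst>`_)`` is non-descriptive; prefer anchor text that names the target, e.g. ``(see the complete list of `data sources <./SOURCES.rst>`_)``. The hunk also rewraps the four following lines of the paragraph although only the first sentence changes ("advisories published by distros, package managers, etc." through "may or may not be vulnerable to some vulnerability."); keeping the original line breaks would reduce the diff to the one sentence that actually changed and make the change easier to review and blame.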
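Review bot: the SOURCES.rst hunk of patch 2 fixes `https://github.com/rubysec/ruby-advisory-db.gitruby` to `https://github.com/rubysec/ruby-advisory-db.git`, which is an error introduced by patch 1 of this same series; squash this one-line correction into patch 1 so that no commit in the series publishes a broken URL, and so that patch 2 is the README-only change its subject line should then describe. As submitted, the subject "Link SOURCES.rst from README.rst and correct a typo in SOURCES.rst" bundles two unrelated edits into one commit.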