Is it good to depend on safety-db for Python vuln DB? #344

Closed
chezou opened this issue Dec 27, 2019 · 8 comments
Labels
triage/support Indicates an issue that is a support question.

Comments

@chezou

chezou commented Dec 27, 2019

It seems safety-db isn't actively maintained. Is it good for trivy to keep depending on safety-db to detect Python vulnerabilities?

@chezou chezou added the triage/support Indicates an issue that is a support question. label Dec 27, 2019
@chezou chezou changed the title Is safety-db reliable? Is it good to depend on safety-db for Python vuln DB? Dec 27, 2019
@knqyf263
Collaborator

Thank you for opening the issue! Actually, I've been looking for another public database for Python vulnerabilities, but I've never found one. For now, safety-db can be used for old vulnerabilities, so I'm going to keep it. If someone knows another database, let me know, please. I'd switch from safety-db to it.

@chezou
Author

chezou commented Dec 29, 2019

Not sure it is the right solution, but I think the GitHub Advisory Database can be an alternative. They only provide a GraphQL API, though.

@knqyf263
Collaborator

I think they provide an API to retrieve the results of Python vulnerabilities in a GitHub repository. It means a user who doesn't use GitHub can't use the API. Or do they have an API to detect vulnerabilities in package information sent from a client?

@chezou
Author

chezou commented Dec 29, 2019

The GitHub Advisory Database provides vulnerability info for pip, RubyGems, etc., including CVEs, which I guess means it is the source of dependabot's data. You can look at it in your browser at https://github.com/advisories?query=ecosystem%3Apip, and they also provide a GraphQL API (see also https://gist.github.com/chezou/998c1bb19a6bb6f292ba5012d02d815a).

Of course, the GitHub API requires a GitHub account; if this requirement isn't suitable for trivy, we can't use it as a safety-db alternative.
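As an added example (not code from this thread, from trivy, or from GitHub), here is how a scanner could match installed pip packages against `securityVulnerabilities` nodes shaped like the GraphQL response mentioned above. The sample response, GHSA ids and version ranges are constructed placeholders, and the version comparison is a deliberately simplified stand-in for full PEP 440 handling (no pre-release or local segments).

```python
import json
import operator
import re

# Constructed sample: the shape of the `securityVulnerabilities` nodes GitHub's
# GraphQL API returns for ecosystem PIP. IDs, summaries and ranges are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"data": {"securityVulnerabilities": {"nodes": [
  {"package": {"name": "django", "ecosystem": "PIP"},
   "vulnerableVersionRange": ">= 2.2, < 2.2.9",
   "firstPatchedVersion": {"identifier": "2.2.9"},
   "advisory": {"ghsaId": "GHSA-EXAMPLE-0001", "summary": "placeholder advisory A"}},
  {"package": {"name": "django", "ecosystem": "PIP"},
   "vulnerableVersionRange": "< 1.11.27",
   "firstPatchedVersion": {"identifier": "1.11.27"},
   "advisory": {"ghsaId": "GHSA-EXAMPLE-0002", "summary": "placeholder advisory B"}}
]}}}
""")

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def parse_version(text):
    """Dotted numeric version -> tuple of ints, zero-padded so 2.2 == 2.2.0 (simplified, not PEP 440)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))


def in_range(version, version_range):
    """True if `version` satisfies every comma-separated clause, e.g. '>= 2.2, < 2.2.9'."""
    v = parse_version(version)
    for clause in version_range.split(","):
        m = re.match(r"\s*(<=|>=|<|>|=)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def match_advisories(response, installed):
    """Map {package_name: version} to the (ghsaId, firstPatchedVersion) pairs that affect it."""
    findings = {}
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        name = node["package"]["name"].lower()
        if name in installed and in_range(installed[name], node["vulnerableVersionRange"]):
            fixed = (node.get("firstPatchedVersion") or {}).get("identifier")
            findings.setdefault(name, []).append((node["advisory"]["ghsaId"], fixed))
    return findings
```

A real scanner would page through the API (`first`/`after`) and use a proper PEP 440 comparator before trusting the ranges.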

@knqyf263
Collaborator

Oh, I didn't know that! I thought it was provided only for GitHub repositories. Thanks!

Now, we build a vulnerability database in GitHub Actions and upload it to GitHub Releases: https://github.com/aquasecurity/trivy-db/releases
I will ask GitHub if we can use GitHub Advisory Database for this purpose.

@chezou
Author

chezou commented Dec 29, 2019

That would be great if we could bundle them into releases! I hope GitHub allows trivy to use it 🤞

@knqyf263
Collaborator

@lizrice found the license!
https://help.github.com/en/github/site-policy/github-additional-product-terms#11-advisory-database

@knqyf263
Collaborator

@chezou Now we're working on the replacement. You can track it in #415. Thank you for the information.
