Known vulnerabilities #22

Closed
bmarwell opened this issue Dec 31, 2021 · 7 comments
Labels
enhancement New feature or request
Milestone

Comments

@bmarwell

Show an artifact as vulnerable or as vulnerable in Dependencies (except test dependencies).

Maybe a hint coloured red and yellow.

@mthmulders
Owner

This is a very interesting and relevant idea - thanks for sharing it. If I recall correctly from a Twitter convo, it's inspired by the fact that mvnrepository.com displays it. I've taken a look at how they do it, and it seems to me they do a lookup server side and then include it in the HTML that they send to the browser.

I'd rather not use web page scraping to collect this information. @bmarwell, do you happen to know any (REST-like) API which could give the same information?

@mthmulders mthmulders added the enhancement New feature or request label Jan 6, 2022
@mthmulders
Owner

Result pages on search.maven.org provide a link to the Sonatype OSS index (e.g. log4j-core) but that suffers from the same issue: it only serves the response in a full-fledged HTML page :-(.

@bmarwell
Author

bmarwell commented Jan 9, 2022

I don't know of a REST-API, sorry.

@AbdelHajou

AbdelHajou commented Feb 17, 2022

Hey @mthmulders , the link to the Sonatype website you provided has another link to their REST API at the bottom of the page. The api/v3/component-report endpoint returns a list of vulnerabilities for the component with this coordinate.


I haven't looked much further into this API, but if you agree I could look into this issue and maybe implement it when I have time.

One issue I'm seeing with this API is that it requires basic authorization using an e-mail address and password. This would be difficult to implement, because you would need a separate key for each MCS user. How have you solved this issue for the Maven Central API? Does that API not require authorization?

@mthmulders
Owner

Good catch, @AbdelHajou. I'm definitely going to investigate that route. Their documentation also says

Rate limits apply to requests. If the rate is exceeded then responses will indicate 429 Too many requests status.
Authenticated requests have a higher limit.

They don't mention the exact limit, though.

Maybe mcs could do unauthenticated requests by default. Additionally, it could have support for people who want to use their Sonatype account so they can do more requests. But that requires a bit of thinking (how/where to store those credentials, how to fall back if there are none, etc.).

Additionally, mcs might only include security info using this Sonatype API when the user explicitly asks for it, e.g. using a flag.
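As an added illustration (not code from mcs or from anyone in this thread), a small Python client for the component-report lookup that AbdelHajou pointed out, wired the way mthmulders proposes: unauthenticated by default, optional Sonatype credentials via Basic auth for the higher rate limit, and a fallback when the API answers 429. The two endpoint URLs, the authenticated path, the JSON field names and the CVSS thresholds behind the red/yellow hint are assumptions, and the sample report is constructed.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError

# Assumed endpoint paths (the issue only names "api/v3/component-report"): unauthenticated and authenticated.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
OSSINDEX_AUTH_URL = "https://ossindex.sonatype.org/api/v3/authorized/component-report"

def to_purl(group_id, artifact_id, version):
    """Translate Maven coordinates into the Package URL form the endpoint takes."""
    return f"pkg:maven/{group_id}/{artifact_id}@{version}"

def basic_auth_header(email, token):
    """Basic auth value for an optional Sonatype account (e-mail + token); only needed for the higher rate limit."""
    return "Basic " + base64.b64encode(f"{email}:{token}".encode()).decode()

def build_request(coordinates, email=None, token=None):
    """Unauthenticated by default; switch to the authenticated path only when credentials were supplied."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    url = OSSINDEX_URL
    if email and token:
        url = OSSINDEX_AUTH_URL
        headers["Authorization"] = basic_auth_header(email, token)
    body = json.dumps({"coordinates": coordinates}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def classify(report, yellow_from=4.0, red_from=7.0):
    """Map each coordinate to 'red', 'yellow' or 'ok' by its highest CVSS score (thresholds are assumptions)."""
    result = {}
    for component in report:
        worst = max((v.get("cvssScore", 0.0) for v in component.get("vulnerabilities", [])), default=0.0)
        result[component["coordinates"]] = "red" if worst >= red_from else "yellow" if worst >= yellow_from else "ok"
    return result

def fetch_report(coordinates, email=None, token=None):
    """Do the lookup; on 429 return None so the caller can still show search results, just without security info."""
    try:
        with urllib.request.urlopen(build_request(coordinates, email, token), timeout=10) as resp:
            return json.load(resp)
    except HTTPError as exc:
        if exc.code == 429:
            return None
        raise

SAMPLE_REPORT = [  # constructed response (invented ids and scores) in the shape assumed for the endpoint
    {"coordinates": "pkg:maven/org.example/lib-a@1.0.0", "vulnerabilities": [{"id": "SAMPLE-1", "cvssScore": 9.8}, {"id": "SAMPLE-2", "cvssScore": 5.3}]},
    {"coordinates": "pkg:maven/org.example/lib-b@2.1.0", "vulnerabilities": [{"id": "SAMPLE-3", "cvssScore": 4.3}]},
    {"coordinates": "pkg:maven/org.example/lib-c@3.0.0", "vulnerabilities": []}]
```

`classify(SAMPLE_REPORT)` yields the per-artifact colour a CLI could print next to each result; `fetch_report` is the only function that touches the network.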

@mthmulders mthmulders added this to the 0.3 milestone Feb 18, 2022
@mthmulders mthmulders modified the milestones: 0.3, 0.4 Jan 5, 2023
@mthmulders mthmulders modified the milestones: 0.4, 0.5 May 22, 2023
@mthmulders
Owner

@all-contributors please add @AbdelHajou for idea.

Contributor

@mthmulders

I've put up a pull request to add @AbdelHajou! 🎉

3 participants