Refactor the 'missing' command to pull CVE details from NIST data feeds.#34
Closed
lightswitch05 wants to merge 2 commits into psecio:master from
Conversation
Using published JSON data feeds from NIST (instead of cvedetails.com) allows for more reliable parsing of CVE details and removes the dependency on 'kub-at/php-simple-html-dom-parser'. Having a more reliable data source for CVE details will allow for further automation in the near future.

Since we now have a reliable way to parse CVE details, I've included a couple of new attributes in the CVE check: lastModifiedDate and publishedDate. The values are not being used anywhere at the moment, but they might aid in pull-request review where CVE details have been modified. Also, the old CVE source commonly included those values in the summary.

Finally, I've changed the check.json 'threat' datatype from a string to float. I believe the float datatype is more appropriate, and the change was able to be made without having any compatibility issues with the scan logic. I believe there is a need to allow checks to be released prior to a threat value being assigned, in which case threat would be set to null.
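As an added illustration of the approach the description above outlines (this is example code written for this page, not versionscan's own implementation or the PR's diff), the script below decodes a constructed excerpt in the NVD JSON 1.1 feed layout (`CVE_Items[]` with `cve.CVE_data_meta.ID`, `cve.description.description_data[]`, `impact.baseMetricV3.cvssV3.baseScore`, `publishedDate`, `lastModifiedDate`) and maps each item to a check entry. The check.json field names other than `threat` are assumptions; the CVE identifiers and descriptions in the sample feed are constructed. The `threat` value is taken from the CVSS v3 base score, falls back to v2, and is `null` when NVD has not scored the entry yet, matching the "release a check before a threat value is assigned" case.

```php
<?php
// Added example, not versionscan's code: turn an NVD JSON 1.1 feed document
// into check entries with threat (float|null), publishedDate and
// lastModifiedDate. The feed excerpt is constructed; the check layout is assumed.

declare(strict_types=1);

// Constructed excerpt in the NVD JSON 1.1 feed layout. The second item has an
// empty "impact" block, which is how unscored CVEs appear in the feeds.
$feedJson = <<<'JSON'
{
  "CVE_data_type": "CVE",
  "CVE_Items": [
    {
      "cve": {
        "CVE_data_meta": {"ID": "CVE-0000-0001"},
        "description": {"description_data": [
          {"lang": "en", "value": "Constructed example: flaw in a hypothetical PHP extension."}
        ]}
      },
      "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}},
      "publishedDate": "2019-01-02T03:04Z",
      "lastModifiedDate": "2019-02-03T04:05Z"
    },
    {
      "cve": {
        "CVE_data_meta": {"ID": "CVE-0000-0002"},
        "description": {"description_data": [
          {"lang": "en", "value": "Constructed example: entry awaiting NVD analysis."}
        ]}
      },
      "impact": {},
      "publishedDate": "2019-03-04T05:06Z",
      "lastModifiedDate": "2019-03-04T05:06Z"
    }
  ]
}
JSON;

/**
 * Decode a feed document and return one check entry per CVE item.
 * JSON_THROW_ON_ERROR makes a truncated or corrupted download fail loudly
 * instead of silently producing an empty check list.
 */
function parseNvdFeed(string $json): array
{
    $feed = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $checks = [];
    foreach ($feed['CVE_Items'] ?? [] as $item) {
        $checks[] = cveItemToCheck($item);
    }
    return $checks;
}

/** Map a single CVE_Items entry to the (assumed) check.json shape. */
function cveItemToCheck(array $item): array
{
    // Use the English description as the summary; ignore other languages.
    $summary = '';
    foreach ($item['cve']['description']['description_data'] ?? [] as $desc) {
        if (($desc['lang'] ?? '') === 'en') {
            $summary = $desc['value'];
            break;
        }
    }
    return [
        'cve'              => $item['cve']['CVE_data_meta']['ID'],
        'summary'          => $summary,
        'threat'           => threatScore($item['impact'] ?? []),
        'publishedDate'    => $item['publishedDate'] ?? null,
        'lastModifiedDate' => $item['lastModifiedDate'] ?? null,
    ];
}

/**
 * Prefer the CVSS v3 base score, fall back to v2, and return null when the
 * CVE has not been scored yet so the check can still be released.
 */
function threatScore(array $impact): ?float
{
    $score = $impact['baseMetricV3']['cvssV3']['baseScore']
          ?? $impact['baseMetricV2']['cvssV2']['baseScore']
          ?? null;
    return $score === null ? null : (float) $score;
}

$checks = parseNvdFeed($feedJson);
echo json_encode($checks, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR), PHP_EOL;
```

Run with `php parse_feed.php`; the first entry comes out with `"threat": 7.5` and the second with `"threat": null`. Keeping `lastModifiedDate` in the emitted entry is what makes a later re-run of the feed parser diff cleanly against the checked-in check.json, which is the review use the description has in mind.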
lightswitch05 (Contributor, Author)
@enygma I'm considering taking this pull request and splitting it out into a separate tool that I can manage directly, apply regular updates to, and implement some of the other requested features. I've requested more access to versionscan previously and received no feedback. If you could take a moment to share your views and goals of versionscan with me, perhaps we could collaborate together towards a shared goal instead of needing to create a separate project.
lightswitch05 (Contributor, Author)
Closing in favor of PHP Version Audit.