forked from clearlinux/cve-check-tool
TODO List
---------
cve-check-tool has achieved minimal functionality, which has come at a
cost. A refactor will be needed to bring performance and flexibility
up to par.
In essence, cve-check-tool is an aggregator of data sources, performing
a cross-reference to determine whether the final user (distribution) is
affected by a CVE.
Redesign overview:
The current primary data source is the NVD DB. However, because it is
distributed as XML, it is extremely expensive to work with. We mitigate this
for the most part by interweaving cross-reference logic with data checking.
Going forward, data sources will be separate plugins to feed the primary
database. This database will most likely be sqlite3, offering high performance
read operations.
cve-check-tool will pull read-only from its database, cross-referencing
distro data (whether previously imported or dynamic at runtime), improving
performance and vastly reducing code complexity.
Data sources and parsers are to be separate from reporters (such as JIRA,
HTML, CSV), removing the current interweaving issue.
This means splitting the data-import from the cross-check runs:
  .---------------------.
  | Package/distro data |
  '---------------------'
             |                                .------.
             v                                | CSV  |
  (cve-check-tool binary)                     '------'
  *******************                         .------.
  * Cross-reference * ----------------------> | HTML |  Output
  *******************                         '------'
             ^                                .------.
             |                                | JIRA |
             |                                '------'
  .----------------------.
  | CVE/Central database |
  '----------------------'
      ^              ^
      |              |
  .-----.        .-----.
  | NVD |        | USN |   Data sources
  '-----'        '-----'
This has many benefits, as the majority of queries we are interested in
are best supported by database solutions, e.g.
SELECT * FROM vulnerabilities WHERE product ...
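The import/cross-check split sketched above, as an added illustration that is not cve-check-tool's own code: two constructed feeds stand in for the NVD and USN plugins and write into a central sqlite3 database, the cross-reference step only reads from it, and the CSV reporter sees nothing but the result list. The placeholder CVE ids, the `fixed_in` column and the dotted-version comparison are assumptions made for the example.

```python
import csv
import io
import sqlite3

# Constructed sample feeds standing in for the NVD and USN plugins.
# The CVE ids are placeholders, not real advisories.
NVD_FEED = [("CVE-0000-0001", "openssl", "1.0.2"), ("CVE-0000-0002", "zlib", "1.2.9")]
USN_FEED = [("CVE-0000-0003", "openssl", "1.1.0")]


def open_central_db():
    """Create the central database; data-source plugins only ever write here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vulnerabilities (cve TEXT, product TEXT, fixed_in TEXT, "
               "PRIMARY KEY (cve, product))")
    return db


def import_feed(db, feed):
    """Plugin step: normalise one feed into (cve, product, fixed_in) rows."""
    db.executemany("INSERT OR REPLACE INTO vulnerabilities VALUES (?, ?, ?)", feed)
    db.commit()


def version_key(version):
    # Assumption: plain dotted numeric versions. Real distro epoch/revision rules are richer.
    return tuple(int(part) for part in version.split("."))


def cross_reference(db, packages):
    """Read-only cross-check: which installed packages sit below a fixed_in version?"""
    hits = []
    for name, version in packages:
        rows = db.execute("SELECT cve, fixed_in FROM vulnerabilities WHERE product = ?", (name,))
        for cve, fixed_in in rows:
            if version_key(version) < version_key(fixed_in):
                hits.append((name, version, cve, fixed_in))
    return sorted(hits)


def report_csv(hits):
    """Reporter kept apart from the data layer; HTML or JIRA reporters would take the same list."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["package", "version", "cve", "fixed_in"])
    writer.writerows(hits)
    return buf.getvalue()


def run(packages):
    db = open_central_db()
    for feed in (NVD_FEED, USN_FEED):
        import_feed(db, feed)
    return cross_reference(db, packages)


if __name__ == "__main__":
    print(report_csv(run([("openssl", "1.0.1"), ("zlib", "1.2.11")])))
```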