support multiple vulnerability database strategies (github advisory and dependency-check) #14

mthbernardes · 2022-02-16T03:33:59Z

Support Github advisory database.

Pros

Faster execution.
Lookup by dependency-name.
Possible to generate a binary using graalvm.
Not necessary to mantain a DB like in dependency-check.
Code much more simple.

Cons

Lookup vulnerabilities by dependency name so in case of a dependency with a different name in the advisory it will not find the vulnerability (E.g.: org.jdom/jdom2 / org.jdom/jdom)
Github token necessary
Rate Limit
It's possible to execute it using a Github action token but it has a rate limit of 5k.

Issues

Support git version when looking up for fixes.

…-check or github advisory database

mthbernardes added 2 commits February 16, 2022 00:33

poc using github advisory db instead of dependency-check

a1a0237

remove unused file

adfa915

mthbernardes marked this pull request as draft February 16, 2022 03:35

mthbernardes added 16 commits February 16, 2022 12:51

add remediation code

111fde9

add output

d489f68

add slf4 nop

4aba3da

remove prints

c1a0f53

add security checks

04cbc59

add rename dependencies

a800dda

small refactors and new report

accd58f

small fixes

4f38097

bug fixes, support git package versions, use only latest to bump

db6577b

rename comment

8bf67f9

Update security.yaml

7c7ecd9

add vulnerability strategy support so it's possible to use dependency…

b335c84

…-check or github advisory database

rename short option for database-strategy

7cf017e

rename short option for database-strategy

bca348b

update cli description

a22a710

make a better doc

536d85b

mthbernardes marked this pull request as ready for review February 18, 2022 03:27

mthbernardes added 4 commits February 18, 2022 00:31

lint and add lint step

c4b1b5f

rename lint aliases and add test path to action

949e871

lint

48ef982

lint

ef4cd9e

mthbernardes self-assigned this Feb 18, 2022

lint

9cf3ede

mthbernardes changed the title ~~poc using github advisory db instead of dependency-check~~ support multiple vulnerability database strategies (github advisory and dependency-check) Feb 18, 2022

mthbernardes added 3 commits February 18, 2022 09:37

remove unecessary logging

8a81aa7

bug fix

d8feb84

update readme

306ef6e

mthbernardes merged commit b93c486 into main Feb 18, 2022

mthbernardes deleted the poc-remove-dependency-check branch February 18, 2022 14:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

support multiple vulnerability database strategies (github advisory and dependency-check) #14

support multiple vulnerability database strategies (github advisory and dependency-check) #14

mthbernardes commented Feb 16, 2022 •

edited

Loading

support multiple vulnerability database strategies (github advisory and dependency-check) #14

support multiple vulnerability database strategies (github advisory and dependency-check) #14

Conversation

mthbernardes commented Feb 16, 2022 • edited Loading

Pros

Cons

Issues

mthbernardes commented Feb 16, 2022 •

edited

Loading