Use github advisories as a source instead of NVD #4130
Comments
|
@javixeneize Please point us to comprehensive documentation on using the github advisories as a source of thruth. |
|
Sure. Here is the documentation for the graphql API https://docs.github.com/en/graphql/reference/objects#securityadvisory Some other documentation: https://github.com/github/advisory-database And an issue i did open there to see if a database can be built instead of querying the API for each library - github/advisory-database#30 I am building a SCA tool (Python) using those advisories as a source, and it is working quite well. If you consider to rewrite dependency check in python using github advisories, i will be pleased to take part on it :) |
|
This has been on my list of things todo. However, it would not be a re-write - rather an additional source that could help reduce the FP rate. I do not think we would completely abandon the current search mechanism - just reduce its usage some. I'm still determining a plan around this (and other datasources). A couple of other database include:
|
|
yeah, i agree, the problem is with java mainly, i havent seen the same issue in other technologies. |
Hi
There are lots of false positives in Dependency check because of the data pulled from NVD. I have been querying NVD database and it is a nightmare to try to flag a vulnerability against a given library and version, i think this is the root cause for the false positives.
My recommendation is to use github advisories as the database source (if the license of the database allows you to do that). This data is much more clean and reliable and i think false positives will disappear, making this a much better tool.
Thanks
The text was updated successfully, but these errors were encountered: