Currently, users and other developers have no way to know which CVEs exist or have been resolved in the openEuler community. Furthermore, the security group members have no method to report and trace the state of CVE bugs.
Because this may be a big system that involves gitee and the mailing list (reports are submitted through the mailing list), we plan to split the whole system into several stages. This spec covers only the first stage, which will only provide a way to import and explore the CVEs.
Users & Developers: List all the CVEs related to this community. Search CVEs by condition.
Security Members: Import the full list of information in Excel format to update the state of all CVEs.
Add a separate repository under https://gitee.com/openeuler named cve-management to house all the code for data management and the data import tool. Let’s call it the backend. This code will manage the state of all CVEs, provide the API to list CVEs with page navigation, and provide a local tool to import the data.
Add a single page to show the state of CVEs; let’s call it the front system. This page will call the backend API to get the data and show it as HTML.
Please refer to the API for more details. Currently we only expose the query API. For data importing, we only consider using an internal data import tool instead of a RESTful API.
front-end --> website servers
|
| {restful-api}
|
backend
|
|
database
The front page will be part of the website. The backend will be a service running in a container pod on a Kubernetes cluster. To use the same domain “openeuler.org”, we will proxy the backend service through the website server. The nginx configuration will be:
# Forward requests under /cve/ to the backend service
location /cve/ {
    proxy_pass http://<server-ip>:<port>;
}
The database is used to store the CVE information on huaweicloud. Data is imported by a special tool.
Because only the query API is currently exposed, the data is in a safe place.
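One way the query-only path described above can be kept read-only and injection-safe, as an added example that is not openEuler's code. The table and column names, the filter names and the page-size cap are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Hypothetical filter names mapped to fixed SQL fragments; the spec does not define them.
ALLOWED_FILTERS = {
    "cve_id": "cve_id = ?",
    "package": "package = ?",
    "status": "status = ?",
}
MAX_PAGE_SIZE = 100  # assumed cap so one request cannot dump the whole table


def make_sample_db():
    """Constructed in-memory rows standing in for the imported CVE list."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cve (cve_id TEXT PRIMARY KEY, package TEXT, status TEXT)")
    rows = [
        (f"CVE-0000-{i:04d}", "pkg-a" if i % 2 else "pkg-b",
         "resolved" if i % 3 == 0 else "open")
        for i in range(1, 8)
    ]
    db.executemany("INSERT INTO cve VALUES (?, ?, ?)", rows)
    db.commit()
    # The import tool writes; the connection used by the query API cannot.
    db.execute("PRAGMA query_only = ON")
    return db


def list_cves(db, filters=None, page=1, page_size=20):
    """Return (total, rows) for one page of CVEs matching the conditions."""
    filters = filters or {}
    unknown = set(filters) - set(ALLOWED_FILTERS)
    if unknown:
        # Field names never reach the SQL text unless they are on the allowlist.
        raise ValueError(f"unsupported filter: {sorted(unknown)}")
    page = max(1, int(page))
    page_size = min(max(1, int(page_size)), MAX_PAGE_SIZE)
    where = ""
    if filters:
        where = " WHERE " + " AND ".join(ALLOWED_FILTERS[k] for k in filters)
    # Values are always bound as parameters, never concatenated.
    params = [str(filters[k]) for k in filters]
    total = db.execute("SELECT COUNT(*) FROM cve" + where, params).fetchone()[0]
    rows = db.execute(
        "SELECT cve_id, package, status FROM cve" + where
        + " ORDER BY cve_id LIMIT ? OFFSET ?",
        params + [page_size, (page - 1) * page_size],
    ).fetchall()
    return total, rows
```
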
No impact on performance.