Firstly wanted to say thank you for developing such an amazing tool!
I started to look into #22 and wrote some code (proof of concept and needs tidying) just to demonstrate the possibilities. You can see/run the code on my fork. I just wanted to share the following thoughts/ideas and hopefully get some feedback from you.
The OSS Index REST API provides two endpoints for accessing a component report (listing known vulnerabilities). Sadly both endpoints involve rate limiting (I don't know the figures off the top of my head) but the authorized endpoint provides a higher limit. You can register and use an email and API token to authenticate each request. See instructions.
The REST endpoint uses a Package URL to identify a dependency. This is the specification and this is the Java implementation I used on my fork.
The PoC code used unauthorized requests (and quickly ran into issues with rate limiting). I like the discussion of having a default configuration where possibly OSS Index credentials could be stored.
Example displaying CVE IDs (didn't make sense to show the "description" as I believe this is intended for HTML output)
Example displaying reference links (unfortunately the links are quite long)
Example when searching for dependency leads to a direct match
Not sure if you already have a solution in mind, or any preferences on how to display the vulnerabilities? This tool is super useful and I think would really benefit from displaying any known vulnerabilities.
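The lookup the post describes, written out as an added example in Python (it is not the fork's Java code and not part of the original post). It builds a Package URL from Maven coordinates, prepares either the public or the authorized component-report request (HTTP Basic auth with the registered email and API token), turns a 429 response into a typed error so the caller can back off, and summarises a report into the CVE IDs and reference links the post proposes to display. The endpoint paths, the JSON field names (`coordinates`, `vulnerabilities`, `id`, `cve`, `cvssScore`, `reference`), and the 128-coordinate batch limit are my assumptions about the API, not facts stated on the page; the sample report at the bottom is constructed so the example runs offline.

```python
"""OSS Index component-report lookup sketch.

Added example. Endpoint paths, JSON field names and the batch limit below are
assumptions about the OSS Index v3 API, not taken from the discussion page.
"""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Assumed endpoint paths: unauthenticated (lower rate limit) and authorized.
PUBLIC_URL = "https://ossindex.sonatype.org/api/v3/component-report"
AUTHORIZED_URL = "https://ossindex.sonatype.org/api/v3/authorized/component-report"
MAX_BATCH = 128  # assumed per-request coordinate limit


def maven_purl(group_id: str, artifact_id: str, version: str) -> str:
    """Build pkg:maven/<namespace>/<name>@<version>.

    Every segment is percent-encoded (no safe characters) so a '/' or '@'
    inside a coordinate cannot shift the purl's structure.
    """
    enc = lambda s: quote(s, safe="")
    return f"pkg:maven/{enc(group_id)}/{enc(artifact_id)}@{enc(version)}"


def basic_auth_header(email: str, token: str) -> str:
    """HTTP Basic credentials: base64("<email>:<api token>")."""
    return "Basic " + base64.b64encode(f"{email}:{token}".encode()).decode()


def build_request(purls, email=None, token=None):
    """Return (url, headers, body) for one batch; authorized if creds given."""
    if len(purls) > MAX_BATCH:
        raise ValueError(f"at most {MAX_BATCH} coordinates per request")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    url = PUBLIC_URL
    if email and token:
        headers["Authorization"] = basic_auth_header(email, token)
        url = AUTHORIZED_URL
    body = json.dumps({"coordinates": list(purls)}).encode()
    return url, headers, body


class RateLimited(Exception):
    """Raised on HTTP 429; carries the Retry-After header value if present."""

    def __init__(self, retry_after):
        super().__init__(f"rate limited, retry after {retry_after}")
        self.retry_after = retry_after


def fetch_report(purls, email=None, token=None, timeout=30):
    """POST one batch of purls and return the parsed report (network call)."""
    url, headers, body = build_request(purls, email, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 429:
            raise RateLimited(err.headers.get("Retry-After")) from err
        raise


def summarize(report):
    """Map each purl to the fields worth printing: id, CVE, CVSS, reference.

    Components with no known vulnerabilities map to an empty list, so a
    caller can distinguish "clean" from "not in the report".
    """
    summary = {}
    for component in report:
        summary[component["coordinates"]] = [
            {
                "id": v.get("id"),
                "cve": v.get("cve"),
                "cvss": v.get("cvssScore"),
                "reference": v.get("reference"),
            }
            for v in component.get("vulnerabilities", [])
        ]
    return summary


# Constructed sample report (placeholder identifiers, not real advisories).
SAMPLE_REPORT = [
    {
        "coordinates": "pkg:maven/example/lib-a@1.0",
        "vulnerabilities": [
            {"id": "00000000-0000-0000-0000-000000000001", "cve": "CVE-0000-0000",
             "cvssScore": 7.5, "reference": "https://ossindex.example/vuln/1"}
        ],
    },
    {"coordinates": "pkg:maven/example/lib-b@2.0", "vulnerabilities": []},
]

if __name__ == "__main__":
    for purl, vulns in summarize(SAMPLE_REPORT).items():
        print(purl, [v["cve"] for v in vulns])
```

To run it against the live service, pass the report from `fetch_report([...], email, token)` into `summarize`; on a 429 the `RateLimited.retry_after` value is the hint to sleep on before resubmitting the same batch.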