
Add mitigations to the DB #1451

Open
evgenymo opened this issue Aug 22, 2023 · 6 comments
Labels
database Relating to the grype DB asset enhancement New feature or request

Comments

@evgenymo

What would you like to be added:
Would be great if the mitigations for the vulnerabilities were to be added to the DB

Why is this needed:
Could save the time it takes to pair the CVE to the proper fix

Additional context:

It happens anyway so it makes a lot of sense in adding that to the DB

@evgenymo evgenymo added the enhancement New feature or request label Aug 22, 2023
@tgerla
Contributor

tgerla commented Aug 24, 2023

Hi @evgenymo, thanks for the suggestion. Can you describe in more detail the mitigation information you would like added to the database? We are not exactly sure what you mean, but we would be happy to consider it. Do you have an example or any data set in mind that has these mitigations?

@evgenymo
Author

Hi @tgerla,

Sure, let me elaborate a bit.

At the very least I was thinking of having:

  • Fixed version(s)
  • Patches if they exist
  • Actions required to fix the issue apart from the options mentioned above

Would be nice to also have

  • Workarounds using other means like configuration, 3rd party tools or policies etc.

Here is an example that has most of them:
https://security.gentoo.org/glsa/202007-26

@tgerla
Contributor

tgerla commented Aug 31, 2023

Hi @evgenymo, thanks for the additional information. In some cases we do get fix version information and we do report it when we have it. For the other kinds of information, we could consider adding it our database.

Specifically for Gentoo, we don't support the GLSA database yet but it is certainly something we would consider adding as a Vunnel provider (https://github.com/anchore/vunnel) which would then feed into the Grype database. The other databases we pull from tend not to include additional mitigation information, though.

If you are interested in improving Grype's support for Gentoo, let us know and we can help!

@evgenymo
Author

Thanks @tgerla

I actually used Gentoo as an example of the kind of info I would love to have, as specified in my previous reply.

To be more specific, I'm more interested in a single source of truth such as Grype or NVD that has the info I listed, but most importantly the mitigations for the issues found when scanning.

That would help tremendously. It's good to hear you partly cover that, but I've looked at the DB and I haven't seen any.

Could you provide an example of a CVE that has the fix version? Or maybe point me in the right direction?

As for my main point, if you could consider having mitigations for the entire DB I would love to help; as far as I know and have searched around there is no such DB (at least publicly).

@wagoodman
Contributor

dev note: before jumping into implementing we should try to enumerate the set of data sources that have mitigations (both sources we have incorporated today and sources we don't have yet)

@evgenymo
Author

I agree with @wagoodman; as far as I saw, about 2/3 are missing the fix info while most of them actually have fixes.

I couldn't find a good way to handle it automatically, and doing them by hand is a huge chunk of time.
So if you have other sources or better ideas, post them here as well; maybe I could contribute.
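The two questions raised in this thread, which CVEs in a scan actually carry a fix version and which data sources supply that information, can be answered from Grype's own JSON report rather than by hand. The script below is an added example written for this page; it is not code from the Grype project or from anyone in the thread. It reads the `matches[].vulnerability.fix` block (`state` and `versions`) and the `vulnerability.namespace` field that identifies the upstream source, then reports how many matches have an actionable upgrade path overall and per source. The embedded report is a constructed sample in the shape of `grype -o json` output; the CVE ids, package names and versions in it are made up. Treating only `state == "fixed"` with a non-empty version list as actionable is my choice, so that `not-fixed`, `wont-fix` and `unknown` matches (the ones that need a workaround rather than an upgrade) are surfaced separately.

```python
"""Audit fix-version coverage in a Grype JSON report (added example, not Grype code)."""
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of `grype -o json` output. The fields read below
# (matches[].vulnerability.id / namespace / fix, matches[].artifact.name / version)
# follow Grype's report layout; the CVE ids, packages and versions are invented.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "namespace": "debian:distro:debian:12",
                           "fix": {"versions": ["1.2.4-1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3-1"}},
        {"vulnerability": {"id": "CVE-0000-0002", "namespace": "debian:distro:debian:12",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3-1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "namespace": "nvd:cpe",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "examplelib", "version": "0.9.0"}},
        {"vulnerability": {"id": "CVE-0000-0004", "namespace": "github:language:python",
                           "fix": {"versions": ["2.0.1", "1.9.7"], "state": "fixed"}},
         "artifact": {"name": "examplepkg", "version": "1.9.5"}},
        {"vulnerability": {"id": "CVE-0000-0005", "namespace": "nvd:cpe",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "examplelib", "version": "0.9.0"}},
    ]
})


def fix_coverage(report_json: str) -> dict:
    """Summarise how many matches carry an actionable fix, overall and per data source.

    A match counts as actionable only when fix.state is "fixed" AND at least one fix
    version is listed. "not-fixed", "wont-fix" and "unknown" are tallied separately
    because they call for a workaround or risk acceptance rather than an upgrade.
    """
    matches = json.loads(report_json).get("matches", [])
    by_state = Counter()
    per_source = defaultdict(lambda: {"total": 0, "actionable": 0})
    missing = []  # (vuln id, package, installed version) with no upgrade path in the report

    for m in matches:
        vuln = m.get("vulnerability", {})
        fix = vuln.get("fix") or {}
        state = fix.get("state") or "unknown"
        versions = fix.get("versions") or []
        source = vuln.get("namespace", "unknown")
        art = m.get("artifact", {})

        by_state[state] += 1
        per_source[source]["total"] += 1
        if state == "fixed" and versions:
            per_source[source]["actionable"] += 1
        else:
            missing.append((vuln.get("id"), art.get("name"), art.get("version")))

    total = len(matches)
    actionable = total - len(missing)
    return {
        "total": total,
        "actionable": actionable,
        "actionable_fraction": (actionable / total) if total else 0.0,
        "by_state": dict(by_state),
        "per_source": dict(per_source),
        "missing": missing,
    }


if __name__ == "__main__":
    summary = fix_coverage(SAMPLE_REPORT)
    print(f"{summary['actionable']}/{summary['total']} matches have an upgrade path")
    for source, counts in summary["per_source"].items():
        print(f"  {source}: {counts['actionable']}/{counts['total']} actionable")
    for vid, pkg, ver in summary["missing"]:
        print(f"  no fix version: {vid} in {pkg} {ver}")
```

To run it against a real scan, write the report with `grype <image-or-dir> -o json > report.json` and pass the file contents to `fix_coverage`; the per-source table is the quickest way to see which upstream feeds are the ones leaving matches without fix data, which is the enumeration the dev note above asks for.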

@wagoodman wagoodman added the database Relating to the grype DB asset label Jul 24, 2024
Projects
Status: Backlog