Support C/C++ #82
Comments
@andrewpollock this would be the logical next step after your work on the NVD coverage!
I don't know if this is the right place for this input. If not, please direct me somewhere else :). The point of osv.dev#561 seems to be:
For our use case, the input of file hashes would be rather cumbersome. We know our dependencies and their versions – the main problem is effectively mapping these to CPEs. Since the input is not a package repository, but simply official releases / tags, there is no clear global identifier for the library. Having an API that takes the library name or source repository URL as input and returns a CPE would be really helpful – or does this already exist?
Hi @Chronial, Not at the API stage yet (or currently planned, but let's talk more). I've done some preliminary CPE Dictionary parsing looking for potential OSS repositories. Check out https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/cperepos#readme for what exists today. That's essentially CPE -> repository. There's nothing stopping that being reversed... If you can elaborate a bit more on your use case, as my work on importing relevant CVEs from the NVD evolves, we can determine the appropriateness of turning this into an API.
@andrewpollock any rough ETA for C/C++ support? Thanks much for working on this btw.
@varun-endor it's an end-of-year goal overall, but per google/osv.dev#783 (comment) I'll break this down into some milestones for interested parties to follow along on.
The NVD database part is out now! The remaining bits for OSV-Scanner support are:
I think we can call this "done"?
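Added illustration (Python; not code from osv.dev or its cperepos tool) of the CPE -> repository mapping mentioned in the comment above and the reverse lookup asked for: it parses CPE 2.3 names, extracts a canonical repository from each entry's reference URLs, and builds both indexes from constructed sample entries. SOURCE_HOSTS, the function names and the sample data are assumptions, not taken from the project.

```python
from urllib.parse import urlparse

SOURCE_HOSTS = {"github.com", "gitlab.com"}  # assumption: hosts treated as source forges

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named components. Honours
    backslash-escaped separators, which a plain str.split(':') breaks on."""
    fields, cur, esc = [], [], False
    for ch in cpe:
        if esc or ch not in ":\\":
            cur.append(ch); esc = False
        elif ch == "\\":
            esc = True
        else:  # unescaped ':' ends a field
            fields.append("".join(cur)); cur = []
    fields.append("".join(cur))
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, fields[2:]))

def repo_from_url(url: str):
    """Canonical https://host/owner/repo for a recognised forge URL, else None."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if u.hostname not in SOURCE_HOSTS or len(parts) < 2:
        return None
    return f"https://{u.hostname}/{parts[0]}/{parts[1].removesuffix('.git')}"

def build_indexes(entries):
    """entries: (cpe23_string, [reference_urls]) pairs. Returns the forward
    map vendor:product -> repo and its reverse repo -> {vendor:product}."""
    cpe_to_repo, repo_to_cpes = {}, {}
    for cpe, refs in entries:
        c = parse_cpe23(cpe)
        key = f"{c['vendor']}:{c['product']}"  # version-independent key
        for repo in filter(None, map(repo_from_url, refs)):
            cpe_to_repo.setdefault(key, repo)  # first repo reference wins
            repo_to_cpes.setdefault(repo, set()).add(key)
    return cpe_to_repo, repo_to_cpes

# Constructed sample entries (not real NVD dictionary data).
SAMPLE_ENTRIES = [
    ("cpe:2.3:a:examplevendor:libfoo:1.2.0:*:*:*:*:*:*:*",
     ["https://example.org/libfoo", "https://github.com/examplevendor/libfoo/releases"]),
    ("cpe:2.3:a:examplevendor:libfoo:1.3.0:*:*:*:*:*:*:*", ["https://github.com/examplevendor/libfoo.git"]),
]
```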
Connect osv-scanner with
To provide C/C++ dependency detection and vuln management.