-
Notifications
You must be signed in to change notification settings - Fork 231
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate security reports with OSV.dev #4052
Comments
Greetings from OSV 😄 OSV.dev's onboarding process in a nutshell (actionable feedback welcome):
Known onboarding rough edges:
We're here to help If you have any questions, please feel free to reach out. If you'd like to discuss interactively, the best preexisting place to catch us is in the OpenSSF Vulnerability Disclosures Working Group monthly call |
Hi @taraspos @andrewpollock 👋 Before moving forward, I'd like to check with you if the data in the security reports Artifact Hub collects would actually be useful to OSV. Let me share some thoughts (and challenges we've encountered 😅) with you to see what you think 🙂.
There are some other points worth mentioning as well, but I think I'm extending too much 😅 I thought OSV was more focused on collecting vulnerabilities at a lower level, vulnerabilities in the building blocks, instead of in wide aggregations made by another tool. But if you find value in the information we're collecting for your use case we'd be happy to work with you and make it happen 🙂 |
Hi @tegioz! Thanks for your reply. All the points you've raised make sense. I'd be interested to hear @andrewpollock's opinion on this topic.
In my case, aggregated data is exactly what I miss in the OSV database, and that's what Artifact Hub provides and does well. While UI ArtifactHub provides is great, my main use case is that I want Renovate Bot to be able to tell me if upgrading certain container images and helm charts fixes certain vulnerabilities (and then potentially group updates by priority, etc). Renovate bot is already integrated with OSV12 and can fetch vulnerability data for certain package types, but not container images or helm charts. If we find that integrating ArtifactHub with OSV is not the right direction, we should then think about integrating Renovate Bot with ArtifactHub directly. (cc @rarkins @viceice) Footnotes |
Is your feature request related to a problem? Please describe.
OSV.dev is OpenSource vulnerability database integrated with various tools (like Renovate Bot for example). Currently it lacks data about container image/helm chart vulnerabilities.
Artifacthub.io runs trivy to scan container images1, would be great to be able to see vulnerability information collected by Artifacthub in osv.dev.
Describe the solution you'd like
OSV.dev has multiple ways to contribute vulnerability information 2. ArtifactHub could publish results of trivy scans to the database. As per REST API datasource example, implementation will require two new endpoints, one to list all available CVEs and one to get CVE details:
Vulnerabilities should be formatted in OSV Schema3
Describe alternatives you've considered
N/A
Additional context
Footnotes
https://artifacthub.io/docs/topics/security_report/ ↩
https://google.github.io/osv.dev/faq/#can-i-contribute-data ↩
https://github.com/google/osv-scanner/blob/main/pkg/models/vulnerability.go ↩
The text was updated successfully, but these errors were encountered: