
Comments (5)

henrikplate commented on July 16, 2024

Technically, I agree that it'd be much easier to share the vulnerability information in a format that can be imported straightforwardly into the database.

Until today, we refrained from doing so because of license concerns. PatchAnalyzer computes the abstract syntax trees of the vulnerable methods, thus, sharing such information essentially corresponds to redistributing the code of the respective open source component.

This is probably OK with the licenses of most of the projects. However, so far we do not collect license information systematically and do not consider it in our workflows.

from steady.

henrikplate commented on July 16, 2024

PatchAnalyzer offers the -d option to delete temporary directories. However, it is not advisable to use it for bulk imports, because many CVEs concern the same source code repository, hence the expensive cloning would be done over and over again. As such, for bulk imports, we still suggest manually deleting the temporary directories.

In the mid-term, we anyhow plan to rework the sharing and import of vulnerability information such that Steady does not need to wrap Git or other VCS clients any more.

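One way to avoid the repeated clones described above, as an added example that is not part of the original thread or of Steady itself: a POSIX shell helper that groups a constructed bulk-import list by repository, so each repository is cloned once, all CVEs that refer to it are analyzed back to back, and the clone is removed before the next repository is fetched. The input format, the repository URLs and the commit ids are assumptions, and the "analyze" step stands in for the PatchAnalyzer invocation, whose exact arguments are not given on this page.

```shell
#!/bin/sh
# Constructed sample input, one "<CVE> <repo-url> <fix-commit>" per line.
# URLs and commit ids are placeholders, not real identifiers.
SAMPLE_INPUT='CVE-0000-0001 https://example.invalid/org/lib-a.git aaaa111
CVE-0000-0002 https://example.invalid/org/lib-b.git bbbb222
CVE-0000-0003 https://example.invalid/org/lib-a.git aaaa333'

# Read import lines from stdin and emit a plan in which every repository is
# cloned exactly once, its CVEs are processed consecutively, and the working
# copy is removed before the next repository is cloned. This keeps disk usage
# bounded to one clone at a time without re-cloning per CVE.
# "clone"/"rm" map to git clone and deleting the temporary directory;
# "analyze" maps to the (hypothetical) per-CVE PatchAnalyzer run.
plan_bulk_import() {
    # Stable sort on the repository column keeps CVE order within a repo.
    sort -k2,2 -s | awk '
    {
        cve = $1; repo = $2; commit = $3
        if (repo != current) {
            if (current != "") printf "rm %s\n", current
            printf "clone %s\n", repo
            current = repo
        }
        printf "analyze %s %s\n", cve, commit
    }
    END { if (current != "") printf "rm %s\n", current }'
}

# Number of distinct repositories in the list, i.e. clones actually needed.
count_unique_repos() {
    awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}
```

Run with `printf '%s\n' "$SAMPLE_INPUT" | plan_bulk_import` to print the plan; three CVEs across two repositories yield two clone operations instead of three.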

nasifimtiazohi commented on July 16, 2024

> As such, for bulk imports, we still suggest to manually delete the temporary directories.

I am using a VM where storage space is limited.

> In the mid-term, we anyhow plan to rework the sharing and import of vulnerability information such that Steady does not need to wrap Git or other VCS clients any more.

Yes, now that I am deleting the repository data after importing each CVE, importing is taking a long time (~12 hours and still running). If the patch-analyzer analyzes patches to determine the location of CVEs (I am assuming), isn't it more viable to have the final data ready and import that at once?

Thanks!


nasifimtiazohi commented on July 16, 2024

Thank you so much for taking the time for this clarification!


henrikplate commented on July 16, 2024

You're very welcome, please close the ticket if you think you're good for the time being.

Cheers, Henrik

