Comments (5)
Technically, I agree that it'd be much easier to share the vulnerability information in a format that can be imported straightforwardly into the database.
Until today, we refrained from doing so because of license concerns. PatchAnalyzer computes the abstract syntax trees of the vulnerable methods; sharing such information thus essentially corresponds to redistributing the code of the respective open source component.
This is probably OK with the licenses of most of the projects. However, so far we do not collect license information systematically and do not consider it in our workflows.
from steady.
PatchAnalyzer offers the -d option to delete temporary directories. However, it is not advisable to use it for bulk imports, because many CVEs concern the same source code repository; hence, the expensive cloning would be done over and over again. As such, for bulk imports, we still suggest manually deleting the temporary directories.
In the mid-term, we anyhow plan to rework the sharing and import of vulnerability information such that Steady does not need to wrap Git or other VCS clients any more.
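The per-repository batching the maintainer recommends above (clone a repository once, analyze every CVE that concerns it, then delete the checkout before moving on) written out as an added example. This is not code from the Eclipse Steady project: the analyzer command (`PATCH_ANALYZER_CMD`) and its argument order are assumptions to be replaced with PatchAnalyzer's documented options, and the sample records are constructed.

```python
"""Bulk-import driver that clones each source repository once for all of its CVEs.

Added example, not part of Eclipse Steady. Assumptions: the analyzer is a
command reachable as PATCH_ANALYZER_CMD taking (cve, commit, workdir), and
vulnerability records carry the fields "cve", "repo" and "commit".
"""
import os
import subprocess
import tempfile
from collections import OrderedDict

# Assumed wrapper name; PatchAnalyzer's real invocation differs.
PATCH_ANALYZER_CMD = os.environ.get("PATCH_ANALYZER_CMD", "patch-analyzer")

# Constructed sample input. Two of the three CVEs concern the same repository,
# so a naive per-CVE loop would clone libA twice.
SAMPLE_RECORDS = [
    {"cve": "CVE-EXAMPLE-0001", "repo": "https://example.invalid/org/libA.git", "commit": "aaaa111"},
    {"cve": "CVE-EXAMPLE-0002", "repo": "https://example.invalid/org/libB.git", "commit": "bbbb222"},
    {"cve": "CVE-EXAMPLE-0003", "repo": "https://example.invalid/org/libA.git", "commit": "aaaa333"},
]


def group_by_repo(records):
    """Return {repo_url: [record, ...]}, preserving first-seen order of repositories."""
    groups = OrderedDict()
    for rec in records:
        groups.setdefault(rec["repo"], []).append(rec)
    return groups


def git_clone(repo_url, dest):
    """Real clone used outside of tests; one call per repository, not per CVE."""
    subprocess.run(["git", "clone", "--quiet", repo_url, dest], check=True)


def run_patch_analyzer(cve, commit, workdir):
    """Hypothetical argument layout; substitute PatchAnalyzer's documented options."""
    subprocess.run([PATCH_ANALYZER_CMD, cve, commit, workdir], check=True)


def run_bulk_import(records, clone=git_clone, analyze=run_patch_analyzer):
    """Clone each repository once, analyze all of its CVEs, then delete the checkout.

    The checkout lives in a TemporaryDirectory, so it is removed when the
    repository's group is finished (also on error), which keeps disk usage at
    one working copy at a time without passing -d on every single CVE.
    Returns (clones_performed, cves_analyzed_in_order).
    """
    clones = 0
    analyzed = []
    for repo_url, recs in group_by_repo(records).items():
        with tempfile.TemporaryDirectory(prefix="steady-bulk-") as tmp:
            dest = os.path.join(tmp, "repo")
            clone(repo_url, dest)
            clones += 1
            for rec in recs:
                analyze(rec["cve"], rec["commit"], dest)
                analyzed.append(rec["cve"])
        # the checkout is gone here, before the next repository is cloned
    return clones, analyzed


if __name__ == "__main__":
    n_clones, cves = run_bulk_import(SAMPLE_RECORDS)
    print(f"cloned {n_clones} repositories for {len(cves)} CVEs")
```

Grouping is done up front so that a repository with many CVEs is cloned exactly once; the number of clones equals the number of distinct repositories rather than the number of CVEs, which is the cost the maintainer warns about when -d is used per import.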
> As such, for bulk imports, we still suggest to manually delete the temporary directories.

I am using a VM where storage space is limited.

> In the mid-term, we anyhow plan to rework the sharing and import of vulnerability information such that Steady does not need to wrap Git or other VCS clients any more.

Yes, now that I am deleting the repository data after importing each CVE, importing is taking a long time (~12 hours and still running). If the patch-analyzer analyzes the patch to determine the location of CVEs (I am assuming), isn't it more viable to have the final data ready and import that at once?
Thanks!
Thank you so much for taking your time for this clarification!
You're very welcome, please close the ticket if you think you're good for the time being.
Cheers, Henrik