This repository has been archived by the owner on Apr 15, 2024. It is now read-only.

Vulnerability monitoring/latest lib versioning #41

Open
hrbrmstr opened this issue May 2, 2018 · 3 comments

Comments

@hrbrmstr

hrbrmstr commented May 2, 2018

cool idea!

is there a plan for ensuring that this DB refers to non-vulnerable versions of the libraries?

I can assist with that if needed.

@gaborcsardi
Contributor

TBH I am not sure how we could do that. It is a lot of work to keep such a DB updated.

@hrbrmstr
Author

hrbrmstr commented May 2, 2018

I had a huge # of paragraphs here but removed them. I guess, perhaps, what has me skittish is the hard-coded version #'s more than anything else. That is definitely a path towards a project like this actually fostering the spread of vulns. I realize there is nothing out there that says this project has to care about that.

A suggested alternative is at the end. You already (theoretically) get the latest/"secure" libs with the way DEB/brew/RPM are specified (provided folks ensure they keep current). For Windows, point to the distribution URL and not specific version #'s. Does it mean more work for the end-user? Sure. Does it reduce the efficacy of automation based on this pkg on Windows systems? Yes. But it also doesn't foster the proliferation of vulnerabilities, esp. on a platform that doesn't need help being terribly insecure.

{
  "libxml2": {
    "sysreqs": "/libxml2/",
    "platforms": {
      "DEB": {
        "runtime": "libxml2",
        "buildtime": "libxml2-dev"
      },
      "OSX/brew": null,
      "RPM": "libxml2",
      "Windows": {
        "deps": [
          {
            "zlib": {
              "32bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/",
              "64bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/"
            }
          },
          {
            "iconv": {
              "32bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/",
              "64bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/"
            }
          },
          {
            "zlib": {
              "32bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/",
              "64bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/"
            }
          }
        ]
      }
    }
  }
}
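One way to check records like the one above for the pinned-version risk raised in this comment, as an added example that is not part of sysreqsdb: a small linter that walks the Windows "deps" entries and flags any source location that embeds a release number instead of a plain distribution directory, and any dependency listed twice. The field names follow the proposed schema; the version regex and the sample's pinned archive name are assumptions.

```python
"""Lint a sysreqsdb-style record for hard-coded library versions. Added example,
not sysreqsdb code: it walks the Windows "deps" of a record shaped like the proposal
above and flags locations embedding a release number, plus dependencies listed twice."""
import json
import re

# Version-looking token (1.2.11, v2.9.8) not glued to a word, so "win32" is ignored.
VERSION_RE = re.compile(r"(?<![\w.])v?\d+(?:\.\d+)+")

def _windows_deps(record):
    """Yield (library, dependency, {key: location}) for each Windows dep entry."""
    for lib, entry in record.items():
        windows = entry.get("platforms", {}).get("Windows")
        if not isinstance(windows, dict):
            continue  # missing, null or a bare package name: nothing to check
        for dep in windows.get("deps", []):
            for dep_name, locs in dep.items():
                yield lib, dep_name, locs

def find_pinned_versions(record):
    """Return (lib, dep, key, location, version) for every pinned source location."""
    findings = []
    for lib, dep_name, locs in _windows_deps(record):
        for key, loc in locs.items():
            match = VERSION_RE.search(loc)
            if match:
                findings.append((lib, dep_name, key, loc, match.group(0)))
    return findings

def find_duplicate_deps(record):
    """Return (lib, dep) pairs that appear more than once in a Windows deps list."""
    seen, dups = set(), []
    for lib, dep_name, _ in _windows_deps(record):
        if (lib, dep_name) in seen and (lib, dep_name) not in dups:
            dups.append((lib, dep_name))
        seen.add((lib, dep_name))
    return dups

# Constructed sample: the proposal's Windows block, with one location changed to a
# made-up version-pinned archive name so the linter has something to flag.
SAMPLE = json.loads("""{"libxml2": {"sysreqs": "/libxml2/", "platforms": {"Windows": {"deps": [
  {"zlib": {"32bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/", "64bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/"}},
  {"iconv": {"32bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/iconv-1.9.2.win32.zip", "64bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/"}},
  {"zlib": {"32bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/", "64bit-src-loc": "ftp://ftp.zlatkovic.com/libxml/"}}]}}}}""")

if __name__ == "__main__":
    for lib, dep, key, loc, ver in find_pinned_versions(SAMPLE):
        print("%s/%s %s pins version %s: %s" % (lib, dep, key, ver, loc))
    for lib, dep in find_duplicate_deps(SAMPLE):
        print("%s lists dependency %s more than once" % (lib, dep))
```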

@gaborcsardi
Contributor

gaborcsardi commented May 2, 2018

Yes, I agree. sysreqsdb is not actively used on Windows, though, exactly because it is hard(er) to automate installation. So for now, this is largely theoretical.

Maybe what might be feasible is somehow cross-referencing a vulnerability DB. Do you know of any such DBs that have an API we could refer to?
