Freshness of this advisory-database #163
Comments
|
We have automation that runs hourly but unfortunately requires a few things to go right for the import to happen automatically. However, we only pull right now from the CVE database. Perhaps we should be pulling from the GitHub advisory database as it seems more straightforward to grab PyPI-specific advisories from there since we're not doing "CPE matching" at that point? |
|
Basically we're bounded by the CVE database, so until a CVE record is published we can't scrape it. In this case GHSA was much faster. The record you're mentioning is published now, took some time though: https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-192.yaml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It looks like some of the advisories are missing in this repository. For example, listing of advisories for urllib3 (which is 1 year old) does not state GHSA-v845-jxx5-vc9f. How often does this advisory-database get refreshed? Also, is the OSV API considered to be more reliable/fresh source of advisories? I see the mentioned urllib3 advisory was assigned by GitHub, will it eventually land here? Thanks.
The text was updated successfully, but these errors were encountered: