Use CPE dictionary to improve recall on NVD API detector #274
Labels
enhancement
New feature or request
needs-triage
applied to all new customer/user issues. Removed after triage occurs.
Comments
luhring
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Context
Today, we search NVD for CVEs by constructing a CPE per package, and using that CPE for CVE lookups. The approach to this CPE generation was taken from Alpine's secfixes-tracker project, and extended slightly in some areas. Today the CPE generation code is here: https://github.com/wolfi-dev/wolfictl/blob/main/pkg/vuln/nvdapi/detector.go#L331-L440
This code helps the
wolfictl adv discovercommand find new CVEs for our packages. While the precision of today's implementation is high, the recall is unverified and probably on the low side.Idea
We could probably greatly improve recall by examining NVD's CPE Dictionary and trying to find dictionary entries that correspond to Wolfi packages. We could treat any hits in the dictionary as authoritative CPEs and avoid generating our own CPEs in that case.
We could extend today's CPE approach by manually reviewing the CPE dictionary, and that alone would be a win.
Bonus: It would be even cooler if we can automate this dictionary lookup, either by embedding some form of the dictionary in
wolfictl, or by havingwolfictlfetch and parse the dictionary at runtime.The text was updated successfully, but these errors were encountered: