Ambiguous Prospector vulnerability information pulling mechanism #374

Open
JafarAkhondali opened this issue Jul 12, 2023 · 1 comment
@JafarAkhondali

Looks like the use_nvd option is never used in the source code:

use_nvd: bool = True,

And then the nvd is only used in the backend router?
Is there any way to feed a raw statement or multiple descriptions (either structured or unstructured) to Prospector so it doesn't request them online, and retrieve fixed commits?

@copernico
Contributor

Hi, I guess you are right, this part of the code was left in an inconsistent state after some changes that were implemented in the past few months.

The original plan (which is still valid, although it is not reflected in the code currently) is to allow the user to provide a description instead of fetching it from the NVD. Because we seldom used this feature in our own work, this was sort of forgotten.

Unfortunately I'm quite busy at the moment on other parts of the project, especially finalising some empirical evaluation whose side effect will hopefully be a few hundred more vulnerability statements, so I can't commit to providing a solution in the short term.
However, if you would like to contribute by fixing this broken feature, that would be very appreciated (and I could support by providing some guidance, if needed).
