Start ingesting NuGet Vulnerabilities
Problem to solve
We want to offer Dependency Scanning for NuGet, but first the database must contain vulnerabilities related to NuGet packages, otherwise a scan has nothing to match against.
Intended users
Proposal
This issue is focused on adding NuGet support to gemnasium-db. We are starting with the addition of advisories related to 3rd party packages because supporting them does not require any changes to the structure of gemnasium-db or the schema (MVC).
What does success look like, and how can we measure that?
The first NuGet-related advisories are present in gemnasium-db.
What is the type of buyer?
Links / references
Implementation Plan
- Create MRs adding advisories for NuGet packages
- Update the YAML schema validation CI job that runs on gemnasium-db to validate incoming NuGet advisories
- Update the gemnasium-db documentation with respect to the newly added package type
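The schema validation step needs a concrete check for the new package type. The following is an added example of such a check, not gemnasium-db's own CI job: the required field names, the set of known package types, the NuGet package ID pattern and the date format are assumptions about the advisory schema, and the sample advisory is constructed with a placeholder identifier and does not describe a real vulnerability.

```python
"""Schema check for a NuGet advisory before it is accepted into the database.

Added example, not gemnasium-db's own validator. Field names, package types and
the NuGet ID pattern are assumptions; the sample advisory is a constructed
placeholder, not a real vulnerability.
"""
import re

# Package types the (assumed) schema already accepts; "nuget" is the one this
# issue adds. A typo in the slug prefix must be rejected, not silently ingested.
KNOWN_PACKAGE_TYPES = {"conan", "gem", "go", "maven", "npm", "nuget", "packagist", "pypi"}

# Fields every advisory must carry (assumption about the advisory schema).
REQUIRED_FIELDS = ("identifier", "package_slug", "title", "description", "date", "affected_range")

# NuGet package IDs: letters, digits, dots, underscores and hyphens (assumption).
NUGET_ID = re.compile(r"^[A-Za-z0-9_.-]+$")
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_advisory(advisory: dict) -> list:
    """Return a list of schema violations; an empty list means the advisory passes."""
    errors = []

    for field in REQUIRED_FIELDS:
        if field not in advisory or advisory[field] in ("", None):
            errors.append(f"missing required field: {field}")

    # package_slug is "<type>/<name>"; the type selects the scanner that will
    # consume the advisory, so it must be one the pipeline actually knows.
    slug = str(advisory.get("package_slug", ""))
    pkg_type, sep, pkg_name = slug.partition("/")
    if not sep or not pkg_name:
        errors.append(f"package_slug must be '<type>/<name>', got {slug!r}")
    elif pkg_type not in KNOWN_PACKAGE_TYPES:
        errors.append(f"unknown package type {pkg_type!r} in package_slug")
    elif pkg_type == "nuget" and not NUGET_ID.match(pkg_name):
        errors.append(f"invalid NuGet package ID {pkg_name!r}")

    if advisory.get("date") and not DATE.match(str(advisory["date"])):
        errors.append("date must be YYYY-MM-DD")

    fixed = advisory.get("fixed_versions", [])
    if not isinstance(fixed, list) or not all(isinstance(v, str) for v in fixed):
        errors.append("fixed_versions must be a list of version strings")

    return errors


# Constructed sample advisory (placeholder identifier, not a real vulnerability).
SAMPLE_NUGET_ADVISORY = {
    "identifier": "EXAMPLE-0000",
    "package_slug": "nuget/Example.Package",
    "title": "Placeholder title",
    "description": "Placeholder description used only to exercise the validator.",
    "date": "2020-01-01",
    "affected_range": "<2.0.0",
    "fixed_versions": ["2.0.0"],
}

# Same advisory with two defects a CI job should catch: a misspelled package
# type in the slug and a missing description.
BROKEN_ADVISORY = {k: v for k, v in SAMPLE_NUGET_ADVISORY.items() if k != "description"}
BROKEN_ADVISORY["package_slug"] = "nugget/Example.Package"


if __name__ == "__main__":
    for name, adv in (("sample", SAMPLE_NUGET_ADVISORY), ("broken", BROKEN_ADVISORY)):
        problems = validate_advisory(adv)
        print(name, "OK" if not problems else problems)
```

In a CI job each advisory file would be loaded with a YAML parser (for example PyYAML's `yaml.safe_load`) and passed to `validate_advisory`; the job fails if any advisory returns a non-empty list, which keeps a malformed slug from reaching the scanner.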
@NicoleSchwartz
Product Management: no release post until scanning and more vulnerabilities are available; reach out directly via account managers.
Current state
Alpha: a limited set of vulnerabilities is ingested, and we are working toward ingesting new ones as they arrive. To move beyond alpha we need users to start using NuGet dependency scanning and provide feedback.
Edited by Julian Thome