New Feature: Download VulnDB Vulnerabilities Without NVD Matches #185
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…matches To prevent duplicates in Dependency-Track, this update introduces the ability to download vulnerabilities from VulnDB that lack NVD matches. This helps fill the gap in NVD reports by ensuring only unique vulnerabilities are processed. New Option: --mirror-vulnerabilities --no-nvd-additional Details: - Utilizes the VulnDB property `nvd_additional_information`. - Checks if the `nvd_additional_information` array size is 0 to filter vulnerabilities without NVD matches. Signed-off-by: Andres Tito <[email protected]>
The previous condition used `&&` (AND), causing the default mirroring behavior to trigger even when only one feed option was specified. This led to unexpected behavior where all feeds were mirrored despite a valid single feed selection. Updated the condition to use `||` (OR), ensuring the default behavior only occurs when *none* of the feed options (`--mirror-vendors`, `--mirror-products`, `--mirror-vulnerabilities`) are specified. This change prevents unnecessary mirroring and ensures the specified feed options are respected. Signed-off-by: Andres Tito <[email protected]>
Signed-off-by: Andres Tito <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Feature:
Why this is important:
We are implementing this to specifically target gaps in NVD reports. Vulnerabilities from VulnDB that are not matched to a CVE provide additional and valuable information, helping us fill in areas where NVD reports may be incomplete or lacking.
Fix: Correct Logical Condition for Default Feed Mirroring
Resolves an issue where specifying only one mirroring option (--mirror-vendors, --mirror-products, or --mirror-vulnerabilities) incorrectly triggered the default behavior of mirroring all feeds.
Updates the condition to use || (OR), ensuring default mirroring occurs only when none of the options are specified.