support for GIT ecosystem via rest API #2040
Replies: 3 comments
Can I ask what use case you have in mind searching with the GIT ecosystem? Currently there is nothing to actually search for with a git ecosystem, as a Git repo does not have a package name, only a repo URL. If you want to know whether a specific repo has affected vulnerabilities, currently the way to do so is to do a commit query. Something we could add is to allow you to search by repository URLs, e.g. give me all vulnerabilities for this git repo. Would this help?
Thanks for your reply Rex. The use case is to monitor vulnerabilities for a series of specific repos used by a Java application. I understand the metadata is a bit limited, e.g. How I would use this is to keep track of which CVE had been reviewed/actioned and be notified of new CVE. I guess the only other consideration is whether there might need to be say a date filter on ModifiedDate to avoid an API which returns the entire history with every call. Thanks
So our intended workflow is to use either query by:
This way you don't need to filter by ModifiedDate, we will only show vulnerabilities that affect the specific version you are querying. So if you are using a list of repositories, you can just query for the commit you are using, or query the list of package names/versions you are using. (If you specify all the packages used by your Java application in a pom.xml file, you might be interested in using Do these options cover your use case?
When calling the rest API with ecosystem "GIT" (or "Git") the API returns with:
{"code":3,"message":"Invalid ecosystem."}
No issues when using other ecosystems such as the PyPI sample.
Searching via the browser interface appears to support CVEs sourced from the GIT ecosystem.
Is this a missing feature in the restful API or is the deployed code servicing the restful API not up to date with all the latest CVE feeds?
Thanks
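The workflow discussed in this thread (query by commit or by package name and version, then compare the result with the CVEs already reviewed), as an added example that is not part of the discussion or the project's own code. It assumes the public endpoint `https://api.osv.dev/v1/query` and a success body shaped as `{"vulns": [{"id": ...}]}`; the helper names, the sample IDs and the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # assumption: not stated in the thread

def build_query(commit=None, name=None, ecosystem=None, version=None):
    """Build one request body: by commit hash, or by package name + version."""
    if commit:
        return {"commit": commit}
    if name and ecosystem and version:
        return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}
    # An ecosystem alone (e.g. "GIT") identifies nothing to look up.
    raise ValueError("need a commit hash, or package name + ecosystem + version")

def parse_response(body):
    """Return the set of vulnerability IDs, raising on an API error body."""
    data = json.loads(body)
    if "code" in data and "message" in data:  # error shape quoted in the thread
        raise RuntimeError(f"API error {data['code']}: {data['message']}")
    return {v["id"] for v in data.get("vulns", [])}

def new_findings(body, reviewed):
    """IDs affecting the queried version that have not been reviewed yet."""
    return sorted(parse_response(body) - set(reviewed))

def fetch(query, url=OSV_QUERY_URL):
    """POST one query; an HTTP error body is returned so parse_response can raise."""
    req = urllib.request.Request(url, data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()

# Constructed sample responses (IDs are placeholders, not real advisories).
SAMPLE_OK = '{"vulns": [{"id": "EXAMPLE-0001"}, {"id": "EXAMPLE-0002"}]}'
SAMPLE_ERR = '{"code":3,"message":"Invalid ecosystem."}'

if __name__ == "__main__":
    print(build_query(commit="0" * 40))             # body for a commit query
    print(new_findings(SAMPLE_OK, {"EXAMPLE-0001"}))  # only the unreviewed ID
    try:
        parse_response(SAMPLE_ERR)
    except RuntimeError as exc:
        print(exc)
```

Because each query is pinned to a commit or version, the tracker only needs the stored set of reviewed IDs, not a date filter.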