forked from intel/cve-bin-tool
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: adding false positives to mismatch data (intel#4245)
Signed-off-by: Meet Soni <[email protected]>
- Loading branch information
Showing
4 changed files
with
54 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| purls: | ||
| - pkg:pypi/zstandard | ||
| invalid_vendors: | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # Adding data to mismatch database | ||
|
|
||
| CVE Binary Tool uses a number of sources for vulnerability and risk data. Sometimes these can produce name collision, and to tackle this we've created a `mismatch` | ||
| database. | ||
|
|
||
| This document details the steps for adding data to the mismatch database. | ||
|
|
||
| ## 1. Update `data/` directory | ||
|
|
||
| 1. Make a new file with `namespace/product_name/mismatch_relations.yml` name under the `data/` directory. For example, `pypi/zstandard/mismatch_relations.yml` for zstandard | ||
| from pypi namespace. | ||
| 2. Populate the file with `purl-invalid_vendor` information. | ||
|
|
||
| ```yml | ||
| purls: | ||
| - pkg:pypi/zstandard | ||
| invalid_vendors: | ||
| ``` | ||
| ## 2. Run the populator script | ||
| The [`mismatch_loader`](../cve_bin_tool/mismatch_loader.py) script populates the the mismatch database with the contents of `data/` directory. | ||
|
|
||
| ```python | ||
| python -m cve_bin_tool.mismatch_loader | ||
| ``` | ||
|
|
||
| The default directory is `data/`, and default database file is `cve.db`. | ||
|
|
||
| To use a specific directory, use `--dir` flag: | ||
| ```python | ||
| python -m cve_bin_tool.mismatch_loader --dir directory_location | ||
| ``` | ||
|
|
||
| To use a specific database file, use `--database` flag: | ||
| ```python | ||
| python -m cve_bin_tool.mismatch_loader --database database_file_location | ||
| ``` | ||
|
|
||
| ## 3. (optional) Make pull request of new-found name collision | ||
|
|
||
| If you find invalid relationship, please do following: | ||
|
|
||
| - Fork the [repo](https://github.com/intel/cve-bin-tool) | ||
| - Update the `data/` directory with purl-invalid_vendor information like [this](../data/pypi/zstandard/mismatch_relations.yml) | ||
| - Create a pull request with the details of update. [Reference](https://github.com/intel/cve-bin-tool/pull/4239) |