<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font size="+1">Hi Jason,</font><br>
</p>
<div class="moz-signature">Ondrej Zizka, Red Hat Migration Toolkit</div>
<div class="moz-cite-prefix">On 12.6.2017 01:30, Jason Shepherd
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+Bbw+bLi6aZvFnSG-vke-GQRD_EBhnxSuMT9q0yABwPEtf1+w@mail.gmail.com">
<div dir="ltr">Hi Ondrej,
<div><br>
</div>
<div>Sorry for the late reply on this. Stephen and I have been
discussing the Victims project lately and I realised I hadn't
forwarded his feedback to him, so please see his replies to
your feedback below.</div>
<div><br>
</div>
<div>However I think we are going to refocus our efforts a bit
on Victims. OWASP dependency check has become a very popular
project for vulnerability tracking. It's being used by Fabric8
for vulnerability scanning in Openshift.IO at the moment. The
OWASP project is willing to add Victims as a datasource, so I
think we should focus our efforts on that in order to get
their features, and also have some influence on the data in
that tool.</div>
</div>
</blockquote>
Good news!<br>
<blockquote type="cite"
cite="mid:CA+Bbw+bLi6aZvFnSG-vke-GQRD_EBhnxSuMT9q0yABwPEtf1+w@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div>One thing that the community are asking for is a change in
licence for the victims-cve-db part of the project, so that's
something that we'll definitely be looking at. Some members
have suggested a CC BY-SA licence. What do you think of that?
Read the discussion here:</div>
<div><br>
</div>
<div> <a
href="https://github.com/victims/victims-cve-db/issues/25"
moz-do-not-send="true">https://github.com/victims/victims-cve-db/issues/25</a></div>
</div>
</blockquote>
I don't know much about licenses, maybe Marek will be able to tell
more. I remember Windup would have a problem with the Java client
lib being licensed under AGPL. Eclipse license would fit.<br>
Regarding the db part and CC BY-SA, I guess someone (Tobias?) would
have to consider.<br>
<br>
Ondra<br>
<blockquote type="cite"
cite="mid:CA+Bbw+bLi6aZvFnSG-vke-GQRD_EBhnxSuMT9q0yABwPEtf1+w@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Jason Shepherd</div>
<div>Product Security</div>
<div><br>
</div>
<div>
<div class="gmail_quote">---------- Forwarded message
----------<br>
From: <b class="gmail_sendername">Stephen Milner</b> <span
dir="ltr"><<a href="mailto:smilner@redhat.com"
moz-do-not-send="true">smilner@redhat.com</a>></span><br>
Date: Sat, Jun 10, 2017 at 4:45 AM<br>
Subject: Re: Victims Java API, data, features<br>
To: Jason Shepherd <<a href="mailto:jshepher@redhat.com"
moz-do-not-send="true">jshepher@redhat.com</a>><br>
<br>
<br>
Replying back to you with details. In the response please do
loop my address :-)<br>
<br>
Inline ...<br>
<span class="gmail-"><br>
On Fri, Jun 9, 2017 at 2:04 AM, Jason Shepherd <<a
href="mailto:jshepher@redhat.com" moz-do-not-send="true">jshepher@redhat.com</a>>
wrote:<br>
><br>
> ---------- Forwarded message ----------<br>
> From: Ondrej Zizka <<a
href="mailto:ozizka@redhat.com" moz-do-not-send="true">ozizka@redhat.com</a>><br>
> Date: Wed, Jun 1, 2016 at 3:09 AM<br>
> Subject: Victims Java API, data, features<br>
> To: Jason Shepherd <<a
href="mailto:jshepher@redhat.com" moz-do-not-send="true">jshepher@redhat.com</a>>,
Windup-dev List<br>
> <<a href="mailto:windup-dev@lists.jboss.org"
moz-do-not-send="true">windup-dev@lists.jboss.org</a>><br>
><br>
><br>
><br>
><br>
><br>
> Hi Jason,<br>
><br>
> (I'm sending a 2nd mail to start a new thread, please
ignore the previous one.)<br>
><br>
> I have looked closer at Victims.<br>
> I have a few questions/issues. Could you please help
resolving those?<br>
><br>
> Note: I'm adding a PUBLIC mailing list, Windup
developers. Feel free to add<br>
> some Victims list (is there one?)<br>
><br>
> 1) Hashes are not real checksums<br>
> As someone wrote in <a
href="https://github.com/victims/victims-cve-db/issues/45"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://github.com/victims/<wbr>victims-cve-db/issues/45</a><br>
> the hashes used by Victims are not just SHA512 hashes
of the file content,<br>
> but something else.<br>
> I'd like to be able to either find CVE's by a normal
file content hash, or<br>
> create the Victims hash.<br>
<br>
</span>That's a fair request. For some background, the
reason we recreate a specific hash is that different Java
implementations create different bytecode, resulting in
different hashes. Our hash creator strips out
implementation-specific items for creating and scanning.<br>
<span class="gmail-"><br>
> a) Is there a Java impl?<br>
<br>
</span>Client side there is via <a
href="https://github.com/victims/victims-lib-java"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://github.com/victims/<wbr>victims-lib-java</a><br>
<span class="gmail-"><br>
> b) Could you add the plain SHA512 (or other, I'm okay
with just CRC32) hash<br>
> to the data?<br>
<br>
</span>We could do so. I assume this would be the SHA512 of
the vulnerable jar file.<br>
<span class="gmail-"><br>
> 2) Victims Java client API<br>
><br>
> The Java API doesn't match the needs much.<br>
> From what I can see, it can<br>
> a) Sync with the server<br>
> b) Give me a list of CVE for given SHA512 hash.<br>
><br>
> What I would like to have is:<br>
> * Have some offline data distributed with our app,
provide these data<br>
> * Search the database by Maven coordinates, classes,<br>
> * Get a short description of the CVE and date of
appearance and how/where it<br>
> was fixed<br>
><br>
> Is there a plan for extending the Java API?<br>
> Also I guess not all these are covered in the Victims
database, right?<br>
<br>
</span>You're correct. There is a disconnect between the
victims-cve-db and the hash database. Folks have been pretty
great at submitting items to the victims-cve-db but we've
gotten very few submissions for the hash db. Part of me
wonders if it would be more beneficial to combine the two in
the victims-cve-db. Syncing would then be a ``git pull``
rather than an API call. It would also let people do PR's for
data inclusion, which may be more submitter friendly.
Thoughts?<br>
<span class="gmail-"><br>
> 3) Configuration<br>
> The configuration is done through system properties,
that's not too<br>
> fortunate.<br>
> For instance it doesn't allow to run multiple clients
at once in the same<br>
> JVM.<br>
> Could that be done through an API?<br>
<br>
</span>I don't see why not. However, I think we would need
some help to do that.<br>
<span class="gmail-"><br>
> 4) Data structure<br>
> The data structure of the JSON is not obvious. Is
there some docs for it?<br>
<br>
</span>No, but there should be. Here are some pointers I
threw together:<br>
<br>
<a
href="https://gist.github.com/ashcrow/df238b1cc1e8a2f4bba94a6bb310805e"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://gist.github.com/<wbr>ashcrow/<wbr>df238b1cc1e8a2f4bba94a6bb31080<wbr>5e</a><br>
<span class="gmail-"><br>
> 5) Data storage<br>
> The data are only stored in a database over JDBC.
Could it be simply stored<br>
> in a JSON or XML file? The file is just 165 KB and
not growing too fast, so<br>
> I think rather than bringing an embedded DB as a
dependency, I'd prefer to<br>
> process an XML file into a HashMap or a Lucene index
and use that.<br>
<br>
</span>I added a possible replacement at<br>
<a
href="https://gist.github.com/ashcrow/df238b1cc1e8a2f4bba94a6bb310805e"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://gist.github.com/ashcrow/df238b1cc1e8a2f4bba94a6bb310805e</a>.<br>
Essentially we'd move to a YAML format which is a combined
version of the victims-cve-db and the hash database (which
currently sits behind the API). Instead of syncing with the
API one would sync via git and pull down the latest changes.
PTAL and let me know what you think.<br>
<div class="gmail-HOEnZb">
<div class="gmail-h5"><br>
<br>
> On 4.4.2016 02:16, Jason Shepherd wrote:<br>
>><br>
>> Hi Ondra,<br>
>><br>
>> The architecture of Victims is such that you
should never need to<br>
>> 'download' the database. The client is designed
to connect to the<br>
>> central <a href="http://victi.ms"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://victi.ms</a> API to get
the latest vulnerabilities.<br>
>><br>
>> That being said, the authors also have a
'backup' of the data in the<br>
>> form of a Github repository, [1]. In fact some
members of the<br>
>> community have built a tool which just uses
this repository, and does<br>
>> not use the API at all. Recently we've built a
tool to rebuild the<br>
>> database from the Github repository, but it
still needs some work,<br>
>> [3].<br>
>><br>
>> [1] <a
href="https://github.com/victims/victims-cve-db"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://github.com/victims/<wbr>victims-cve-db</a><br>
>> [2] <a
href="https://github.com/h3xstream/maven-security-versions"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://github.com/h3xstream/<wbr>maven-security-versions</a><br>
>> [3] <a
href="https://github.com/jasinner/victims-db-builder"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://github.com/jasinner/<wbr>victims-db-builder</a><br>
>><br>
>> Let me know if you need any further
information.<br>
>> Regards,<br>
>> Jason Shepherd<br>
>><br>
>> On Fri, Apr 1, 2016 at 1:38 AM, Ondrej Zizka
<<a href="mailto:ozizka@redhat.com"
moz-do-not-send="true">ozizka@redhat.com</a>>
wrote:<br>
>>><br>
>>> Great to know it goes on, last time I
talked to someone (I think djorm),<br>
>>> he<br>
>>> said the development was stagnant.<br>
>>><br>
>>> Jason, is there a way to download a single
big file with all data in the<br>
>>> database?<br>
>>><br>
>>> Thanks,<br>
>>> Ondra<br>
><br>
><br>
<br>
<br>
<br>
</div>
</div>
<span class="gmail-HOEnZb"><font color="#888888">--<br>
Thanks,<br>
Steve Milner<br>
<br>
Atomic | Red Hat | <a href="http://projectatomic.io/"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://projectatomic.io/</a> |
<a href="http://commissaire.io" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://commissaire.io</a><br>
</font></span></div>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>