> Network lookup: By default, the plugin synchronizes a local h2
> with the canonical database hosted on victi.ms. The sync is
> differential. At the moment, the initial sync is > 50MB and could take a
> minute or two.

50MB? Holy meatballs... is that a simple text listing of compromised
GAVs? If so, that is truly terrifying.

At the moment the DB has 349 entries, so each entry is on average 140 KB. The data
consists of individual checksums for each class file in the known-vulnerable JAR (actually
it is more than just a checksum, the class is pre-processed to remove compiler marks and
to resolve lookup table entries, but that is a whole other topic). This enables us to
identify various builds from the same source. Say for example foobar 1.2 is vulnerable,
and we generated a database entry for Red Hat's internally built copy of foobar 1.2.
The same entry should also catch a rebuild of foobar 1.2 using a different JDK, the
upstream bits, the Maven Central bits and a superset JAR that includes foobar,
foobar-thing and foobar-otherthing all packed together in foobar-all.jar.
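The matching scheme described above (per-class fingerprints rather than a single whole-JAR checksum) can be illustrated with a small added example; it is not the victims plugin's own code. It assumes plain SHA-256 over the raw bytes of each `.class` entry and skips the normalisation step the post mentions (stripping compiler marks, resolving lookup-table entries), the JARs and class contents are constructed in memory, and the advisory identifier is a labelled placeholder. It shows why a whole-JAR hash misses a repackaged build while a per-class record still catches both the rebuild and a superset JAR like foobar-all.jar.

```python
import hashlib
import io
import zipfile

# Constructed sample class contents (not real bytecode). The real database
# normalises each class before hashing; here raw bytes are hashed for simplicity.
FOOBAR_CLASSES = {
    "com/example/foobar/Parser.class": b"\xca\xfe\xba\xbe Parser v1.2",
    "com/example/foobar/Util.class": b"\xca\xfe\xba\xbe Util v1.2",
}
EXTRA_CLASSES = {
    "com/example/thing/Thing.class": b"\xca\xfe\xba\xbe Thing v0.9",
}


def build_jar(entries, comment=b""):
    """Pack {entry_name: bytes} into an in-memory JAR (a zip file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.comment = comment
    return buf.getvalue()


def class_fingerprints(jar_bytes):
    """Return the set of SHA-256 digests of every .class entry in the JAR."""
    digests = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                digests.add(hashlib.sha256(zf.read(info)).hexdigest())
    return digests


def make_record(name, advisory, jar_bytes):
    """One database entry: the per-class fingerprints of a known-vulnerable build."""
    return {"name": name, "advisory": advisory, "classes": class_fingerprints(jar_bytes)}


def matches(record, jar_bytes):
    """A JAR matches when it contains every class of the vulnerable artifact.
    A superset JAR therefore matches; a JAR sharing only one utility class does not."""
    return bool(record["classes"]) and record["classes"] <= class_fingerprints(jar_bytes)


def whole_jar_sha256(jar_bytes):
    """The naive alternative: one checksum over the entire archive."""
    return hashlib.sha256(jar_bytes).hexdigest()


def demo():
    # The build the database entry was generated from (e.g. an internal rebuild).
    reference = build_jar(FOOBAR_CLASSES)
    record = make_record("foobar-1.2", "ADVISORY-PLACEHOLDER", reference)

    # Same classes repackaged in a different order with a zip comment: the
    # archive bytes differ, the class bytes do not.
    rebuild = build_jar(dict(reversed(list(FOOBAR_CLASSES.items()))), comment=b"upstream")
    # foobar-all.jar: the vulnerable classes plus unrelated ones.
    superset = build_jar({**FOOBAR_CLASSES, **EXTRA_CLASSES})
    # A JAR that only shares Util.class with foobar; it must not be flagged.
    unrelated = build_jar({
        "com/example/foobar/Util.class": FOOBAR_CLASSES["com/example/foobar/Util.class"],
        **EXTRA_CLASSES,
    })

    return {
        "whole_jar_hash_catches_rebuild": whole_jar_sha256(reference) == whole_jar_sha256(rebuild),
        "per_class_catches_rebuild": matches(record, rebuild),
        "per_class_catches_superset": matches(record, superset),
        "per_class_flags_unrelated": matches(record, unrelated),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the record is a set of per-class digests, the scanner only needs to ask whether every fingerprint in the record is present in the candidate JAR, which is what lets one entry cover the rebuild, the upstream artifact and the bundled foobar-all.jar. A rebuild with a different JDK would change the raw class bytes, which is exactly why the real database hashes a normalised form of each class instead of the bytes as shipped.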