[windup-dev] Victims Java API, data, features

Ondrej Zizka ozizka at redhat.com
Tue May 31 13:09:29 EDT 2016



Hi Jason,

(I'm sending a 2nd mail to start a new thread; please ignore the previous one.)

I have looked closer at Victims.
I have a few questions/issues. Could you please help resolve those?

Note: I'm adding a PUBLIC mailing list, Windup developers. Feel free to 
add some Victims list (is there one?)

1) Hashes are not real checksums
As someone wrote in https://github.com/victims/victims-cve-db/issues/45
the hashes used by Victims are not just SHA512 hashes of the file 
content, but something else.
I'd like to be able to either find CVEs by a normal file content hash, 
or create the Victims hash.
a) Is there a Java impl?
b) Could you add the plain SHA512 (or other, I'm okay with just CRC32) 
hash to the data?

2) Victims Java client API

The Java API doesn't match the needs much.
From what I can see, it can
    a) Sync with the server
    b) Give me a list of CVEs for a given SHA512 hash.

What I would like to have is:
* Have some offline data distributed with our app, provide these data
* Search the database by Maven coordinates, classes,
* Get a short description of the CVE and date of appearance and 
how/where it was fixed

Is there a plan for extending the Java API?
Also I guess not all these are covered in the Victims database, right?

3) Configuration
The configuration is done through system properties, that's not too 
fortunate.
For instance it doesn't allow running multiple clients at once in the 
same JVM.
Could that be done through an API?

4) Data structure
The data structure of the JSON is not obvious. Is there some docs for it?

5) Data storage
The data are only stored in a database over JDBC. Could it be simply 
stored in a JSON or XML file? The file is just 165 KB and not growing 
too fast, so I think rather than bringing an embedded DB as a 
dependency, I'd prefer to process an XML file into a HashMap or a Lucene 
index and use that.


Thanks,
Ondra
On 4.4.2016 02:16, Jason Shepherd wrote:
> Hi Ondra,
>
> The architecture of Victims is such that you should never need to
> 'download' the database. The client is designed to connect to the
> central http://victi.ms API to get the latest vulnerabilities.
>
> That being said, the authors also have a 'backup' of the data in the
> form of a Github repository, [1]. In fact some members of the
> community have built a tool which just uses this repository, and does
> not use the API at all. Recently we've built a tool to rebuild the
> database from the Github repository, but it still needs some work,
> [3].
>
>     [1] https://github.com/victims/victims-cve-db
>     [2] https://github.com/h3xstream/maven-security-versions
>     [3] https://github.com/jasinner/victims-db-builder
>
> Let me know if you need any further information.
> Regards,
> Jason Shepherd
>
> On Fri, Apr 1, 2016 at 1:38 AM, Ondrej Zizka <ozizka at redhat.com> wrote:
>> Great to know it goes on, last time I talked to someone (I think djorm), he
>> said the development was stagnant.
>>
>> Jason, is there a way to download a single big file with all data in the
>> database?
>>
>> Thanks,
>> Ondra
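Point 1 above (the Victims hashes not being plain checksums of the file) is easier to reason about with a concrete comparison. The following is an added Python example, not code from this thread or from the Victims project: it packs the same constructed entries into two in-memory JARs that differ only in entry timestamps, and shows that the plain SHA-512 of the file content changes while a hash over the sorted entry contents does not. The entry-based scheme is an assumed illustration of a content-derived hash, not the actual Victims algorithm.

```python
import hashlib
import io
import zipfile

# Constructed sample entries standing in for JAR contents (not real bytecode).
SAMPLE_ENTRIES = {
    "com/example/Foo.class": b"\xca\xfe\xba\xbe foo",
    "com/example/Bar.class": b"\xca\xfe\xba\xbe bar",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}


def build_jar(entries, date_time):
    """Write entries into an in-memory JAR with a fixed per-entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def plain_sha512(jar_bytes):
    """Plain SHA-512 of the whole file content, as asked for in point 1b."""
    return hashlib.sha512(jar_bytes).hexdigest()


def entry_content_sha512(jar_bytes):
    """Assumed illustration (not the Victims hash): SHA-512 over the sorted
    (entry name, SHA-512 of entry bytes) pairs, so archive metadata such as
    timestamps does not influence the result."""
    digest = hashlib.sha512()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/"):  # skip directory entries
                continue
            digest.update(name.encode("utf-8") + b"\0")
            digest.update(hashlib.sha512(zf.read(name)).digest())
    return digest.hexdigest()


def compare_rebuilds():
    """Same entries, two different build timestamps: compare both hash kinds."""
    jar_a = build_jar(SAMPLE_ENTRIES, (2016, 4, 1, 0, 0, 0))
    jar_b = build_jar(SAMPLE_ENTRIES, (2016, 5, 31, 13, 9, 28))
    return {
        "plain_same": plain_sha512(jar_a) == plain_sha512(jar_b),
        "entry_same": entry_content_sha512(jar_a) == entry_content_sha512(jar_b),
    }


if __name__ == "__main__":
    print(compare_rebuilds())
```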
