Add support for enriching vulnerability information with a more detailed request

[maierthomas]

Issue by bs-jokri
Monday Oct 09, 2017 at 10:53 GMT
Originally opened as sw360/sw360portal#623

---

From @maxhbr on July 5, 2016 7:46

The cve-search api request api/cve/:cve returns a vulnerability with more information, i.e.

• a title,
• clear names for the products in the vulnerable configuration and
• the CAPEC data, which describes ways to use weaknesses and countermeasures.

The backend implementation of this should be easy.

This could be done

• automatically (and asynchronous) when a vulnerability detail page is visited
• automatically in batches
• on demand, i.e. when a button is pressed

Copied from original issue: bsinno/sw360#225

[maierthomas]

Comment by bs-jokri
Monday Oct 09, 2017 at 10:53 GMT

---

From @maxhbr on April 28, 2017 11:51

The issue https://github.com/bsinno/sw360/issues/209 is included here.

Text from #209 is:

At the moment, the CVE ID is used as external id and as title for the vulnerabilities that have been found by CVE search.

Another possibility would be to use titles that are contained in the vulnerability property cveFurtherMetaDataPerSource, which is usually filled for vulnerabilities found by CVE search. Here, meta data of different sources is stored. Some sources also provide a title as part of this meta data.

The suggestion is to determine a ranking of the sources of the meta data and use the title of the highest ranked source providing a title.

[blaumeiser-at-bosch]

Obsolete