greysteil
Creating a public vulnerabilities database
I’ve been looking for an open-source database of Elixir vulnerabilities, similar to The Ruby Advisory Database, The RustSec Advisory Database, or The PHP Advisory Database. As far as I can tell, there isn’t one for Elixir yet.
Assuming I’m not missing an existing one, would people be up for helping me maintain an Elixir one? I built Dependabot, and want to create a DB for vulnerabilities so that it can immediately create and tag security-related PRs in the same way it does for other languages (details here).
ericmj
There is a Google Summer of Code proposal project [1] for adding features to Hex that will allow users to report security vulnerabilities, maintaining a database of confirmed vulnerabilities, and displaying the reports on the hex.pm website and CLI tooling. I have talked about this in the past [2] and I hope it can work similar to NPM’s feature set for reporting and curating vulnerabilities that @kitplummer linked to.
[1] Home · erlef/gsoc Wiki · GitHub
[2] https://forum.elixirforum.com/t/create-hex-pm-vulnerability-disclosure-feature/15905/7
greysteil
Happy to help with anything on the database, be that:
- merging PRs as/when folks submit them to the database
- adding additional maintainers to the database (after auditing their GitHub account, of course)
- transferring the database to another namespace, if folks want
When I started the database I was building Dependabot, which was directly consuming from it. Since then, Dependabot got acquired by GitHub, and I ended up working on all things related to code scanning there. Dependabot still consumes the database though.
Longer term, I’d love to see the database become part of GitHub Advisory Database · GitHub. That DB
- is licensed under Creative Commons Attribution 4.0, which I think is acceptable
- is easy for maintainers to contribute to (for supported languages, which don’t yet include Elixir) and linked up to a flow where GitHub will issue CVEs when required/desired (which is already supported for Elixir)
- receives dedicated curation (we have folks at GitHub who are paid to maintain it and to review all entries in the NVD for missing entries)
We’re not there quite yet on adding support for Elixir to GitHub Advisory Database · GitHub - the blocker on GitHub’s side is having our curation tooling and team in a place where they can take on new languages. In the meantime I’m more than happy to keep doing the right thing on GitHub - dependabot/elixir-security-advisories: Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir. · GitHub.
griffinbyatt
I think a vulnerability database would be great as a standalone project. If you (or anyone) ends up creating one, I’m sure it would end up as a Sobelow integration.