greysteil

Creating a public vulnerabilities database

I’ve been looking for an open-source database of Elixir vulnerabilities, similar to The Ruby Advisory Database, The RustSec Advisory Database, or The PHP Advisory Database. As far as I can tell, there isn’t one for Elixir yet.

Assuming I’m not missing an existing one, would people be up for helping me maintain an Elixir one? I built Dependabot, and want to create a DB for vulnerabilities so that it can immediately create and tag security-related PRs in the same way it does for other languages (details here).

Most Liked Responses

ericmj

Elixir Core Team

There is a Google Summer of Code proposal project [1] for adding features to Hex that will allow users to report security vulnerabilities, maintaining a database of confirmed vulnerabilities, and displaying the reports on the hex.pm website and CLI tooling. I have talked about this in the past [2] and I hope it can work similar to NPM’s feature set for reporting and curating vulnerabilities that @kitplummer linked to.

[1] Home · erlef/gsoc Wiki · GitHub
[2] https://forum.elixirforum.com/t/create-hex-pm-vulnerability-disclosure-feature/15905/7

greysteil

Happy to help with anything on the database, be that:

  1. continuing to merge PRs as/when folks submit them to the database
  2. adding additional maintainers to the database (after auditing their GitHub account, of course)
  3. transferring the database to another namespace, if folks want

When I started the database I was building Dependabot, which was directly consuming from it. Since then, Dependabot got acquired by GitHub, and I ended up working on all things related to code scanning there. Dependabot still consumes the database though 🙂

Longer term, I’d love to see the database become part of GitHub Advisory Database · GitHub. That DB

  • is licensed under Creative Commons Attribution 4.0, which I think is acceptable
  • is easy for maintainers to contribute to (for supported languages, which don’t yet include Elixir) and linked up to a flow where GitHub will issue CVEs when required/desired (which is already supported for Elixir)
  • receives dedicated curation (we have folks at GitHub who are paid to maintain it and to review all entries in the NVD for missing entries)

We’re not there quite yet on adding support for Elixir to GitHub Advisory Database · GitHub - the blocker on GitHub’s side is having our curation tooling and team in a place where they can take on new languages. In the meantime I’m more than happy to keep doing the right thing on GitHub - dependabot/elixir-security-advisories: Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir. · GitHub.

griffinbyatt

I think a vulnerability database would be great as a standalone project. If you (or anyone) ends up creating one, I’m sure it would end up as a Sobelow integration 🙂
