Introduction for GSoC - Darsh

Darsh Patel darshkpatel at gmail.com
Sun Mar 15 05:47:27 UTC 2020


Greetings Marcus,
    Let me shed some light on what I'm trying to accomplish here. npm is
basically a dependency manager for NodeJS; it allows users to quickly
install libraries and dependencies for their NodeJS projects. npm now
provides 'npm audit', which reports vulnerabilities to the user and also
updates to patched versions of those dependencies with 'npm audit --fix'.
I've attached a sample report for reference.
[image: npm_audit.png]
The vulnerability information is mostly crowdsourced from
npmjs.com/advisories <https://www.npmjs.com/advisories>

Now coming back to MacPorts: multiple organizations publish CVEs (Common
Vulnerabilities and Exposures), which are linked to CPEs.
What are CPEs?
CPE stands for Common Platform Enumeration and is "a standardized method of
describing and identifying classes of applications, operating systems, and
hardware devices present among an enterprise's computing assets".
Currently, the US Government maintains a searchable index of CPEs as part
of NIST.

Since CPEs come in a standard format, cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language},
a CPE published
<https://nvd.nist.gov/products/cpe/detail/188006?status=FINAL&orderBy=CPEURI&namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aagilebits>
on 1password, for example cpe:/a:agilebits:1password:3.0:-:~~~,
can be used to identify that the package 1password
<https://distfiles.macports.org/1password-cli/> is vulnerable (the current
portfile on MacPorts isn't installing the vulnerable package).

We can either mirror the database or use the API at nvd.nist.gov to look
for vulnerable ports (I'd suggest the former).
Crowdsourcing the data is another way to identify vulnerabilities in
packages. I'd be happy to develop the full stack of a vulnerability
advisory for MacPorts, but I believe it would put more pressure on the
maintainers to also moderate the vulnerability advisory.

~Darsh
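The CPE-to-port matching the mail sketches, as an added worked example (editor's code, not Darsh's proposal code and not MacPorts tooling). It parses the CPE 2.2 URI form quoted above, and additionally the CPE 2.3 formatted-string form that the NVD link uses, then cross-references a constructed list of (port, version) pairs against a constructed list of CPE names. The 1Password CPE is the one from the mail; "example_vendor", "examplelib", "widgetd", the port versions and the alias table are made up for the example and do not correspond to real NVD entries or real ports.

```python
"""Match MacPorts-style (portname, version) pairs against CPE names.

Added example, not part of the original mail or of MacPorts. Handles the
CPE 2.2 URI form (cpe:/{part}:{vendor}:{product}:...) and the CPE 2.3
formatted-string form (cpe:2.3:{part}:{vendor}:{product}:...).
"""
import re
import urllib.parse
from typing import Dict, Iterable, List, Tuple

ANY = "*"  # CPE "ANY" (an empty component in 2.2 URIs, "*" in 2.3 strings)

CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")


def _norm(value: str) -> str:
    """Map both ANY spellings onto '*', percent-decode 2.2 escapes, lowercase."""
    if value in ("", ANY):
        return ANY
    return urllib.parse.unquote(value).lower()


def parse_cpe(name: str) -> Dict[str, str]:
    """Parse a CPE 2.2 URI or CPE 2.3 formatted string into its 11 attributes."""
    if name.startswith("cpe:2.3:"):
        # Split on colons that are not backslash-escaped, drop "cpe" and "2.3".
        fields = re.split(r"(?<!\\):", name)[2:]
        if len(fields) != len(CPE23_ATTRS):
            raise ValueError(f"malformed CPE 2.3 name: {name!r}")
        # Simplification: strip escape backslashes rather than fully unescaping.
        return {a: _norm(v.replace("\\", "")) for a, v in zip(CPE23_ATTRS, fields)}
    if name.startswith("cpe:/"):
        fields = name[len("cpe:/"):].split(":")
        if len(fields) > 7:
            raise ValueError(f"malformed CPE 2.2 URI: {name!r}")
        fields += [""] * (7 - len(fields))  # trailing components default to ANY
        part, vendor, product, version, update, edition, language = fields
        # 2.2 URIs pack the four 2.3-only attributes into the edition component
        # as ~edition~sw_edition~target_sw~target_hw~other (e.g. "~~~" above).
        sw_edition = target_sw = target_hw = other = ""
        if edition.startswith("~"):
            packed = edition.split("~")[1:]
            packed += [""] * (5 - len(packed))
            edition, sw_edition, target_sw, target_hw, other = packed[:5]
        values = (part, vendor, product, version, update, edition, language,
                  sw_edition, target_sw, target_hw, other)
        return dict(zip(CPE23_ATTRS, map(_norm, values)))
    raise ValueError(f"not a CPE name: {name!r}")


def cpe_matches_port(cpe: Dict[str, str], vendor: str, product: str,
                     version: str) -> bool:
    """True when the CPE names this application and its version is exact or ANY.

    A version of ANY means the caller still has to check the advisory's own
    version range: a bare product CPE does not assert that every version is
    affected.
    """
    if cpe["part"] != "a":  # only application CPEs are relevant to ports
        return False
    if vendor != ANY and cpe["vendor"] not in (ANY, vendor):
        return False
    if cpe["product"] != product:
        return False
    return cpe["version"] in (ANY, version)


def find_vulnerable_ports(ports: Iterable[Tuple[str, str]],
                          cpe_names: Iterable[str],
                          aliases: Dict[str, Tuple[str, str]]
                          ) -> List[Tuple[str, str, str, bool]]:
    """Return (portname, version, cpe_name, version_is_any) for each match.

    `aliases` maps a port name to the (vendor, product) used in NVD; ports with
    no alias are assumed to use their own name as the product and any vendor.
    """
    parsed = [(raw, parse_cpe(raw)) for raw in cpe_names]
    hits = []
    for portname, version in ports:
        vendor, product = aliases.get(portname, (ANY, portname.lower()))
        for raw, cpe in parsed:
            if cpe_matches_port(cpe, vendor, product, version.lower()):
                hits.append((portname, version, raw, cpe["version"] == ANY))
    return hits


# Constructed sample input: the 1Password CPE quoted in the mail plus two
# made-up CPE names (example_vendor, examplelib and widgetd are fictitious).
SAMPLE_CPES = [
    "cpe:/a:agilebits:1password:3.0:-:~~~",
    "cpe:2.3:a:example_vendor:examplelib:1.2.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:widgetd:*:*:*:*:*:*:*:*",
]
# Constructed (portname, version) pairs standing in for a `port installed` listing.
SAMPLE_PORTS = [("1password-cli", "1.8.0"), ("examplelib", "1.2.3"),
                ("examplelib", "1.2.4"), ("widgetd", "2.0")]
# Hypothetical alias: the port name differs from the NVD vendor/product pair.
SAMPLE_ALIASES = {"1password-cli": ("agilebits", "1password")}

if __name__ == "__main__":
    for portname, version, raw, version_any in find_vulnerable_ports(
            SAMPLE_PORTS, SAMPLE_CPES, SAMPLE_ALIASES):
        note = " (CPE version is ANY; check the advisory's range)" if version_any else ""
        print(f"{portname} {version} matches {raw}{note}")
```

Note that 1password-cli 1.8.0 is not reported: the alias maps it onto the agilebits/1password product, but the CPE names version 3.0 only, which is the mail's point that the current portfile does not ship the vulnerable version. The alias table is the part a real implementation would have to maintain, since port names and NVD product names frequently differ.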
Attachment: npm_audit.png (image/png, 70702 bytes)
<http://lists.macports.org/pipermail/macports-dev/attachments/20200315/23d63f9f/attachment-0001.png>