To infer vulnerability advisories for existing conda-forge packages, we need some smarts, as there is no such data source available that is open and public.
Here is what we would need to do at a high level:
- resolve (jinja?) and parse the meta YAML for the 27K recipes. (Alternatively, we can also use the "rendered recipe" as stored in a package archive. These are in the info folder of the packages and don't contain any Jinja tags anymore.)
- infer a PURL using the packageurl-python library
- using that PURL, look it up in vulnerablecode, get any vulnerability advisories, and get a fixed version if any, e.g. https://public2.vulnerablecode.io/packages/v2/pkg:pypi/django@6.0.4 (or an API call, or a direct data dump, and so on)
- eventually also store that data in conda-forge for that version as VEX/CSAF/OSV/CVE
- eventually also attach the conda-forge package to the CVE if there is such a CVE at MITRE (best: conda-forge becomes a CNA at MITRE, and also a GNA with GCVE)
- (rinse and repeat 27,000 times, mostly every day or many times a day). That would be a combo of a VCIO importer and improver
- eventually push and publish at all the feedstocks?
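The first three steps above (read the rendered recipe, infer a PURL, build the vulnerablecode lookup), as an added example that is not conda-forge or VulnerableCode code. It assumes a constructed, already-rendered meta.yaml with no Jinja tags (the shape found in a package's info folder), falls back to a minimal PURL builder when packageurl-python is not installed, and uses a constructed stand-in for the advisory response, since the real VulnerableCode API schema is not on this page:

```python
"""Rendered recipe -> PURL -> VulnerableCode lookup URL -> fixed versions.

Added example, not conda-forge or VulnerableCode project code. Assumptions:
  - RENDERED_RECIPE is a constructed, already-rendered meta.yaml (no Jinja);
  - packageurl-python may be missing, so a fallback builder is used;
  - SAMPLE_RESPONSE is a constructed stand-in, not the real API schema.
"""
import json
import re

try:  # packageurl-python, as named in the plan above
    from packageurl import PackageURL
except ImportError:  # fall back to a minimal builder with the same output
    PackageURL = None

# Constructed rendered recipe, shaped like info/recipe/meta.yaml in a package.
RENDERED_RECIPE = """\
package:
  name: django
  version: 6.0.4
source:
  url: https://pypi.io/packages/source/D/Django/Django-6.0.4.tar.gz
  sha256: 0000000000000000000000000000000000000000000000000000000000000000
"""

# Lookup base taken from the plan above (no percent-encoding, as written there).
VCIO_BASE = "https://public2.vulnerablecode.io/packages/v2/"
PYPI_HOSTS = ("pypi.io", "pypi.org", "files.pythonhosted.org")


def load_rendered_recipe(text):
    """Parse only the flat 'package:' / 'source:' sections used here.

    A real run would use yaml.safe_load on the rendered file; this avoids the
    PyYAML dependency for the example.
    """
    section, out = None, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # top-level key such as 'package:'
            section = line.strip().rstrip(":")
            out[section] = {}
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            out[section][key.strip()] = value.strip()
    return out


def infer_purl(recipe):
    """Heuristic: a PyPI-sourced recipe maps to pkg:pypi, else pkg:conda."""
    name = recipe["package"]["name"]
    version = recipe["package"]["version"]
    src_url = recipe.get("source", {}).get("url", "")
    if any(host in src_url for host in PYPI_HOSTS):
        # PURL pypi names are lower-case with runs of '-', '_' and '.' as '-'
        purl_type, qualifiers = "pypi", None
        name = re.sub(r"[-_.]+", "-", name).lower()
    else:
        purl_type, qualifiers = "conda", {"channel": "conda-forge"}
    if PackageURL is not None:
        return str(PackageURL(type=purl_type, name=name,
                              version=version, qualifiers=qualifiers))
    qual = ""
    if qualifiers:
        qual = "?" + "&".join(f"{k}={v}" for k, v in sorted(qualifiers.items()))
    return f"pkg:{purl_type}/{name}@{version}{qual}"


def vcio_lookup_url(purl):
    """Build the lookup URL in the form given in the plan above."""
    return VCIO_BASE + purl


# Constructed stand-in for a lookup result; ids and versions are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "purl": "pkg:pypi/django@6.0.4",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-EXAMPLE-0001",        # placeholder id
         "fixed_packages": ["pkg:pypi/django@6.0.5"]},   # placeholder fix
    ],
})


def summarize_advisories(response_text):
    """Return (vulnerability id, fixed PURLs) pairs from a response body."""
    data = json.loads(response_text)
    return [(v["vulnerability_id"], list(v.get("fixed_packages", [])))
            for v in data.get("affected_by_vulnerabilities", [])]


if __name__ == "__main__":
    purl = infer_purl(load_rendered_recipe(RENDERED_RECIPE))
    print("PURL:   ", purl)
    print("lookup: ", vcio_lookup_url(purl))
    for vid, fixed in summarize_advisories(SAMPLE_RESPONSE):
        print("advisory:", vid, "fixed in:", ", ".join(fixed) or "none")
```

Running it on the constructed recipe yields the same lookup URL quoted in the plan above; at scale the same three functions run once per feedstock, with the real response body taken from the API or a data dump rather than the placeholder.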