Status: Open
Labels: enhancement (New feature or request), good first issue (Good for newcomers), plugins, vulnera
The Vulnera dependency scanner currently lacks a vulnerability database to check dependencies against. We need to implement a vulnerability database service that can be queried with package names and versions to return known vulnerabilities. This service should support multiple backends (local database, external APIs) and provide a consistent interface for vulnerability lookups.
Goals
- Provide vulnerability lookup functionality for dependency scanning
- Support multiple data sources (local DB, external APIs)
- Offer offline capability with local database fallback
- Ensure fast query performance for large dependency sets
- Maintain data freshness with update mechanisms
Core Interface

```python
# valkyrie/plugins/vulnera/db.py
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnerabilityInfo:
    """Lookup result. The issue names this type without defining it; these fields are a placeholder."""
    id: str
    summary: str
    fixed_version: Optional[str] = None


class VulnerabilityDB(ABC):
    """Abstract base class for vulnerability databases."""

    @abstractmethod
    async def query(self, package_name: str, version: str) -> List[VulnerabilityInfo]:
        """Query vulnerabilities for a specific package version."""
        pass

    @abstractmethod
    async def query_bulk(self, packages: List[Tuple[str, str]]) -> Dict[str, List[VulnerabilityInfo]]:
        """Query vulnerabilities for multiple packages, keyed by package identifier."""
        pass

    @abstractmethod
    async def update(self) -> bool:
        """Update the vulnerability database; return True on success."""
        pass
```

Data Sources to Support
Primary Targets:
- OSV (Open Source Vulnerabilities) API - Comprehensive open source database
- NVD (National Vulnerability Database) API - Official CVE database
- GitHub Advisory Database - GitHub's vulnerability data
- Local SQLite or JSON cache - For offline operation
Acceptance Criteria
- VulnerabilityDB interface defined and implemented
- At least 2 data sources supported (e.g., OSV API + local SQLite)
- Bulk query support for efficient scanning
- Caching mechanism to reduce API calls
- Update functionality to keep data fresh
- Comprehensive tests covering all functionality
- Error handling for network issues and data parsing
- Configuration options for API keys and database paths
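The following is an added example, not code from the Vulnera plugin or the valkyrie project, sketching how one backend could satisfy the interface, the data-source list and the acceptance criteria above: an OSV-style lookup in front of a SQLite cache, with bulk de-duplication, a TTL-based refresh, and a stale-cache fallback when the network is down. It assumes the OSV `/v1/query` response shape (`{"vulns": [...]}` with `affected[].ranges[].events[].fixed`) and takes a caller-supplied async `fetch` callable in place of the real HTTP client. The names `OSVCachedDB`, `parse_osv_vulns`, `SAMPLE_OSV` and `run_demo` are hypothetical, and the package `examplepkg` and advisory `CONSTRUCTED-0001` are constructed test data, not real advisories.

```python
import asyncio
import json
import sqlite3
import time
from dataclasses import dataclass
from typing import Awaitable, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnerabilityInfo:  # assumed shape; the issue names this type but does not define it
    id: str
    summary: str
    fixed_version: Optional[str]


def parse_osv_vulns(payload: dict) -> List[VulnerabilityInfo]:
    """Extract advisories from an OSV /v1/query-shaped body; malformed entries are skipped, not fatal."""
    out: List[VulnerabilityInfo] = []
    for v in payload.get("vulns", []):
        if not isinstance(v, dict) or "id" not in v:
            continue
        fixed = None
        for aff in v.get("affected", []):
            for rng in aff.get("ranges", []):
                for ev in rng.get("events", []):
                    fixed = ev.get("fixed", fixed)
        out.append(VulnerabilityInfo(v["id"], v.get("summary", ""), fixed))
    return out


class OSVCachedDB:  # implements query / query_bulk / update from the VulnerabilityDB interface
    """OSV-style backend in front of a SQLite cache, with stale-cache fallback when offline."""

    def __init__(self, fetch: Callable[[str, str, str], Awaitable[dict]], conn: sqlite3.Connection,
                 ecosystem: str = "PyPI", ttl: int = 86400, now: Callable[[], float] = time.time) -> None:
        self.fetch, self.conn, self.eco, self.ttl, self.now = fetch, conn, ecosystem, ttl, now
        self.network_calls = 0  # counted so the cache behaviour can be observed
        conn.execute("CREATE TABLE IF NOT EXISTS vulns (eco TEXT, name TEXT, version TEXT, "
                     "fetched REAL, payload TEXT, PRIMARY KEY (eco, name, version))")

    async def _refresh(self, name: str, version: str) -> dict:
        self.network_calls += 1
        payload = await self.fetch(self.eco, name, version)  # stands in for POST api.osv.dev/v1/query
        self.conn.execute("INSERT OR REPLACE INTO vulns VALUES (?,?,?,?,?)",
                          (self.eco, name, version, self.now(), json.dumps(payload)))
        return payload

    async def query(self, package_name: str, version: str) -> List[VulnerabilityInfo]:
        row = self.conn.execute("SELECT fetched, payload FROM vulns WHERE eco=? AND name=? AND version=?",
                                (self.eco, package_name, version)).fetchone()
        if row and self.now() - row[0] < self.ttl:
            return parse_osv_vulns(json.loads(row[1]))  # fresh cache hit: no API call
        try:
            payload = await self._refresh(package_name, version)
        except OSError:  # connection failure (aiohttp's connector errors subclass OSError)
            if row is None:
                raise  # fail closed: an empty list here would look like a clean scan
            payload = json.loads(row[1])  # stale but real data beats no data
        return parse_osv_vulns(payload)

    async def query_bulk(self, packages: List[Tuple[str, str]]) -> Dict[str, List[VulnerabilityInfo]]:
        unique = list(dict.fromkeys(packages))  # de-duplicate, keep order
        results = await asyncio.gather(*(self.query(n, v) for n, v in unique))
        return {f"{n}@{v}": r for (n, v), r in zip(unique, results)}

    async def update(self) -> bool:
        rows = self.conn.execute("SELECT name, version FROM vulns WHERE eco=?", (self.eco,)).fetchall()
        outcomes = await asyncio.gather(*(self._refresh(n, v) for n, v in rows), return_exceptions=True)
        return not any(isinstance(o, Exception) for o in outcomes)  # False: some entries are still stale


# Constructed sample data in OSV /v1/query shape; "examplepkg" and CONSTRUCTED-0001 are made up.
SAMPLE_OSV = {
    ("PyPI", "examplepkg", "1.0.0"): {"vulns": [{"id": "CONSTRUCTED-0001", "summary": "constructed advisory",
        "affected": [{"ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.0"}]}]}]}]},
    ("PyPI", "examplepkg", "1.2.0"): {"vulns": []},
}


def run_demo() -> dict:
    online, clock = {"up": True}, {"t": 1_000_000.0}  # mutable switches for the simulated network and clock

    async def fetch(eco: str, name: str, version: str) -> dict:  # stands in for the HTTP client
        if not online["up"]:
            raise OSError("network unreachable")  # simulated outage
        return SAMPLE_OSV.get((eco, name, version), {"vulns": []})

    async def scenario() -> dict:
        db = OSVCachedDB(fetch, sqlite3.connect(":memory:"), now=lambda: clock["t"])
        first = await db.query_bulk([("examplepkg", "1.0.0"), ("examplepkg", "1.2.0"), ("examplepkg", "1.0.0")])
        calls_after_bulk = db.network_calls  # 2: the duplicate entry is collapsed
        await db.query("examplepkg", "1.0.0")
        calls_after_hit = db.network_calls   # still 2: served from cache
        online["up"], clock["t"] = False, clock["t"] + 2 * 86400  # cache expired AND network down
        stale = await db.query("examplepkg", "1.0.0")  # stale fallback still reports the advisory
        try:
            await db.query("neverseen", "0.1")
            uncached_offline = "returned"
        except OSError:
            uncached_offline = "raised"  # nothing cached: an error, not a false "clean"
        return {"first": first, "calls_after_bulk": calls_after_bulk, "calls_after_hit": calls_after_hit,
                "stale": stale, "uncached_offline": uncached_offline, "update_ok": await db.update()}

    return asyncio.run(scenario())
```

The design choice worth carrying into the real implementation is the failure mode: when the network is down and nothing is cached, `query` raises instead of returning an empty list, because a scanner that silently returns "no vulnerabilities" during an outage is indistinguishable from a clean scan. A real backend would swap `fetch` for the project's HTTP client, key the cache by ecosystem as well (OSV requires it), and likely add the NVD or GitHub Advisory source behind the same class shape.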