Vulnerability Monitoring
Add vulnerability monitoring capabilities to CRA Tool.
| Attribute | Value |
|---|---|
| Status | Open |
| Type | Closed-Source Collaborative |
| Eligible Courses | SEMI |
| Scope | 5 ECTS |
| Use of Artificial Intelligence | Allowed |
| CLA Required? | Yes |
Summary
While CRA Tool can already detect vulnerabilities in projects by cross-referencing the OSV database, this represents only a one-time snapshot. For released software, it is necessary to continuously monitor dependencies for new vulnerabilities throughout the software's lifetime. Additionally, it's important that users are notified when new vulnerabilities are detected.
This contribution will implement a scalable vulnerability monitoring system based on the current implementation. When new security advisories are synced from OSV to the local database (already in place), the dependencies of existing projects should be cross-referenced. For scalability, this process should reuse the results of previous cross-referencing runs.
When new critical security advisories are found (rated by CVSS), users who have enabled vulnerability notifications should be notified via email. Additionally, users can configure a weekly notification summary that gives an overview of the vulnerabilities in their projects.
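The incremental cross-referencing described above, as an added example that is not CRA Tool's own code: a sync cursor skips advisories that were already matched, a per-project set of known findings prevents repeated alerts, and only findings at or above the CVSS v3 "Critical" threshold (9.0) are returned for email notification. The OSV advisory record, the SEMVER-only version comparison and the cursor field are simplifying assumptions.

```java
import java.util.*;

// Added example (not CRA Tool's code): cross-reference only newly synced OSV
// advisories against project dependencies, reusing previous runs via a cursor.
public class IncrementalVulnerabilityMonitor {
    // Simplified OSV advisory: one affected package with a single SEMVER range (assumption)
    record Advisory(String id, String ecosystem, String pkg, String introduced, String fixed,
                    double cvssScore, long syncedAt) {}
    record Dependency(String ecosystem, String pkg, String version) {}
    record Finding(String projectId, String advisoryId, double cvssScore) {}
    static final double CRITICAL_CVSS = 9.0; // CVSS v3 qualitative rating "Critical" starts at 9.0
    private long lastProcessedSync = 0;     // cursor: advisories synced at or before this are done
    private final Map<String, Set<String>> knownFindings = new HashMap<>(); // projectId -> advisory ids
    // Returns only new critical findings; knownFindings keeps the full per-project overview
    List<Finding> processSync(List<Advisory> synced, Map<String, List<Dependency>> projects) {
        List<Finding> newCritical = new ArrayList<>();
        long newCursor = lastProcessedSync;
        for (Advisory adv : synced) {
            if (adv.syncedAt() <= lastProcessedSync) continue; // already cross-referenced earlier
            newCursor = Math.max(newCursor, adv.syncedAt());
            for (var entry : projects.entrySet()) {
                for (Dependency dep : entry.getValue()) {
                    if (!affects(adv, dep)) continue;
                    Set<String> seen = knownFindings.computeIfAbsent(entry.getKey(), k -> new HashSet<>());
                    // notify once per (project, advisory), and only when rated critical
                    if (seen.add(adv.id()) && adv.cvssScore() >= CRITICAL_CVSS)
                        newCritical.add(new Finding(entry.getKey(), adv.id(), adv.cvssScore()));
                }
            }
        }
        lastProcessedSync = newCursor; // persist this in the database in a real implementation
        return newCritical;
    }
    // OSV SEMVER event semantics: introduced <= version < fixed (no "fixed" means still affected)
    static boolean affects(Advisory adv, Dependency dep) {
        if (!adv.ecosystem().equals(dep.ecosystem()) || !adv.pkg().equals(dep.pkg())) return false;
        return compare(dep.version(), adv.introduced()) >= 0
            && (adv.fixed() == null || compare(dep.version(), adv.fixed()) < 0);
    }
    // Numeric dotted-version comparison; missing components count as 0 (e.g. 1.2 == 1.2.0)
    static int compare(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0, yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }
}
```

Calling processSync twice with the same advisory list yields an empty result the second time, which is the behaviour the scalability requirement asks for; the weekly summary can be built from knownFindings rather than by re-matching every project.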
Expected Tasks
- Go through the existing vulnerability and legacy monitoring code
- Create detailed GitHub issues for this work
- Define an implementation timeline in the GitHub Project Roadmap
- Implement the solution and adapt your plan if necessary
- Write a brief project report (1-2 pages max)
Technologies
You should be familiar with the following programming languages:
- Java
You should be familiar with the following frameworks/libraries:
- Spring Boot
Knowing the following concepts will be helpful:
- CVE, OSV-Schema
- CVSS
- GitHub Security Alerts / Dependabot