In the context of the listing of known security issues, we need to choose the source we will query to retrieve the CVEs.
Proposed source: https://osv.dev/
List of pros:
- the maven ids are computed correctly
- it is possible to query for issues in batch (minimizing the number of outgoing HTTP queries)
- it seems possible to keep using it even if we stop using github for our advisories (see FAQ | OSV)
Known limitations:
- We don't publish the artifacts of xwiki-platform on Maven Central, which seems to make the computation of impacted versions fail. Until this is fixed, we will not be able to query for a specific version of xwiki-platform maven modules. Instead, we will need to request all CVEs for a given maven id, and filter for the current version locally.
Other known source with an API: https://nvd.nist.gov/
WDYT?
Related discussions:
- Display security issues directly inside XWiki Standard
- Dashboard for Security issues inside XWiki Standard
Related design page: List security issues inside XS (Proposal.ListSecurityIssuesInsideXS) - XWiki