Should zopen be enhanced to detect vulnerabilities for installed software?

[IgorTodorovskiIBM]

We could invent a new audit function similar to npm audit - https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

zopen audit

Which could use the https://nvd.nist.gov/ APIs to check for vulnerabilities for a given product/version and recommend upgrading (if a newer version is present).

[MikeFultonDev]

We haven't done anything here yet afaik, but this is a good idea @IgorTodorovskiIBM

[IgorTodorovskiIBM]

This may be a better option: https://google.github.io/osv.dev/.

The API can be called via curl and therefore integrated in zopen pretty easily:

curl -d \
  '{"package": {"name": "curl"}, "version": "7.88.1-10"}' \
  "https://api.osv.dev/v1/query"

There's also an OSV-scanner written in Go: https://github.com/google/osv-scanner

[v1gnesh]

Here's an API for a superset of this, also run by Google - https://deps.dev/

[IgorTodorovskiIBM]

Thanks, the https://deps.dev/ API seems to be more powerful. It looks like it doesn't seem to support C/C++ but it does support Go packages.

[v1gnesh]

Ah, yes. The API docs delegates advisory lookup to OSV but the advisory # is needed.