Vulnerability Data

How to import vulnerability data in the Eclipse Steady backend

TL;DR: There is nothing to do, it's all automated :-)

When you deploy Eclipse Steady using Docker, the vulnerability data from project KB is not only imported automatically but also updated periodically, so that any new vulnerabilities are imported into your Eclipse Steady backend without manual intervention.

If you want to customize the mechanism whereby vulnerabilities are imported or if you just want to learn more about it, please refer to the dedicated technical documentation.

Why code-level vulnerability data are needed

The code-level vulnerability analysis performed by Eclipse Steady is based on the concept of a change list, the set of constructs (e.g., methods) that were changed to fix a given security vulnerability. The vulnerability detection capabilities of Eclipse Steady rely on this concept: an artifact (e.g., a library) is considered to be affected by a vulnerability if it contains the constructs that were changed to fix that vulnerability.

A positive consequence of this approach is that, once the change list for a vulnerability has been created and added to the database, one can immediately determine whether any of the applications scanned in the past are potentially impacted by this new vulnerability; there is no need to re-run the analysis for each application!

Hence, if one considers Eclipse Steady as a powerful machine, then vulnerability data are the fuel, since Eclipse Steady can only detect and assess vulnerabilities if they are present in its vulnerability database.
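As an added illustration of the change-list matching just described (this is not code from Eclipse Steady or project KB), the following Python sketch stores change lists and past scan results as sets of construct names and answers the retroactive question from the paragraph above without re-scanning anything. The construct names, artifact names and the vulnerability id are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class VulnStore:
    """Minimal model of change-list matching (added example, not Steady's own
    code). Constructs are identified by constructed qualified method names;
    all identifiers below are placeholders, not real Steady or KB data."""

    # vuln_id -> set of constructs changed by the fix commit (the change list)
    change_lists: dict = field(default_factory=dict)
    # artifact name -> set of constructs found when it was scanned in the past
    scanned: dict = field(default_factory=dict)

    def record_scan(self, artifact, constructs):
        self.scanned[artifact] = frozenset(constructs)

    def add_change_list(self, vuln_id, constructs):
        self.change_lists[vuln_id] = frozenset(constructs)

    def matching_constructs(self, artifact, vuln_id):
        """Constructs of the change list that the artifact contains. A non-empty
        result marks the artifact as potentially affected (matching on any
        changed construct is a simplification of the check described above)."""
        return self.scanned[artifact] & self.change_lists[vuln_id]

    def impacted_by(self, vuln_id):
        """Previously scanned artifacts potentially impacted by vuln_id, answered
        from stored scan results alone, without re-running any scan."""
        return sorted(a for a in self.scanned if self.matching_constructs(a, vuln_id))


def demo():
    db = VulnStore()
    # Scan results recorded "in the past" (constructed sample data).
    db.record_scan("lib-parser-1.0.jar", {
        "org.example.parser.Parser.parse(String)",
        "org.example.parser.Parser.reset()",
    })
    db.record_scan("lib-net-2.3.jar", {"org.example.net.Client.connect(String)"})
    # A change list imported later, e.g. from project KB (placeholder id).
    db.add_change_list("VULN-ID-PLACEHOLDER", {
        "org.example.parser.Parser.parse(String)",
        "org.example.parser.Parser.validate(String)",
    })
    # Only the artifact that contains a changed construct is reported.
    return db.impacted_by("VULN-ID-PLACEHOLDER")
```

Calling demo() reports only lib-parser-1.0.jar, because it contains a construct of the change list while lib-net-2.3.jar does not.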

The fix commits for hundreds of vulnerabilities that affect Java and Python open source projects are maintained in a dedicated repository (project "KB") that focuses on fostering a community-based approach to gathering and maintaining a comprehensive knowledge base.

Eclipse Steady automatically imports data from project KB, so in typical scenarios you do not need to do anything for it to work.

Contributing to the vulnerability database

On this page you will find information about how to contribute vulnerability information to project KB.

How to list the vulnerabilities that are currently available in your instance of Eclipse Steady

Assuming that Eclipse Steady is deployed on http://localhost:8033, you can list the vulnerabilities saved in the database of your installation via this endpoint: http://localhost:8033/backend/bugs

Detailed information for a given vulnerability can be obtained using the following link: http://localhost:8033/backend/bugs/<vuln_id> (where <vuln_id> has to be replaced by a real vulnerability identifier).