Adding data to mismatch database
CVE Binary Tool uses a number of sources for vulnerability and risk data. Sometimes these can produce name collisions, and to tackle this we've created a mismatch database.
This document details the steps for adding data to the mismatch database.
1. Update mismatch_data/ directory
Make a new file with the name namespace/product_name/mismatch_relations.yml under the mismatch_data/ directory. For example, pypi/zstandard/mismatch_relations.yml for zstandard from the pypi namespace.
Populate the file with purl-invalid_vendor information.
purls:
- pkg:pypi/zstandard
invalid_vendors:
- facebook
2. Run the populator script
The mismatch_loader script populates the mismatch database with the contents of the mismatch_data/ directory.
python -m cve_bin_tool.mismatch_loader
The default directory is mismatch_data/, and the default database file is cve.db.
To use a specific directory, use the --dir flag:
python -m cve_bin_tool.mismatch_loader --dir directory_location
To use a specific database file, use the --database flag:
python -m cve_bin_tool.mismatch_loader --database database_file_location
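A check that can be run over mismatch_data/ before the loader, so a mistyped path or purl is caught before it reaches the database. This is an added example, not code from CVE Binary Tool: the helper names (parse_relations, lint_mismatch_dir, demo) are hypothetical, the "example" package is constructed, and the rule that namespace/product_name must match a purl in the file is an assumption drawn from the zstandard example above.

```python
# Constructed sample data only; the purl/path rule below is an assumption.
import tempfile
from pathlib import Path

def parse_relations(text):
    """Parse the two-key list layout shown above (not a general YAML parser)."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and key:
            data[key].append(line[2:].strip())
        elif line in ("purls:", "invalid_vendors:"):
            key = line[:-1]
            data[key] = []
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return data

def lint_mismatch_dir(root):
    """Return a list of problems found under root (empty list means clean)."""
    problems = []
    for path in sorted(Path(root).glob("*/*/mismatch_relations.yml")):
        namespace, product = path.parts[-3], path.parts[-2]
        try:
            data = parse_relations(path.read_text())
        except ValueError as exc:
            problems.append(f"{path}: {exc}")
            continue
        expected = f"pkg:{namespace}/{product}"
        if not any(p.split("@")[0] == expected for p in data.get("purls", [])):
            problems.append(f"{path}: no purl matching {expected}")
        if not data.get("invalid_vendors"):
            problems.append(f"{path}: invalid_vendors is empty")
    return problems

def demo():
    """Lint a constructed tree holding one good and one mislabeled entry."""
    with tempfile.TemporaryDirectory() as tmp:
        for ns, prod, purl in [("pypi", "zstandard", "pkg:pypi/zstandard"),
                               ("pypi", "example", "pkg:npm/example")]:
            d = Path(tmp, ns, prod)
            d.mkdir(parents=True)
            (d / "mismatch_relations.yml").write_text(
                f"purls:\n  - {purl}\ninvalid_vendors:\n  - facebook\n")
        return [p.replace(tmp, "mismatch_data") for p in lint_mismatch_dir(tmp)]

if __name__ == "__main__":
    print("\n".join(demo()) or "mismatch_data looks consistent")
```

Call lint_mismatch_dir("mismatch_data") on a real checkout; an empty list means every file matched its directory.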
3. (optional) Make a pull request for a newly found name collision
If you find an invalid relationship, please do the following: