Status: Open
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
Description
This standalone application is intended to check for disclosed vulnerabilities for a given package and release based on available CVE data. Example APIs and related resources are listed here, but are not considered to be specific requirements for the final design of the application, provided its objectives are well met.
As described in CVE Checks:
- Check published CVE lists for the package using available APIs:
  - Patchstack API
  - Snyk Vulnerability Database
  - WPVulnerability Database API (free API; Javier Casares & other contributors)
  - OpenCVE (docs): self-hosted or SaaS app to monitor CVEs
  - Wordfence Intelligence / API Docs
  - Prototype CVE Labeller
  - WP-CLI Vulnerability Scanner (10up) (supports WPScan/WP Vuln DB, Patchstack, Wordfence Intelligence)
- Check time from exposure to patch for past CVEs
- Append results to fair-forge-meta per spec
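As an added sketch (not code from this project) of the two checks above, the script below matches a package release against a vulnerability feed and computes the disclosure-to-patch window for each hit. The feed shape, package name and CVE ids are constructed placeholders; none of the APIs listed in the issue are assumed to return this exact JSON, so a real client would map each API's response onto these fields.

```python
from datetime import date

# Constructed sample feed (assumed shape, not any listed API's real schema).
# CVE ids are placeholders, not real identifiers.
SAMPLE_FEED = {
    "package": "example-gallery",
    "vulnerabilities": [
        {"id": "CVE-0000-00001", "affected_max": "2.3.0", "fixed_in": "2.3.1",
         "disclosed": "2024-03-01", "patched": "2024-03-15"},
        {"id": "CVE-0000-00002", "affected_max": "1.9.9", "fixed_in": "2.0.0",
         "disclosed": "2023-11-20", "patched": "2023-11-22"},
        {"id": "CVE-0000-00003", "affected_max": "2.4.0", "fixed_in": None,
         "disclosed": "2024-06-10", "patched": None},
    ],
}


def version_key(v, width=3):
    """Numeric tuple for comparing dotted versions; '2.3' and '2.3.0' compare equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def affects(vuln, release):
    """True when `release` is in the vulnerable range (<= affected_max and < fixed_in)."""
    r = version_key(release)
    if r > version_key(vuln["affected_max"]):
        return False
    return vuln["fixed_in"] is None or r < version_key(vuln["fixed_in"])


def days_to_patch(vuln):
    """Exposure window in days, or None while no fix has been released."""
    if vuln["patched"] is None:
        return None
    return (date.fromisoformat(vuln["patched"]) - date.fromisoformat(vuln["disclosed"])).days


def check_release(feed, release):
    """Plain JSON-able report for one package/release (the fair-forge-meta spec is not reproduced here)."""
    findings = [
        {"id": v["id"], "fixed_in": v["fixed_in"], "days_to_patch": days_to_patch(v)}
        for v in feed["vulnerabilities"] if affects(v, release)
    ]
    return {"package": feed["package"], "release": release, "findings": findings,
            "unpatched": any(f["fixed_in"] is None for f in findings)}


if __name__ == "__main__":
    import json
    print(json.dumps(check_release(SAMPLE_FEED, "2.3.0"), indent=2))
```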
Writing the resulting output to STDOUT is fine; it can be piped wherever we need it later. The output format should be along these lines: