Skip to content

Add ability to fetch CVE data from Gitlab

From @mbarbero eclipsefdn/it/websites/eclipse.org#38 (comment 1005030)

As discussed during today's call, we could just use a json file in a private gitlab repo (e.g. http://gitlab.eclipse.org/eclipsefdn/security/known-vulnerabilities). You could use a gitlab token to fetch the data, and voilà.

We will be looking to switch to a Gitlab private repo JSON file instead of the current spreadsheet. While the spreadsheet is easier to maintain, it isn't an ideal way to safely maintain this data. To better enable this, a new mechanism will be needed to fetch Eclipse CVE data to replace the Google Drive binding.

As a first step, we should use a toggle to switch between the services to maintain both solutions until we are ready to switch over. We should be able to do this through the same mechanism used to create the stubbed and default CVE source service, but for the GoogleAPIService. We should also rename the interface to be ManagedCVEService or something similar. This way we can have the GoogleManagedCVEService and GitlabManagedCVEService and have the names make at least some semblance of sense.

Initially, we won't need credentials as we can load a sample version of the document from this repo, but there will be another issue to add the credentials and point the service to the proper repository.

/cc @cguindon

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent