Add Pagination Support for Retrieving All CVEs API #357
Conversation
If you want to get all CVEs, I think you can do it by combining it with existing functionality if you can get the CVE ID list. Still want to page and retrieve CVEs?

If you want to retrieve all the data and do something with it, I think it is better to create a local clone using go-cve-dictionary fetch instead of going through server mode. I don't know the use case where you want to use pagination to retrieve all items from the DB.
@@ -67,6 +69,26 @@ func getCve(driver db.DB) echo.HandlerFunc { | |||
} | |||
} | |||
|
|||
func getAllCves(driver db.DB) echo.HandlerFunc { | |||
return func(c echo.Context) error { | |||
cveDetails, err := driver.GetAll() |
cveDetails, err := driver.GetAll() |
limit, _ := strconv.Atoi(c.QueryParam("limit")) | ||
pageNum, _ := strconv.Atoi(c.QueryParam("page_num")) |
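Review bot: `limit, _ := strconv.Atoi(c.QueryParam("limit"))` and `pageNum, _ := strconv.Atoi(c.QueryParam("page_num"))` discard the parse error, so a missing or non-numeric parameter silently becomes 0 instead of a 400 response; return the error to the client, reject non-positive values, and cap `limit` at a server-side maximum, otherwise one request with a very large `limit` returns the entire table. Also `cveDetails, err := driver.GetAll()` runs before the parameters are even read, so every page request loads the full CVE set from the database.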
Please handle the errors.
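Handling the errors the reviewer asks for, as an added Go example (not the project's code and not part of this PR): the two query parameters are validated instead of ignoring the `strconv.Atoi` error, and one page is sliced from an ID list fetched once, as the review suggests. `maxLimit`, `Pagination`, `parsePagination` and `pageSlice` are assumed names; a real handler would map the returned error to 400 Bad Request.

```go
package main

import "fmt"
import "strconv"

// maxLimit is an assumed server-side cap on page size (not from the project).
const maxLimit = 1000

// Pagination holds validated query parameters: items per page and a 1-based page.
type Pagination struct {
	Limit, Page int
}

// parsePagination validates limit and page_num instead of discarding the
// strconv.Atoi errors, so a missing, non-numeric, non-positive or oversized
// value is rejected and the handler can answer 400 Bad Request.
func parsePagination(limitStr, pageStr string) (Pagination, error) {
	limit, err := strconv.Atoi(limitStr)
	if err != nil {
		return Pagination{}, fmt.Errorf("limit: %w", err)
	}
	page, err := strconv.Atoi(pageStr)
	if err != nil {
		return Pagination{}, fmt.Errorf("page_num: %w", err)
	}
	if limit < 1 || limit > maxLimit {
		return Pagination{}, fmt.Errorf("limit must be between 1 and %d", maxLimit)
	}
	if page < 1 {
		return Pagination{}, fmt.Errorf("page_num must be at least 1")
	}
	return Pagination{Limit: limit, Page: page}, nil
}

// pageSlice returns one page of an ordered, pre-fetched ID list (the CVE ID list
// fetched once, as the review suggests). A page past the end yields an empty
// slice, and the division check keeps (page-1)*limit from overflowing.
func pageSlice(ids []string, p Pagination) []string {
	if p.Page-1 > len(ids)/p.Limit {
		return []string{}
	}
	start := (p.Page - 1) * p.Limit
	end := start + p.Limit
	if end > len(ids) {
		end = len(ids)
	}
	return ids[start:end]
}
```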
ctx := context.Background() | ||
|
||
// Get all keys for CVE details | ||
keys, err := r.conn.Keys(ctx, fmt.Sprintf(cveKeyFormat, "*")).Result() |
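Review bot: `r.conn.Keys(ctx, fmt.Sprintf(cveKeyFormat, "*"))` issues Redis KEYS with a wildcard on every page request; KEYS walks the whole keyspace and blocks the server while it runs, so on a production-sized CVE database a single paginating client stalls every other query. Iterate with SCAN and the same pattern instead, or better, keep an index set of CVE IDs maintained at fetch time and page over that, fetching only the IDs of the requested page. Also `ctx := context.Background()` replaces the request context, so a client that disconnects no longer cancels the Redis call.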
Don't use Keys
https://redis.io/commands/keys/
Since this part is executed every time a page is requested, I think it would be more efficient to fetch all the CVE ID list at once and then request them separately.
@MaineK00n, @mghotz, my 2 cents, here is one of my daily use cases, and my performance bottleneck. I audit full embedded products, built from sources (e.g. Linux or Android devices). As of today for example, a Linux kernel 4.14.335 released this week yields 824 CVEs from go-cve-dictionary (of course, in the end 95% are false positives for various reasons, but that's another story). To get these 824 CVEs, my go-cve-dictionary query takes more than 10 minutes to complete. Note that on a full product, I of course not only have a kernel to query for, but also dozens of OSS libraries. I don't think my performance problem here would be solved by pagination, nor by getting the CVE IDs and then retrieving them if I wish: the bottleneck is that the CPE to CVE matching takes a very long time. For example, try querying o:linux:linux_kernel < 6.5.3. A real world CVE example that would match could be https://nvd.nist.gov/vuln/detail/CVE-2023-45871, but you will get hundreds more. Even worse, try with no version boundary at all, with cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*, such as in https://nvd.nist.gov/vuln/detail/CVE-2023-2156.
@jbmaillet There are two things I'm thinking about with this PR.
I implemented a new API feature for retrieving all Common Vulnerabilities and Exposures (CVEs) with pagination support. This enhancement allows users to fetch CVE data in a paginated format, making it more efficient and user-friendly, especially when dealing with large datasets.
I manually tested the API to ensure it handles various real-world use cases effectively.