Make VulnerabilitiesFromGitHubAdvisories great #144

Status: Open (4 tasks)
Labels: enhancement (New feature or request)

sourabhsparkala (Member) opened this issue Apr 27, 2020 · 0 comments

VulnerabilitiesFromGitHubAdvisories is not a full-fledged DataProvider

The above data provider does not handle all the PackageManagers. Also, it doesn't recursively parse through all the types of PackageManagers' config files:

  • pom.xml for MAVEN
  • build.gradle for GRADLE
  • package-lock.json and package.json for NPM
  • yarn.lock and package.json for YARN
  • .csproj, .vbproj, .vcxproj, .fsproj, packages.config and .nuspec for DOTNET
  • Gemfile.lock, Gemfile and .gemspec for RUBYGEMS
  • composer.json and composer.lock for COMPOSER

Hence, we need to generalize how VulnerabilitiesFromGitHubAdvisories is looking for config files and extracting the project identifier

E.g.: ecosystem MAVEN and identifier com.fasterxml.jackson.core:jackson-databind for GitHub project FasterXML/jackson-databind

Things to do:

  • Recursively find all the possible config files associated with the PackageManagers
  • Parse through them to get the identifier
  • Make sure that the recursive search also finds identifiers of its sub-modules and sub-projects
  • The Data Provider must return all possible advisories for all the identifiers found
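The following is an added example (written here, not code from the Fosstars project or the issue author) of the recursive discovery and identifier extraction the tasks above describe. It walks a checked-out repository, recognises a subset of the config files listed in the issue (pom.xml, package.json, composer.json, .gemspec, .nuspec; lock files are skipped because they describe dependencies, not the project itself), and extracts an (ecosystem, identifier) pair per file, including sub-module poms that inherit their groupId from a parent. The ecosystem labels, the skip-list of dependency directories and the sample repository layout are assumptions constructed for this example.

```python
"""Recursively discover package-manager config files and extract the project
identifiers the issue talks about (e.g. MAVEN -> groupId:artifactId).
Added example, not the project's own code; the file layout below is constructed."""
import json
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Config files from the issue that carry the project's *own* identifier
# (lock files only list dependencies, so they are not consulted here).
CONFIG_FILES = {"pom.xml": "MAVEN", "package.json": "NPM", "composer.json": "COMPOSER"}
CONFIG_SUFFIXES = {".gemspec": "RUBYGEMS", ".nuspec": "DOTNET"}
# Directories holding third-party code: a package.json under node_modules names a
# dependency, not the project, and would pull in the wrong advisories.
SKIP_DIRS = {".git", "node_modules", "vendor", "target", "build", "bin", "obj"}


def _ns(root: ET.Element) -> str:
    """Namespace prefix ('{uri}') of the root element, or '' when unqualified."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _text(elem: Optional[ET.Element], tag: str, ns: str) -> Optional[str]:
    node = elem.find(ns + tag) if elem is not None else None
    return node.text.strip() if node is not None and node.text else None


def maven_identifier(xml_text: str) -> Optional[str]:
    """groupId:artifactId; a sub-module pom often omits groupId and inherits it from <parent>."""
    # For untrusted repositories prefer defusedxml over the stdlib parser.
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    group = _text(root, "groupId", ns) or _text(root.find(ns + "parent"), "groupId", ns)
    artifact = _text(root, "artifactId", ns)
    return f"{group}:{artifact}" if group and artifact else None


def nuspec_identifier(xml_text: str) -> Optional[str]:
    """<package><metadata><id> of a .nuspec file."""
    root = ET.fromstring(xml_text)
    return _text(root.find(_ns(root) + "metadata"), "id", _ns(root))


def identifier_from(path: str, content: str) -> Optional[Tuple[str, str]]:
    """Map one config file to (ecosystem, identifier), or None if not recognised."""
    name = os.path.basename(path)
    ecosystem = CONFIG_FILES.get(name) or CONFIG_SUFFIXES.get(os.path.splitext(name)[1])
    if ecosystem is None:
        return None
    try:
        if ecosystem == "MAVEN":
            ident = maven_identifier(content)
        elif ecosystem == "DOTNET":
            ident = nuspec_identifier(content)
        elif ecosystem == "RUBYGEMS":
            m = re.search(r"\.name\s*=\s*['\"]([^'\"]+)['\"]", content)
            ident = m.group(1) if m else None
        else:  # NPM and COMPOSER both keep the name in a JSON "name" field
            data = json.loads(content)
            ident = data.get("name") if isinstance(data, dict) else None
    except (ET.ParseError, ValueError):
        return None  # malformed file: skip it rather than abort the whole scan
    return (ecosystem, ident) if isinstance(ident, str) and ident else None


def find_identifiers(root_dir: str) -> List[Tuple[str, str]]:
    """Walk a checked-out repository and collect every (ecosystem, identifier)."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for fn in filenames:
            if fn in CONFIG_FILES or os.path.splitext(fn)[1] in CONFIG_SUFFIXES:
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hit = identifier_from(full, fh.read())
                if hit:
                    found.add(hit)
    return sorted(found)


# Constructed multi-module repository (path -> file contents) for an offline run.
SAMPLE_REPO: Dict[str, str] = {
    "pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><groupId>com.example'
               '</groupId><artifactId>parent-app</artifactId><modules><module>core'
               '</module></modules></project>',
    "core/pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><parent><groupId>'
                    'com.example</groupId><artifactId>parent-app</artifactId></parent>'
                    '<artifactId>core</artifactId></project>',
    "web/package.json": '{"name": "@example/web-ui", "version": "1.0.0"}',
    "web/node_modules/left-pad/package.json": '{"name": "left-pad"}',
    "gem/example.gemspec": 'Gem::Specification.new do |spec|\n  spec.name = "example-gem"\nend',
    "php/composer.json": '{"name": "example/php-lib"}',
    "dotnet/Example.nuspec": '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/'
                             'nuspec.xsd"><metadata><id>Example.Net</id></metadata></package>',
    "README.md": "not a config file",
}


def identifiers_from_samples() -> List[Tuple[str, str]]:
    """Same logic as find_identifiers, run over the in-memory sample repository."""
    found = set()
    for path, content in SAMPLE_REPO.items():
        if any(part in SKIP_DIRS for part in path.split("/")[:-1]):
            continue
        hit = identifier_from(path, content)
        if hit:
            found.add(hit)
    return sorted(found)


if __name__ == "__main__":
    for ecosystem, ident in identifiers_from_samples():
        print(f"{ecosystem:9} {ident}")
```

Each identifier in the returned list would then be queried against the advisory source for its ecosystem, so a multi-module repository yields advisories for the parent and for every sub-module rather than only for the top-level pom.xml. Pruning dependency directories matters for the same reason: without it the scan would report third-party packages as if they were the project under assessment.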