During this time, all of the existing client programs would also have been down. We’ve received little traffic on the topic during this time, so we feel that our client base has probably dwindled to near zero.
However, you need not despair, because we’re going to take this opportunity to improve the Victims project. The core will remain the same, but we’re going to change the way the client programs consume the web service.
In the previous architecture, client programs would download the entire database and then scan against the local copy. However, this was slow because the client-side database had no index. We could add one, but we’d need to rebuild it for each new client. In the new architecture we’ll keep a single server-side database, which we can index to improve the speed of scans. Scans will therefore be done on the server side.
Our first client will be an OpenSCAP SCE script. We chose OpenSCAP because it’s designed to scan systems, such as a Docker container, and it can also leverage OVAL data published by Red Hat. We’ll revisit the Maven plugin after that. In the meantime, however, you can use Philippe Arteau’s version of the Maven plugin.
The core server-side project will be a Go project named victims-api. This web service will watch victims-cve-db for changes, then delegate to victims-java-service and maybe other services to produce a hash, which it will store in the database. The victims-api service will also handle searching for hashes as GET requests. There will be a straight file hash lookup and a deep file scan of the database.
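The two search modes described above can be sketched as follows. This is an added example, not code from victims-api: it assumes SHA-512 fingerprints, assumes the deep scan matches the hash of each entry inside an archive, and uses an in-memory map as a stand-in for the indexed database. `Scan`, `makeJar`, `sum` and the `EXAMPLE-0001` identifier are hypothetical, and the archive contents are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha512"
	"fmt"
	"io"
)

func sum(b []byte) string { return fmt.Sprintf("%x", sha512.Sum512(b)) }

// makeJar builds a constructed in-memory archive from name, body pairs.
func makeJar(kv ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for i := 0; i+1 < len(kv); i += 2 {
		f, _ := w.Create(kv[i])
		f.Write([]byte(kv[i+1]))
	}
	w.Close()
	return buf.Bytes()
}

// Scan returns (record id, how it matched). It tries the straight file-hash
// lookup first, then falls back to hashing every entry in the archive.
func Scan(index map[string]string, file []byte) (string, string) {
	if v, ok := index[sum(file)]; ok {
		return v, "file"
	}
	r, err := zip.NewReader(bytes.NewReader(file), int64(len(file)))
	if err != nil {
		return "", "none" // not an archive, so only the file hash applies
	}
	for _, e := range r.File {
		if rc, err := e.Open(); err == nil {
			body, _ := io.ReadAll(io.LimitReader(rc, 64<<20)) // cap entry size against archive bombs
			rc.Close()
			if v, ok := index[sum(body)]; ok {
				return v, "deep:" + e.Name
			}
		}
	}
	return "", "none"
}

func main() {
	cls := "constructed class bytes"
	index := map[string]string{sum([]byte(cls)): "EXAMPLE-0001"}
	fmt.Println(Scan(index, makeJar("a/B.class", cls, "README", "repackaged")))
}
```

A repackaged archive no longer matches on its whole-file hash, which is the case the deep scan covers.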
Keep an eye on these 2 repositories for details in the months ahead. And importantly, please reach out, ask questions and contribute.