[VEX|VDR] add known vulnerabilities from packagist.org to the SBoM result #146
jkowalleck started this conversation in Ideas
Replies: 3 comments
- this request caused CycloneDX/cyclonedx-php-library#16
- this feature was originally requested since DependencyTrack/dependency-track#798; unfortunately, DependencyTrack does not honor the known vulns from the schema extension
- implementation details: DependencyTrack/dependency-track#798 (comment)
CDX sbom knows vulnerabilities via
packagist.org - composer's primary source - has an API to list known vulnerabilities per package.
see the docs: https://packagist.org/apidoc#list-security-advisories
implementation detail: the API might have a special handling for leading `v` in versions - or a special format for version-constraints (which might be handle-able by composer's internal version-constraint-library)
summary of feedback/ideas:
if fetching data from API fails, simply prompt an error on the increased "verbosity"-log-level and don't add any vulns to the SBoM result
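As an added example (not the plugin's own code), the lookup sketched in the post with its two details made concrete: a leading `v` is handled by running the installed version through composer's own version parser before the advisory's `affectedVersions` constraint is evaluated, and any failure of the API call is reported through the caller's verbose logger and yields no vulnerabilities. It assumes the `composer/semver` library is available and that the response has the shape documented at the linked API page; `$verboseLog` stands in for whatever logger the plugin uses.

```php
<?php
// Added example, not the plugin's own code. Assumes composer/semver is installed and
// that packagist answers as documented at https://packagist.org/apidoc#list-security-advisories,
// i.e. {"advisories": {"vendor/pkg": [{"cve": ..., "title": ..., "link": ..., "affectedVersions": "<constraint>"}]}}

use Composer\Semver\Semver;
use Composer\Semver\VersionParser;

/** Query packagist; on any failure log at verbose level and return [] (no vulns added). */
function fetchAdvisories(array $packages, callable $verboseLog): array
{
    if ($packages === []) { return []; }
    $url = 'https://packagist.org/api/security-advisories/?'
        . implode('&', array_map(static fn (string $p): string => 'packages[]=' . rawurlencode($p), $packages));
    $ctx = stream_context_create(['http' => ['timeout' => 10, 'ignore_errors' => true]]);
    $body = @file_get_contents($url, false, $ctx);
    $data = $body === false ? null : json_decode($body, true);
    if (!is_array($data) || !is_array($data['advisories'] ?? null)) {
        $verboseLog("security-advisories lookup failed, continuing without known vulns: $url");
        return [];
    }
    return $data['advisories'];
}

/** True if the installed version (with or without a leading "v") satisfies the advisory's constraint. */
function isAffected(string $installedVersion, string $affectedVersions): bool
{
    // normalize() maps "v1.2.3" and "1.2.3" to "1.2.3.0" (and throws UnexpectedValueException
    // on garbage); satisfies() evaluates composer constraints such as ">=1.0,<1.2.3|>=2.0,<2.0.4".
    return Semver::satisfies((new VersionParser())->normalize($installedVersion), $affectedVersions);
}

/** @param array<string,string> $installed package => version from composer.lock; returns matching advisories */
function knownVulnerabilities(array $installed, callable $verboseLog): array
{
    $hits = [];
    foreach (fetchAdvisories(array_keys($installed), $verboseLog) as $package => $advisories) {
        foreach (isset($installed[$package]) ? $advisories : [] as $advisory) {
            try {
                $affected = isAffected($installed[$package], (string) ($advisory['affectedVersions'] ?? ''));
            } catch (\UnexpectedValueException $e) {
                $verboseLog("skipping advisory for $package: " . $e->getMessage()); // unparsable version/constraint
                continue;
            }
            if ($affected) { $hits[] = ['package' => $package] + $advisory; }
        }
    }
    return $hits;
}
```

Branch versions such as `dev-main` never satisfy a numeric constraint in composer's library, so they are reported as unaffected rather than raising an error.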