Description
It would be cool to identify the vendor based on the package url for SBOM inputs:
cve-bin-tool/cve_bin_tool/sbom_manager/parse.py
Lines 407 to 414 in 7cbac8f
Right now this works only for checkers/parsers. Maybe move find_vendor_from_purl to the CVEDB, where it's accessible for the Parser and the SBOM manager.
Why?
To avoid false positives in case there is no CPE available, just a package url.
Environment context (optional)
I am using cve-bin-tool version 3.4 from pypi with python3.11 on linux.
I am using the cvedb and cvescan with custom sources and with a modified scanner which adds the results automatically to the input sbom (cyclonedx) with some extra information.
Anything else?
Something like that:

Yes, you're absolutely right that we should be doing this. We'd talked a bunch about how we wanted it to work during the gsoc design phase but there was so much else for the gsoc contributors to do that this never made it in. In our last meeting, @anthonyharrison mentioned we've also got things to do to improve support for purls in OSV data as well as the CPEs, but I don't think the fixes there would change the architecture needed here.
I'm probably not going to get time to work on it this month (at this rate I'm going to spend all my allotted cve-bin-tool time chasing down recalcitrant CI systems in December, and it wouldn't be the first time), so if anyone's interested in doing development on this, that would be fantastic!
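The effect the issue describes, as an added example that is not cve-bin-tool's own code: an SBOM component that carries only a purl is matched against a product name alone, so any vendor shipping a product of the same name produces a hit; resolving the vendor from the purl first narrows the match to vendor+product. The find_vendor_from_purl here borrows the name from the issue but is a stand-in with a constructed lookup table and a namespace heuristic (assumed here for golang and github purls and scoped npm packages); the purl parser covers only the pkg:type/namespace/name@version subset it needs, and every database row and record identifier is constructed for the example, not a real CVE entry.

```python
# Added example, not cve-bin-tool code: resolve vendor+product from a purl so an
# SBOM component without a CPE is not matched on product name alone.
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath (subset of the purl spec)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package url: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0].split("?", 1)[0]  # subpath and qualifiers are not needed here
    version = None
    slash, at = rest.rfind("/"), rest.rfind("@")
    if at > slash:  # an '@' after the last '/' separates the version (scoped npm names keep theirs)
        rest, version = rest[:at], unquote(rest[at + 1:])
    parts = [unquote(p) for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype, name = parts[0].lower(), parts[-1]
    namespace = "/".join(parts[1:-1]) or None
    if ptype in ("pypi", "npm"):  # these ecosystems compare names case-insensitively
        name = name.lower()
    if ptype == "pypi":  # PyPI treats '_' and '-' as the same character
        name = name.replace("_", "-")
    return Purl(ptype, namespace, name, version)


# Constructed lookup standing in for the purl->vendor data the issue proposes to keep
# in the CVE database; these rows are examples, not project data.
PURL_VENDORS: dict[tuple[str, str | None, str], tuple[str, str]] = {
    ("pypi", None, "requests"): ("python-requests", "requests"),
    ("npm", None, "lodash"): ("lodash", "lodash"),
}
# Assumption for this example: in these ecosystems the last namespace segment names
# the maintainer, e.g. pkg:golang/github.com/gin-gonic/gin -> vendor "gin-gonic".
NAMESPACE_NAMES_VENDOR = {"golang", "github"}


def find_vendor_from_purl(purl: Purl) -> tuple[str, str] | None:
    """Return (vendor, product) in CPE terms, or None when the purl gives no hint."""
    hit = PURL_VENDORS.get((purl.type, purl.namespace, purl.name))
    if hit:
        return hit
    if purl.namespace and purl.type in NAMESPACE_NAMES_VENDOR:
        return purl.namespace.rsplit("/", 1)[-1].lower(), purl.name.lower()
    if purl.namespace and purl.type == "npm" and purl.namespace.startswith("@"):
        return purl.namespace[1:], purl.name  # scoped package: @scope/name
    return None


@dataclass(frozen=True)
class DbRow:
    record: str  # constructed identifier, not a real CVE id
    vendor: str
    product: str
    start: str  # version_start_including
    end: str  # version_end_excluding


SAMPLE_DB = [  # constructed rows; sample-2 is an unrelated vendor sharing the product name
    DbRow("sample-1", "python-requests", "requests", "2.0.0", "2.31.0"),
    DbRow("sample-2", "examplecorp", "requests", "1.0.0", "3.0.0"),
    DbRow("sample-3", "lodash", "lodash", "4.0.0", "4.17.21"),
]


def _vkey(version: str) -> tuple[int, ...]:
    """Numeric sort key for dotted versions (non-numeric parts count as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.lstrip("v").split("."))


def matching_records(db: list[DbRow], vendor: str | None, product: str, version: str) -> list[str]:
    """vendor=None reproduces the product-only match that causes the false positives."""
    return [
        row.record
        for row in db
        if row.product == product
        and (vendor is None or row.vendor == vendor)
        and _vkey(row.start) <= _vkey(version) < _vkey(row.end)
    ]


def scan_component(purl_str: str, use_purl_vendor: bool = True, db: list[DbRow] = SAMPLE_DB) -> list[str]:
    """Match one SBOM component, optionally resolving its vendor from the purl first."""
    purl = parse_purl(purl_str)
    vendor, product = None, purl.name
    if use_purl_vendor:
        resolved = find_vendor_from_purl(purl)
        if resolved:
            vendor, product = resolved
    return matching_records(db, vendor, product, purl.version or "0")


if __name__ == "__main__":
    for p in ("pkg:pypi/requests@2.25.0", "pkg:golang/github.com/gin-gonic/gin@v1.9.0"):
        print(p, "product-only:", scan_component(p, use_purl_vendor=False), "with vendor:", scan_component(p))
```

With the product-only path, pkg:pypi/requests@2.25.0 hits both the genuine python-requests row and the unrelated examplecorp row; with the vendor resolved from the purl only the first remains. When find_vendor_from_purl returns None the example falls back to the product-only match, which is the case a real implementation should report rather than silently accept.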