[VEX|VDR] add known vulnerabilities from packagist.org to the SBoM result #146
jkowalleck
started this conversation in
Ideas
Replies: 3 comments
-
This request caused CycloneDX/cyclonedx-php-library#16
-
This feature was originally requested since DependencyTrack/dependency-track#798. Unfortunately, DependencyTrack does not honor the known vulns from the schema extension.
-
Implementation details: DependencyTrack/dependency-track#798 (comment)
-
CDX sbom knows vulnerabilities via
packagist.org - composer's primary source - has an API to list known vulnerabilities per package.
see the docs: https://packagist.org/apidoc#list-security-advisories
implementation detail: the API might have special handling for a leading `v` in versions - or a special format for version constraints (which might be handleable by composer's internal version-constraint library)
summary of feedback/ideas:
- if fetching data from the API fails, simply prompt an error on the increased "verbosity" log level and don't add any vulns to the SBoM result
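The lookup sketched in the post, written out as an added example; this is not code from cyclonedx-php-composer or the CycloneDX project. It assumes composer/semver is installed (`composer require composer/semver`) so that constraint matching is done by Composer's own library rather than by hand, and it assumes the response shape documented at https://packagist.org/apidoc#list-security-advisories (an `advisories` map keyed by package name, each entry carrying an `affectedVersions` constraint string). The function names, the `$httpGet` / `$logVerbose` callables and the sample advisory data are all constructed for the example; the advisory below is not a real one. The failure path follows the post's feedback: a failed fetch is logged and no vulnerabilities are added.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Requires composer/semver (assumption).
require_once __DIR__ . '/vendor/autoload.php';

use Composer\Semver\Semver;
use Composer\Semver\VersionParser;

/**
 * Query the packagist security-advisories API for the given package names.
 * Returns the decoded "advisories" map, or null when the request or the
 * decoding fails. $httpGet is a caller-supplied callable (url -> body) so
 * the transport can be swapped (and faked, as in the demo below).
 */
function fetchAdvisories(array $packageNames, callable $httpGet): ?array
{
    // http_build_query emits packages[0]=..., the documented form is packages[]=...
    $query = preg_replace('/%5B\d+%5D/', '%5B%5D',
        http_build_query(['packages' => array_values($packageNames)]));
    $url = 'https://packagist.org/api/security-advisories/?' . $query;
    try {
        $body = $httpGet($url);
    } catch (\Throwable $e) {
        return null;
    }
    $data = json_decode((string) $body, true);
    if (!is_array($data) || !isset($data['advisories']) || !is_array($data['advisories'])) {
        return null;
    }
    return $data['advisories'];
}

/**
 * Match installed versions against "affectedVersions" constraints.
 * $installed is name => version (a leading "v" as in "v1.2.3" is fine:
 * VersionParser::normalize strips it). Returns name => [advisory, ...].
 */
function matchAdvisories(array $installed, array $advisories): array
{
    $parser = new VersionParser();
    $hits = [];
    foreach ($installed as $name => $version) {
        try {
            $normalized = $parser->normalize($version);
        } catch (\UnexpectedValueException $e) {
            continue; // not a parseable version string; nothing to compare
        }
        foreach ($advisories[$name] ?? [] as $advisory) {
            $constraint = (string) ($advisory['affectedVersions'] ?? '');
            // Semver::satisfies understands composer constraints such as
            // ">=1.0.0,<1.0.5|>=2.0.0,<2.0.3" ("," = and, "|" = or).
            if ($constraint !== '' && Semver::satisfies($normalized, $constraint)) {
                $hits[$name][] = $advisory;
            }
        }
    }
    return $hits;
}

/**
 * Full step for the SBOM build: on fetch failure, log at the verbose level
 * and add nothing; otherwise return the matched advisories.
 */
function collectKnownVulns(array $installed, callable $httpGet, callable $logVerbose): array
{
    $advisories = fetchAdvisories(array_keys($installed), $httpGet);
    if ($advisories === null) {
        $logVerbose('packagist security-advisories lookup failed; no vulnerabilities added to the SBOM');
        return [];
    }
    return matchAdvisories($installed, $advisories);
}

// --- offline demo with constructed data (no real advisory) ---
$installed = ['acme/widget' => 'v1.0.2', 'acme/gadget' => '3.1.0'];
$fakeResponse = json_encode(['advisories' => [
    'acme/widget' => [[
        'advisoryId'       => 'EXAMPLE-0001',          // constructed id
        'packageName'      => 'acme/widget',
        'title'            => 'Constructed example advisory',
        'link'             => 'https://example.invalid/advisory/1',
        'cve'              => null,
        'affectedVersions' => '>=1.0.0,<1.0.5|>=2.0.0,<2.0.3',
    ]],
]]);

$hits = collectKnownVulns($installed, fn(string $url): string => $fakeResponse, 'error_log');
// v1.0.2 falls inside ">=1.0.0,<1.0.5", so acme/widget is reported; acme/gadget is not.
foreach ($hits as $pkg => $list) {
    foreach ($list as $adv) {
        printf("%s %s: %s (%s)\n", $pkg, $installed[$pkg], $adv['advisoryId'], $adv['title']);
    }
}

// Failure path: a transport error must not abort the SBOM build, only skip vulns.
$none = collectKnownVulns($installed,
    function (string $url): string { throw new \RuntimeException('timeout'); }, 'error_log');
assert($none === []);
```

The two callables keep the network and the logger out of the matching logic, so the "fetch failed, add nothing" branch can be exercised without touching packagist.org. If the plugin's bom-refs are purls, the matched entries map onto CycloneDX `vulnerabilities[]` items with `affects[].ref` set to `pkg:composer/<name>@<version>` and `source.url` set to the advisory's `link`.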