Often, there is no 1:1 match between a `component.purl` and a `vulnerability.affects.ref`. Different tools use different techniques to generate aliases to attempt to match a given component (group + name + version) against a vulnerability (group + name + version ranges).

By explicitly specifying an `affects.matched_by`, the alias(es) that resulted in the match could be shared with the consumer tools. https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects_items_ref

Example:

Assume the purl of a package is `pkg:npm/foo/bar@1.0.0`. The vulnerability database has the entry `foo_project : bar-library : <2.0.0`.

`affects.matched_by` would be `["foo_project : bar-library : <2.0.0"]` to inform the consumer tools that the result was obtained with a fuzzy match (by creating variations of the group and name attributes). Without this attribute, the tools currently assume that every single vulnerability was obtained with a precise purl-based match, which need not be the case.
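The matching behaviour the issue describes, as an added example that is not part of the issue or of the CycloneDX project: a toy matcher that records which database alias produced a hit, so a consumer can tell a fuzzy match from an exact purl match. `matched_by` is the field proposed above and is not in the CycloneDX 1.6 schema; `VULN_DB`, `aliases()` and the minimal `<X` range handling are constructed for this example.

```python
import re

# Constructed vulnerability database in the "group : name : range" form the
# issue uses. Only the "<X" range form from the issue's example is supported.
VULN_DB = {
    "VULN-EXAMPLE-1": "foo_project : bar-library : <2.0.0",
}

def parse_purl(purl):
    """Split pkg:TYPE/NAMESPACE/NAME@VERSION into (namespace, name, version)."""
    m = re.fullmatch(r"pkg:[^/]+/(?:([^/@]+)/)?([^/@]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group(1) or "", m.group(2), m.group(3)

def aliases(text):
    """Hypothetical fuzzy variants of a group or name: separators and suffixes."""
    base = text.lower()
    variants = {base, base.replace("_", "-"), base.replace("-", "_")}
    for v in list(variants):
        for suffix in ("-library", "_library", "-project", "_project"):
            variants.add(v + suffix)
    return variants

def version_lt(a, b):
    """Numeric dotted-version comparison; enough for the constructed data."""
    return tuple(int(x) for x in a.split(".")) < tuple(int(x) for x in b.split("."))

def match(purl):
    """Return CycloneDX-style vulnerability entries for a component purl.

    An exact (group, name) match yields a plain affects entry; a hit obtained
    only through aliases carries the proposed matched_by list so the consumer
    can down-weight it or review it by hand.
    """
    ns, name, version = parse_purl(purl)
    findings = []
    for vuln_id, entry in VULN_DB.items():
        group, vname, vrange = (p.strip() for p in entry.split(":"))
        if not vrange.startswith("<") or not version_lt(version, vrange[1:]):
            continue
        exact = (group, vname) == (ns, name)
        fuzzy = group in aliases(ns) and vname in aliases(name)
        if exact or fuzzy:
            affects = {"ref": purl}
            if not exact:
                affects["matched_by"] = [entry]  # proposed field, not in the schema
            findings.append({"id": vuln_id, "affects": [affects]})
    return findings
```

Running `match("pkg:npm/foo/bar@1.0.0")` yields one finding whose affects entry carries `matched_by`, while `pkg:npm/foo_project/bar-library@1.5.0` matches exactly and gets none.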