Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for specifying how a vulnerability was matched against a component #460

Open
prabhu opened this issue May 8, 2024 · 0 comments
Open

Comments

@prabhu
Copy link
Contributor

prabhu commented May 8, 2024

Often, there is no 1:1 match between a component.purl and a vulnerability.affects.ref. Different tools use different techniques to generate aliases to attempt to match a given component (group + name + version) against a vulnerability (group + name + version ranges).

By explicitly specifying a affects.matched_by, the alias(es) that resulted in the match could be shared with the consumer tools.

https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects_items_ref

Example:

Assume, the purl of a package is pkg:npm/foo/bar@1.0.0. The vulnerability database has the entry foo_project : bar-library : <2.0.0

affects.matched_by would be ["foo_project : bar-library : <2.0.0"] to inform the consumer tools that the result was obtained with a fuzzy match (by creating variations of the group and name attributes). Without this attribute, the tools currently assume that every single vulnerability was obtained with a precision purl based match, which need not be the case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant