Nemo

Will reply soon with a detailed proposal for why I think this is important. I haven’t checked the scoping options yet. I see there’s no meeting on the 21st Thursday,...

I've looked at the scoping options, and the various feature requests for that, and that doesn't fit this use-case. An SBOM should be an actual artifact of all the components...

> What's your end Ideal state for syft in how it surfaces base images A PURL that points to the correct base image. While #2294 is great, those are not...

Thanks a lot for the advisory, this is helpful. I think the questions raised in this issue have been well answered now, so we can close this now.

How should package-maintainers get credited? `remediation developer` ?

VMWare Photon OS advisories have a similar challenge: [PHSA-2022-0304](https://github.com/vmware/photon/wiki/Security-Update-4.0-304) is an advisory issued against 3 CVES: ['[CVE-2022-43552](https://nvd.nist.gov/vuln/detail/CVE-2022-43552)', '[CVE-2022-4415](https://nvd.nist.gov/vuln/detail/CVE-2022-4415)', '[CVE-2022-43551](https://nvd.nist.gov/vuln/detail/CVE-2022-43551)']. As such, the severity is on a per-package level: > ###...

The domain is now parked. @andreausu Any chance this might get fixed soon?

I like this change as I've faced similar issues with the hook.

I think there should be a static badge that always says "build-passing", irrespective of the last build status.

@spyoungtech Did you end up publishing this somewhere?