
Support for specifying how a vulnerability was matched against a component

Open prabhu opened this issue 1 year ago • 0 comments

Often, there is no 1:1 match between a component.purl and a vulnerability.affects.ref. Different tools use different techniques to generate aliases to attempt to match a given component (group + name + version) against a vulnerability (group + name + version ranges).

By explicitly specifying an affects.matched_by, the alias(es) that resulted in the match could be shared with the consumer tools.

https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects_items_ref

Example:

Assume the purl of a package is pkg:npm/foo/[email protected]. The vulnerability database has the entry foo_project : bar-library : <2.0.0

affects.matched_by would be ["foo_project : bar-library : <2.0.0"] to inform the consumer tools that the result was obtained with a fuzzy match (by creating variations of the group and name attributes). Without this attribute, the tools currently assume that every single vulnerability was obtained with a precise purl-based match, which need not be the case.

prabhu avatar May 08 '24 12:05 prabhu
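The matching process the issue describes, as an added illustration that is not part of the CycloneDX specification, any scanner, or the issue author's own code: a purl is split into group/name/version, the fuzzy matcher generates alias variations of the group and name (suffix stripping, separator swaps), a version-range check is applied, and the resulting `affects` entry carries the proposed `matched_by` field only when the match was fuzzy rather than an exact group+name match. The `matched_by` field is the issue's proposal and is not a defined schema field; the database entries, the alias rules and the purl version `1.2.3` are all constructed for this example (the page's own purl has its version obscured).

```python
"""Added example: purl-vs-vulnerability matching that records the alias used.

Illustration code for this page only. `matched_by` is the field proposed in
the issue above, not a CycloneDX schema field. All sample data is constructed.
"""
import re

# Suffixes that advisory databases and ecosystems commonly append to a group
# or name; stripping them is one "variation" a fuzzy matcher tries (assumption).
_SUFFIXES = ("_project", "-project", "_library", "-library", "_lib", "-lib")


def parse_purl(purl: str):
    """Split 'pkg:type/namespace/name@version' into (type, namespace, name, version).

    Qualifiers ('?...') and subpaths ('#...') are dropped; '%40' in the
    namespace is decoded so npm scopes compare as '@scope'.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, path = body.partition("/")
    path, _, version = path.rpartition("@") if "@" in path else (path, "", "")
    parts = [p for p in path.split("/") if p]
    name = parts[-1]
    namespace = "/".join(parts[:-1]).replace("%40", "@")
    return ptype, namespace, name, version or None


def aliases(token: str) -> set:
    """Variations of a group or name that a fuzzy matcher would try."""
    bases = {token.lower()}
    for suffix in _SUFFIXES:
        if token.lower().endswith(suffix):
            bases.add(token.lower()[: -len(suffix)])
    out = set()
    for t in bases:
        out.update({t, t.replace("-", "_"), t.replace("_", "-"), re.sub(r"[-_.]", "", t)})
    return out


def _ver(v: str) -> tuple:
    """Loose numeric version key: '1.2.3-beta' -> (1, 2, 3); padded to 3 parts."""
    nums = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (3 - len(nums)))


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "==": lambda a, b: a == b,
}


def in_range(version: str, range_expr: str) -> bool:
    """Every comma-separated clause ('>=1.0.0, <2.0.0') must hold."""
    v = _ver(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>|=)?\s*([0-9][\w.\-]*)\s*", clause)
        if not m:
            raise ValueError("bad range clause: %r" % clause)
        if not _OPS[m.group(1) or "="](v, _ver(m.group(2))):
            return False
    return True


def parse_db_entry(entry: str):
    """'group : name : range' (the format used in the issue) -> (group, name, range)."""
    group, name, range_expr = [p.strip() for p in entry.split(":", 2)]
    return group, name, range_expr


def match(purl: str, db_entries) -> list:
    """Return CycloneDX-style vulnerability.affects entries for `purl`.

    An exact group+name match yields just {"ref": purl}. A fuzzy (alias) match
    additionally carries the proposed "matched_by" list so consumers can tell
    the two apart. A purl without a version cannot be range-checked and is skipped.
    """
    _, namespace, name, version = parse_purl(purl)
    if version is None:
        return []
    results = []
    for entry in db_entries:
        group, db_name, range_expr = parse_db_entry(entry)
        exact = group == namespace and db_name == name
        fuzzy = bool(aliases(group) & aliases(namespace)) and bool(aliases(db_name) & aliases(name))
        if not (exact or fuzzy) or not in_range(version, range_expr):
            continue
        affects = {"ref": purl}
        if not exact:
            affects["matched_by"] = [entry]  # proposed field; hypothetical
        results.append(affects)
    return results


# Constructed sample database; first entry mirrors the one in the issue.
DB = ["foo_project : bar-library : <2.0.0", "acme : widget : >=1.0.0, <1.4.2"]
SAMPLE_PURL = "pkg:npm/foo/bar@1.2.3"  # constructed; version chosen for illustration

if __name__ == "__main__":
    print(match(SAMPLE_PURL, DB))
    print(match("pkg:npm/acme/widget@1.2.0", DB))
```

Running it shows the difference a consumer would otherwise lose: `pkg:npm/foo/bar@1.2.3` matches only via the aliases `foo_project -> foo` and `bar-library -> bar`, so its entry carries `matched_by`, while `pkg:npm/acme/widget@1.2.0` matches exactly and carries none.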