dependency-track
New Repositories are required: Github and Sourceforge
Many of the FOSS SW components we are using for our internal services are placed on Github and Sourceforge repositories. In accordance with standards we have to look for ALL known vulnerabilities.
Current Behavior:
To look for CVE vulnerabilities for FOSS on Github and Sourceforge we use almost exclusively registered/available CPE strings. But much of the FOSS there may not have a registered CPE and may have a GHSA only.
Java, Python, etc. applications and libraries are placed on repositories like Maven, PyPI, etc. These repositories are available in the DT and Sonatype OSS ecosystems.
But the apps and libraries we are using are written in C/C++ and placed almost exclusively on Github and Sourceforge repositories. Unfortunately, Github and Sourceforge repositories are not present in the ecosystems. So we are currently limited to using CPEs and CVEs.
Proposed Behavior:
It is necessary to add Github and Sourceforge as repositories in order to look up GHSAs and the actuality of components' PURLs:
- pkg:github/protobuf/[email protected]
- pkg:sourceforge/bzip2/[email protected]
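To make the gap in the issue concrete, here is an added example (not Dependency-Track's own code) that parses package URLs of the kinds listed above and reports which components would get purl-based repository/advisory lookups and which fall back to CPE matching. The `ECOSYSTEM_TYPES` set and the sample versions are assumptions constructed for the example; the page's own examples have obfuscated versions.

```python
import re
from urllib.parse import unquote

# Constructed sample inventory; versions are placeholders for illustration only.
SAMPLE_PURLS = [
    "pkg:maven/org.apache.commons/commons-text@1.9",
    "pkg:pypi/requests@2.25.1",
    "pkg:github/protobuf/protobuf@v3.20.0",
    "pkg:sourceforge/bzip2/bzip2@1.0.8",
]

# Purl types assumed to have a repository/ecosystem analyzer configured.
# This is an assumption for the example, not the project's actual list.
ECOSYSTEM_TYPES = {"maven", "pypi", "npm", "nuget", "gem", "cargo", "golang"}

# Simplified purl grammar: pkg:type/namespace/name@version?qualifiers#subpath
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.+))?$"
)

def parse_purl(purl):
    """Split a package URL into its components; percent-decodes each part."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a valid purl: {purl}")
    parts = {k: (unquote(v) if v else None) for k, v in m.groupdict().items()}
    parts["type"] = parts["type"].lower()
    raw_q = parts["qualifiers"]
    parts["qualifiers"] = dict(q.split("=", 1) for q in raw_q.split("&")) if raw_q else {}
    return parts

def classify(purl):
    """'ecosystem' if the purl type gets advisory/latest-version lookup, else 'cpe-only'."""
    return "ecosystem" if parse_purl(purl)["type"] in ECOSYSTEM_TYPES else "cpe-only"

def coverage_report(purls):
    """Count how many components of an inventory fall into each lookup path."""
    report = {"ecosystem": 0, "cpe-only": 0}
    for purl in purls:
        report[classify(purl)] += 1
    return report

if __name__ == "__main__":
    for purl in SAMPLE_PURLS:
        print(f"{classify(purl):10s} {purl}")
    print(coverage_report(SAMPLE_PURLS))
```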