DmitriyLewen

Results 384 comments of DmitriyLewen

@wjunLu left notes. Take a look, please. Also use `go mod edit -replace github.com/aquasecurity/trivy-db=github.com/wjunLu/trivy-db@` + `go mod tidy` (currently https://github.com/aquasecurity/trivy-db/pull/397/commits/21eae95a765ba5ee9f151b7ff73cab2da715592d) command and push into this PR. This is necessary...

Hello @wjunLu, sorry for the delay in reviewing. We are focused on fixing bugs, fixing the `429` error in Trivy-db and other high priority tasks. Your PR is adding a new...

Hello @svrnwnsch https://github.com/aquasecurity/trivy/milestone/34

> It's intended now. NVD (and other vendors) frequently delays its analysis, while Red Hat usually assesses vulnerabilities quickly. Then, we used to have many vulnerabilities with the "unknown" severity....

We try to collect all common information in https://avd.aquasec.com (I will check why the site doesn't contain the RedHat severity). If you need more information about a vulnerability, you can use `json`...

> Or return an error, like several versions found?

I think this is a bad idea. I think it's not their own binaries that users are scanning, so they can't update...

> How do they embed versions without using ldflags?

Sorry, my brain isn't working well today. I checked the binaries installed on my PC using the `go install` command....

Just to confirm that I understood you correctly:

1) `github.com///cmd/*/*.version=x.x.x` format - format only:
   - `github.com/google/go-containerregistry/cmd/crane/any.Version=1.0.0` => `1.0.0`.
   - (cmd from non-root dir): `github.com/google/go-containerregistry/v1/cmd/crane/any.Version=1.0.0` => step 2
   - format +...

I thought of the following logic: the package from `pom.properties` (when it matches the jar name) or the package from MANIFEST is the main package, and the remaining packages (nested jars, `pom.properties` with other names)...