anthonyharrison
I have just looked at the code in cli.py and if the epss_probability or percentile is out of range, a default value of 0 is assumed (which is OK if...
@terriko I think the changes made to the SBOM parsing in `sbom_manager/parse.py` and the changes due to #4178 in which Purl references are prioritised over CPE references should be sufficient...
@mastersans @terriko it is a bug but appears to be limited to SPDX SBOMs in JSON format only.
@alext-w The issue with two GCC versions not being detected in the binary is a cve-bin-tool issue and not a lib4sbom library problem. I think a separate issue for this...
@terriko Generating SBOMs from binaries is a very useful feature and not found in many other OSS products. However I wonder whether we need to start thinking about a bit...
@prabhu This looks like an interesting approach but represents a very different technique to the current approach implemented by the tool (using string based checkers). Would be interested in seeing examples...
@terriko Scanning a group of SBOMs would be interesting. However, I think we would need to ensure that we track a vulnerability to the relevant SBOM otherwise it becomes difficult...
#2685 also suggests using purl to improve product management. Note there is not a 1-1 mapping of cpe to purl (or vice versa!), so there will need to be some...
Having spent a bit more time looking at this, I think this is an awesome idea. I note that there is a utility which loads the data into an sqlite...
@terriko I have played with quite a lot of the open source container SBOM generation tools and they all seem to have their quirks and use the SBOM parameters in...