Results: 41 issues of anthonyharrison

A few comments on the Package List processing which is performed by cve-bin-tool. Pinging @BreadGenie for initial comment. BUG: If the distribution is not supported (e.g. Kali, Raspbian) the error...

Given that there is now an option to scan a package list, it would be a useful enhancement to support the scanning of the list of software installed on a...

The example SPDX document in XML doesn't reference a schema and the schemas directory only contains a JSON schema. Does an XML schema exist for the XML format so that...

### Description

The JSON file just contains the metadata associated with each CVE. There is nothing related to the date of the scan or the database which has been used...

enhancement

The [reference](https://cyclonedx.org/docs/1.4/json/#vulnerabilities_items_affects_items_versions_items_range) in the JSON 1.4 documentation to the PURL vers is no longer correct. I am not sure if [PURL](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst) supports version ranges now.

question

The validation of the cpe23Type does not support strings such as:

- `cpe:2.3:a:ahmed_h.:spdx-tools:0.8.3.dev1+g8050fd9c:*:*:*:*:*:*:*` (the version string contains `+`)
- `cpe:2.3:a:debian_gcc_maintainers:libstdc++6:12.2.0-9:*:*:*:*:*:*:*` (the product name contains `+`)

The cpe definition states a product name...

bug

It would appear that vet currently only supports the JSON format of SPDX and not the other formats (e.g. tag-value). Update documentation to make this clear and if possible...

### Description

There are now multiple data sources of vulnerabilities which can be used to assess components. Supporting more may provide more accurate reporting of vulnerabilities.

### Why?

With the...

enhancement

Tried on a Python repository and I get a runtime failure.

```
panic: runtime error: slice bounds out of range [2:0]
goroutine 1 [running]:
github.com/advanced-security/gh-sbom/pkg/dependency-graph.makeQuery({0x7a1f08, 0xc000068440}, {0x7fffd27c522b, 0xf}, {0x7fffd27c523b, 0x4}, 0x0,...
```