new metrics in risk-security

Open king-gao opened this issue 4 years ago • 3 comments

Today more and more OSS is integrated from other OSS components. I see license conflict is already in the license metrics section. In addition, vulnerabilities are one of the important indicators of security.

So, in this scenario, can we measure the project vulnerabilities completely and accurately? We can use the SBOM to find the vulnerabilities from the OSS projects being integrated, and check whether every vulnerability is correct and publish the vulnerabilities in the community?

king-gao avatar Mar 26 '20 16:03 king-gao

Thanks @king-gao @sgoggins can give some insight on this. I think this is something that we can cover with Augur but not sure how robust it is at the moment.

germonprez avatar Mar 27 '20 11:03 germonprez

Maybe we can use the SBOM (the project's OSS list); we can sum the total vulnerabilities and diff with the project vulnerabilities :)

king-gao avatar Mar 27 '20 11:03 king-gao

The challenge that I always run into with vulnerabilities is how to discover them. The NIST NVD is deep, but determining CPEs to find the vulnerabilities always proves to be a challenge.

germonprez avatar Mar 27 '20 12:03 germonprez
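The two ideas in this thread, king-gao's "sum the SBOM's vulnerabilities and diff against what the project reports" and germonprez's point that the hard part is mapping components to CPEs before the NVD can be queried, can be shown together in one small script. This is an added example, not code from the CHAOSS wg-risk thread, from Augur, or from the NVD tooling. The SBOM fragment, the vulnerability table and the project's own disclosure list are all constructed sample data; the `CVE-0000-000x` identifiers are placeholders, and the `versionStartIncluding`/`versionEndExcluding` fields mirror the range fields the NVD uses in its CPE match data.

```python
"""SBOM-driven vulnerability metric: count the known vulnerabilities inherited
from integrated components and diff that set against what the project itself
has disclosed. Components that carry no CPE are reported separately, because
they are exactly the ones a name-only lookup against the NVD may miss."""
import json
import re

# Constructed CycloneDX-style SBOM fragment for a hypothetical project.
# The third component deliberately has no CPE.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libparse", "version": "1.2.3",
     "cpe": "cpe:2.3:a:example:libparse:1.2.3:*:*:*:*:*:*:*"},
    {"type": "library", "name": "netio", "version": "0.9.0",
     "cpe": "cpe:2.3:a:example:netio:0.9.0:*:*:*:*:*:*:*"},
    {"type": "library", "name": "fastjson-clone", "version": "2.0.1"}
  ]
}
"""

# Constructed vulnerability records in the shape of NVD CPE match data:
# vendor/product plus a version range (start inclusive, end exclusive).
# The IDs are placeholders, not real CVEs.
VULN_TABLE = [
    {"id": "CVE-0000-0001", "vendor": "example", "product": "libparse",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.3.0"},
    {"id": "CVE-0000-0002", "vendor": "example", "product": "libparse",
     "versionStartIncluding": "1.2.5", "versionEndExcluding": "1.2.9"},
    {"id": "CVE-0000-0003", "vendor": "example", "product": "netio",
     "versionStartIncluding": "0.0.0", "versionEndExcluding": "1.0.0"},
]

# Vulnerabilities the hypothetical project has disclosed on its own (constructed).
PROJECT_DISCLOSED = {"CVE-0000-0001"}


def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so ranges compare numerically, not
    lexically ('1.10' must sort after '1.9'). Non-numeric suffixes such as
    '3-rc1' are reduced to their leading digits."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in v.split("."))


def parse_cpe23(cpe: str):
    """Extract (vendor, product, version) from a CPE 2.3 formatted string:
    cpe:2.3:<part>:<vendor>:<product>:<version>:..."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4], parts[5]


def component_identity(component: dict):
    """Prefer the CPE the SBOM carries; otherwise fall back to name/version
    with an unknown vendor, which is where CPE discovery becomes guesswork."""
    if "cpe" in component:
        return parse_cpe23(component["cpe"])
    return None, component["name"], component["version"]


def matches(record: dict, vendor, product: str, version: str) -> bool:
    """NVD-style match: product (and vendor, when known) must be equal and the
    version must fall inside [start, end)."""
    if record["product"] != product:
        return False
    if vendor is not None and record["vendor"] != vendor:
        return False
    v = parse_version(version)
    return (parse_version(record["versionStartIncluding"]) <= v
            < parse_version(record["versionEndExcluding"]))


def vulnerabilities_from_sbom(sbom_json: str, vuln_table: list) -> dict:
    """Map each 'name@version' in the SBOM to the vulnerability IDs it matches."""
    sbom = json.loads(sbom_json)
    result = {}
    for comp in sbom["components"]:
        vendor, product, version = component_identity(comp)
        key = f"{comp['name']}@{comp['version']}"
        result[key] = sorted(r["id"] for r in vuln_table
                             if matches(r, vendor, product, version))
    return result


def vulnerability_metric(sbom_json: str, vuln_table: list, disclosed: set) -> dict:
    """The proposed metric: total inherited vulnerabilities, the diff against
    the project's own disclosures, and the components that could not be
    looked up by CPE at all."""
    per_component = vulnerabilities_from_sbom(sbom_json, vuln_table)
    inherited = set().union(*per_component.values())
    components = json.loads(sbom_json)["components"]
    return {
        "inherited_total": len(inherited),
        "undisclosed": sorted(inherited - disclosed),
        "disclosed_not_inherited": sorted(disclosed - inherited),
        "no_cpe": [f"{c['name']}@{c['version']}" for c in components if "cpe" not in c],
    }


if __name__ == "__main__":
    print(json.dumps(vulnerability_metric(SBOM_JSON, VULN_TABLE, PROJECT_DISCLOSED), indent=2))
```

With the sample data, `libparse@1.2.3` matches only the first record (it is below the second record's start), `netio@0.9.0` matches the third, and `fastjson-clone@2.0.1` is flagged under `no_cpe` rather than silently scored as clean; the diff shows one inherited vulnerability the project has not disclosed.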