John Vandenberg
c.f. https://osv.dev/vulnerability/RUSTSEC-2024-0421
**Describe the bug** https://github.com/blst-security/cherrybomb/blob/c37520abfe7abb8409596c205abb3ddf83d3554b/cherrybomb-engine/src/scan/passive/additions_checks.rs#L168-L193 only allows u16 and "default" https://swagger.io/docs/specification/v3_0/describing-responses/ allows ranges like "4XX"
**What happened**: On mac, install an app using brew e.g. `brew install slack`, then run syft on the .app, which is a directory. It finds a bunch of executables,...
**What would you like to be added**: .msi files are a very common way to distribute applications on Windows. https://en.wikipedia.org/wiki/Windows_Installer provides an overview of this format. It is part of official...
**What happened**: Here are examples of an NVD entry with a CPE which I guess does not match what syft produces. https://nvd.nist.gov/vuln/detail/CVE-2023-39951 uses `cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:*:*:*:*:*:*:*:*` This is in https://github.com/open-telemetry/opentelemetry-java-instrumentation https://nvd.nist.gov/vuln/detail/CVE-2023-25151 uses `cpe:2.3:a:linuxfoundation:opentelemetry-go_contrib:0.38.0:*:*:*:*:opentelemetry-go:*:*`...
**What happened**: When I use syft on binaries built with cargo-auditable, the CPEs always have a `language` = `*`. When I use syft on the Cargo.lock or binaries built with...
If I understand correctly from https://github.com/anchore/syft/issues/2348 and https://github.com/anchore/syft/pull/3371, devDeps are excluded when using package-lock.json. However, for pnpm lock files, I am seeing dev deps output in the SBOM...
https://crates.io/crates/serde_yaml latest version is "v0.9.34+deprecated" - uploaded March 2024 Repo https://github.com/dtolnay/serde-yaml was also archived. Forks: - ~~https://github.com/sebastienrousseau/serde_yml/commits/master/ - 110 commits - uses https://crates.io/crates/libyml instead of also unmaintained `unsafe-libyaml`~~ (see https://github.com/rustsec/advisory-db/issues/2212)...
https://crates.io/crates/custom_derive is unmaintained. Last release was Nov 2016. It seems fairly clear that maintainer Daniel Keep would not object to it being declared as unmaintained. The crate description includes >...
### Pre-flight checklist - [x] I have read the [contribution documentation](https://github.com/electron/forge/blob/main/CONTRIBUTING.md) for this project. - [x] I agree to follow the [code of conduct](https://github.com/electron/electron/blob/main/CODE_OF_CONDUCT.md) that this project uses. - [x]...