Niklas

icon indicating an email [email protected]

icon location Kiel, Germany icon location "I have no idea why this works. You better don't touch it."

Results 833 comments of Niklas

Migrate from NVD data feeds to NVD API 2.0

Yes, kind of. We are planning to implement support for the new API as opt-in feature, while still keeping the legacy feed functionality around as default mechanism. Because the API...

Migrate from NVD data feeds to NVD API 2.0

As raised in Slack, implementation of this should involve updating the documentation as well: https://owasp.slack.com/archives/C6R3R32H4/p1697628231823949

system wide vulnerability management

IMO for use-cases like this one (and many others, like policies) we need something like [OPA](https://www.openpolicyagent.org/). Some form of lightweight, sandboxed script or DSL. Otherwise we'll end up in configuration-/input-field-hell....

system wide vulnerability management

Hey all, we're currently looking into this and have put some documentation down here: https://github.com/DependencyTrack/hyades/issues/930 High-level overview: * Use [CEL expressions](https://dependencytrack.github.io/hyades/0.2.0/usage/policy-compliance/expressions/) instead of RegEx / PURL equality to match with...

Last repository tag picked over first reachable when determining version

Hi, this is indeed custom logic on cdx-gomod's side. However, it will (should) only pick the tag when the current `HEAD` commit is tagged. So if the current `HEAD` is...

No Author information in SBOM

Not as of now, but we can easily add this capability. Is there any preferred way of providing this information, considering that potentially multiple authors would need to be added?

Documention: Hierarchical merge metadata requirement

"Subject" just refers to the [`metadata.component`](https://cyclonedx.org/docs/1.4/json/#metadata_component) element of the BOM. `metadata.component` should be populated by every SBOM generator per default. It will have the details of the project you generated...

Components - Sort Vulnerabilities by Severity

Pre v4.11, this was not possible to do since the severity was not stored in the database (https://github.com/DependencyTrack/dependency-track/issues/2474). This has changed as of v4.11, so the enhancement is now unblocked.

Using the gh-gomod-generate-sbom action, fails when execution the "Cheap trick" gocmd.ModWhy call

Is it possible to provide some kind of minimal reproducer for this? I have not been able to replicate this so far. Generally, if a project depends on private modules,...

Using the gh-gomod-generate-sbom action, fails when execution the "Cheap trick" gocmd.ModWhy call

Thanks for the input @bcordobaq. I ran the `go mod why` command from within the container, and I got this error: ``` failed to initialize build cache at /.cache/go-build: mkdir...