Arnout Engelen
Repology records CPE bindings (https://repology.org/security/recent-cpes), which could for example tell us that CVE-2015-1773 should be associated with `apache-flex-sdk` instead of with the `flex` lexer generator
Possible ideas to improve local tool performance include:
* #118
* #117
* #132
* #131
Instead of placing it on disk as 231006 files, we might want to cache a 'processed' blob in a single file. This might be faster to ingest. Format could range...
When we cache the results of webservice calls per advisory id, if in subsequent runs we don't encounter new advisories we could skip the call to the ws entirely.
Seems like a mostly invalid report, let's try and use #32 for that when the online tool is deployed
Apparently the pname matching is incorrectly also looking at the 'running on/with' CPE of https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0190
Running the local scanner on the testcase at https://github.com/Nix-Security-WG/nix-security-tracker/tree/c35f957fc02b101ee06eb5096d7f05cd87e539d73be45b19d4b97520173c48defa4c6747156d6dcf, it reports [CVE-2021-26720](https://www.cve.org/CVERecord?id=CVE-2021-26720) in avahi. This issue only affects Debian (and SUSE), which is not possible to see from the advisory...
When the local vulnerability scan detects new vulnerabilities, the user should somehow be notified of this. One approach might be to use systemd's `OnFailure` option for this: the `OnFailure` could...
Cache the output of sbomnix somewhere in the cache directory, using the readlink'd derivation path as hash key. That way, when running the tool on the same system again, only...
Don't 'blindly' wait 8 seconds, but look at the responses which give information on whether you're rate limited