Will Murphy
Hi @msmeissn thanks very much for the PR! In order to merge this, we'll also need to improve Vunnel's parsing of the SUSE OVAL XML. Specifically, because the Vunnel provider...
Note for next steps: This results in a fair number of new findings, so the next step is to label some vulnerabilities in vulnerability match labels, e.g.: ``` TOOL PARTITION...
@msmeissn I have some questions here: On a vulnerability listing like https://www.suse.com/security/cve/CVE-2019-20838.html, in the table "Status of this issue by product and package", I see that SUSE Linux Enterprise Server...
Thanks @msmeissn - I was not aware that SUSE vulnerability feed was available in CSAF.
I'm marking this as "awaiting response" since it looks like we are waiting for @douglasclarke to respond to @wagoodman's comment on https://github.com/douglasclarke/syft/pull/7.
Hi @dfandrich, > The data displayed for Mageia vulnerabilities at osv.dev contains all the data of the canonical source, so pulling it from there should be viable. Could you point...
This was discussed at our [Apr 24 livestream](https://anchorecommunity.discourse.group/t/april-24th-open-source-gardening-live-stream/410?u=willmurphy), so if you'd rather hear us talk about it live head on over there. And please share your ideas! I think this...
In its current form, this is not the change suggested at https://github.com/anchore/vunnel/pull/863#issuecomment-3461817801. https://github.com/anchore/grype-db/pull/686/files#diff-af698832ba49e27cd15a534e0c885e607ec0eb94a07cd2165f03f09a2265bcbeR61-R70 has an example. To re-iterate: 1. Vunnel should emit records that mean "rootio has published a...
Since the vunnel NVD provider only runs on changed records, a more reliable / easier place to fix is probably deduplicating in grype-db. Will put up a PR there and...
Closing in favor of https://github.com/anchore/grype-db/pull/744 which does the same thing in grype-db, which is a better point for that since, due to caching and other optimizations, vunnel only touches the...