witchcraze

Results 10 comments of witchcraze

Please let me share my experience. Maybe something will help you. In my organization, engineers install various software with various methods. Someone will use the OS vendor's package. Someone will...

Yes, I agreed with your discussion (https://github.com/endoflife-date/endoflife.date/discussions/365). But most teams use OS packages in our organization, and only applying upstream EOL with running software versions was not effective. I felt this...

I forgot when, but Ubuntu changed their Release wiki layout and "End of Life" definition without Extended Security Maintenance. Ubuntu's current EOL seems to be the end of Extended Security Maintenance. (but I...

Please let me report additional not listed cases. syft does not detect redis from 3/8 OS/ARCH of redis:latest. ``` $ syft -q --platform=linux/386 redis | grep redis $ $ syft...

Thank you for your confirmation. This is a report showing actual examples with widely-used software. There are no further nuances beyond this.

Thank you for your confirmation. Let me report my environment (WSL2). ``` $ cat /etc/os-release PRETTY_NAME="Ubuntu 22.04.4 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.4 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"...

Thank you for your confirmation. > Trying to see if I got it correctly: given a package database for OS packages you'd like Syft to determine or infer the provenance...

Thank you for your comment. I do not know the details, but that sounds like a good idea. I agree `filtered out` first, and it has the possibility of providing a proper scan for major...

Thank you for your understanding of the first topic. Yes, I think so too. If `APT-Sources` is not Debian, the reference vulnerability dataset will not be Debian's OVAL, but NVD. And I...

FYI: Recently, I have been trying to gather OS packages in major software. By matching with our data, I think I can judge whether installed packages are OS packages or not. // I'll...