Zach Hill

Results 74 comments of Zach Hill

It would be helpful to have the "expected" and "observed" metadata (uid, guid, mode, checksums) for the files so that a user can determine if the pkgdb entry matches the...

I think we should distinguish between .NET/CLR support and NuGet support. A NuGet cataloger should look at the `*.nuspec` file: https://docs.microsoft.com/en-us/nuget/reference/nuspec and as you mentioned the `*.deps.json` to get information...

That is in line with the current anchore engine behavior, which can only add new entries to the list, not modify an existing entry.

The current generation logic generates: `cpe:2.3:a:*:redis::*:*:*:*:node.js:*:*`, so that should catch this vulnerability in the downstream use in Grype. It's the other generated CPEs that don't include the "node.js" target_sw field...

Looking at the current code, I don't think we have anywhere to add vendor mappings; they are only on the product side. It seems like there are 2 paths possible:...

Hi @rmoriz, First, thanks for the great issue report and detail to help reproduce. I appreciate the time you took to put that together. The issue was a recently introduced...

Follow up for @rmoriz: We've pushed an update into the feeds themselves that will remove the need for you to do the CVE flush, so you should now just be...

We use the Debian feeds for severity, so in this case it's up to the Debian maintainers to decide to use CVSS2 or CVSS3, and they have it marked as...

@nightfurys is this blocked by anything?

@hariramb is there a specific public image you're looking at or are these your own images? I'm looking at the cern/slc6-base:latest. Is that similar to what you're using or do...