-
**Is your enhancement request related to a problem? Please describe.**
DejaCode allows loading packages associated with a product from an SBOM. A modern SBOM that fulfills requirements such as [BSI T…
-
### Problem Statement
As of Kyverno 1.11, we support conditions in every attestation entry. That is, we cannot use the payload in one attestation and use it while verifying a different signed attest…
-
The documentation isn't clear on this, so I'd like to ask what the _merge-vex_ command is for.
The documentation simply states:
> This command requires two input files, a SBOM and a VEX file that …
-
e.g., https://github.com/CycloneDX/bom-examples/tree/master/VEX/Use-Cases/Case-4
For false positives like:
- https://github.com/kubernetes/kubernetes/pull/121338#issuecomment-1771341403
-
Hi
I am trying to ingest this SBOM, https://raw.githubusercontent.com/CycloneDX/bom-examples/master/VEX/vex.json, which is an example from CycloneDX.
It identifies the format correctly, but duri…
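The merge-vex question above and the vex.json ingestion report both hinge on the same property of CycloneDX VEX: a VEX document is itself a CycloneDX BOM that may carry no `components` at all, only `vulnerabilities` whose `affects[].ref` entries point at bom-refs in a separate SBOM, either as a bare bom-ref or as a BOM-Link (`urn:cdx:<serialNumber>/<version>#<bom-ref>`). The following is an added example, not code from any of the tools these issues are filed against, showing what a merge step has to do: resolve each reference against the target SBOM, refuse BOM-Links that name a different BOM or BOM version, fold applicable statements into the SBOM's own `vulnerabilities` list by id, and report anything it could not place. The embedded SBOM and VEX are constructed, the `EXAMPLE-*` identifiers are placeholders rather than real advisories, and the merge rules (match by id, VEX `analysis` supersedes an existing one) are this example's own choices.

```python
import copy
import json
import re

# CycloneDX BOM-Link: urn:cdx:<serialNumber UUID>/<version>#<bom-ref>
BOM_LINK_RE = re.compile(r"^urn:cdx:([0-9a-fA-F-]{36})/(\d+)(?:#(.+))?$")

# Constructed sample SBOM; the purls and bom-refs are placeholders, not real packages.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:11111111-2222-4333-8444-555555555555",
  "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/parser@2.8.0",
     "name": "parser", "version": "2.8.0"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/util@1.0.0",
     "name": "util", "version": "1.0.0"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0002",
     "affects": [{"ref": "pkg:maven/org.example/util@1.0.0"}],
     "analysis": {"state": "in_triage"}}
  ]
}"""

# Constructed sample VEX: a CycloneDX BOM with no components, only statements.
# EXAMPLE-* identifiers are placeholders, not real advisories.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-0001",
     "affects": [{"ref": "urn:cdx:11111111-2222-4333-8444-555555555555/1#pkg:maven/org.example/parser@2.8.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-0002",
     "affects": [{"ref": "pkg:maven/org.example/util@1.0.0"}],
     "analysis": {"state": "exploitable", "response": ["update"]}},
    {"id": "EXAMPLE-0003",
     "affects": [{"ref": "urn:cdx:99999999-8888-4777-8666-555555555555/1#pkg:maven/org.example/util@1.0.0"}],
     "analysis": {"state": "not_affected"}},
    {"id": "EXAMPLE-0004",
     "affects": [{"ref": "pkg:maven/org.example/missing@0.1.0"}],
     "analysis": {"state": "not_affected"}}
  ]
}"""


def component_refs(sbom):
    """Collect every bom-ref the SBOM declares, nested components included."""
    refs = set()
    meta = sbom.get("metadata", {}).get("component", {})
    if "bom-ref" in meta:
        refs.add(meta["bom-ref"])
    stack = list(sbom.get("components", []))
    while stack:
        comp = stack.pop()
        if "bom-ref" in comp:
            refs.add(comp["bom-ref"])
        stack.extend(comp.get("components", []))
    return refs


def resolve_ref(ref, sbom, known_refs):
    """Map a VEX affects.ref onto a bom-ref of `sbom`, or None if it does not apply.

    A BOM-Link only resolves when its serial number and version match this SBOM;
    otherwise the statement is about a different BOM and must not be merged in.
    """
    m = BOM_LINK_RE.match(ref)
    if m:
        serial, version, bom_ref = m.groups()
        own = sbom.get("serialNumber", "")
        own = own[len("urn:uuid:"):] if own.startswith("urn:uuid:") else own
        if serial.lower() != own.lower() or int(version) != int(sbom.get("version", 1)):
            return None
        if bom_ref is None:  # link to the BOM as a whole, not to a component
            return None
        ref = bom_ref
    return ref if ref in known_refs else None


def merge_vex(sbom, vex):
    """Return (merged SBOM, list of (vuln id, ref) pairs that could not be placed)."""
    merged = copy.deepcopy(sbom)
    vulns = merged.setdefault("vulnerabilities", [])
    by_id = {v["id"]: v for v in vulns if "id" in v}
    known = component_refs(sbom)
    unresolved = []
    for stmt in vex.get("vulnerabilities", []):
        vid = stmt.get("id")
        if not vid:
            continue  # a statement without an id cannot be merged by id
        applicable = []
        for aff in stmt.get("affects", []):
            target = resolve_ref(aff.get("ref", ""), sbom, known)
            if target is None:
                unresolved.append((vid, aff.get("ref")))
            else:
                applicable.append({**aff, "ref": target})  # normalise to a bare bom-ref
        if not applicable:
            continue  # nothing in this SBOM is covered by the statement
        entry = by_id.get(vid)
        if entry is None:
            entry = {k: v for k, v in stmt.items() if k != "affects"}
            entry["affects"] = []
            vulns.append(entry)
            by_id[vid] = entry
        elif "analysis" in stmt:
            entry["analysis"] = stmt["analysis"]  # the VEX verdict supersedes the scanner's
        seen = {a["ref"] for a in entry["affects"]}
        entry["affects"].extend(a for a in applicable if a["ref"] not in seen)
    return merged, unresolved


def run_example():
    return merge_vex(json.loads(SBOM_JSON), json.loads(VEX_JSON))


if __name__ == "__main__":
    merged_bom, skipped = run_example()
    print(json.dumps(merged_bom["vulnerabilities"], indent=2))
    for vuln_id, ref in skipped:
        print(f"unresolved: {vuln_id} -> {ref}")
```

Running it folds EXAMPLE-0001 into the SBOM with its BOM-Link rewritten to the bare bom-ref, upgrades the scanner's `in_triage` entry for EXAMPLE-0002 to the VEX verdict without duplicating its `affects`, and leaves EXAMPLE-0003 (a BOM-Link to another serial number) and EXAMPLE-0004 (an unknown bom-ref) in the unresolved list instead of silently attaching them, which is the distinction an ingest tool needs to make when a standalone VEX document has no components of its own to match against.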
-
You currently support Debian and Alpine.
More and more people are looking at switching to Wolfi (Chainguard). Last month `trivy` added support for Wolfi https://github.com/aquasecurity/trivy/pull/…
-
`#SecuritySlam`
**What would you like to be cleaned**:
From [CLOMonitor](https://clomonitor.io/projects/cncf/kueue#kueue_security):
```
Token-Permissions OpenSSF Scorecard check
Score: …
```
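The Scorecard Token-Permissions check looks at whether a workflow pins the `GITHUB_TOKEN` to read-only scopes at the top level and widens them only on the job that needs more. As an added illustration, not kueue's own workflow, the first document below is a workflow with no `permissions` block (every job inherits the repository's default token scopes), and the second is the same workflow with read-only defaults and a single job-level elevation. The workflow name, job names and the `hack/publish.sh` script are placeholders.

```yaml
# Before: no top-level permissions, so every job gets the repository's default
# GITHUB_TOKEN scopes. This is what the Token-Permissions check flags.
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
---
# After: read-only token for the whole workflow; the one job that must write
# asks for exactly the scope it needs, and nothing else is widened.
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # placeholder: needed to upload release assets
    steps:
      - run: ./hack/publish.sh   # placeholder script
```

Keeping the top-level block read-only is the important part; a job that needs `packages: write` or `pull-requests: write` declares that on the job itself, so a compromised step in any other job still holds only a read-only token.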
-
This issue is a place for discussion for the blog post on Intermediate VEX (https://osv.dev/blog/posts/automating-and-scaling-vex-generation/) on the osv.dev blog.
-
### Proposal Details
### Counter Names
govulncheck/level:{symbol, package, module}
govulncheck/mode:{source, binary, extract, query, convert}
govulncheck/format:{text, json, sarif, openvex}
g…
-
When using vuln with go v1.20.14, it fails to install because `slices` is not in the standard library. The vuln docs, and go.mod, claim to be compatible with go 1.18 and later.
https://github.com/osbu…