-
### govulncheck version
```
govulncheck -version
Go: go1.22.4
Scanner: govulncheck@v1.1.2
DB: https://vuln.go.dev
DB updated: 2024-06-20 18:18:26 +0000 UTC
```
### Does this issue reproduc…
-
## Description
I would like to open a discussion regarding the file path convention for storing OpenVEX files within a Git repository. In the example of [Cilium](https://github.com/cilium/cilium/blob…
-
## WHAT
As part of #95 we have now set up `govulncheck` to run on each PR and periodically on master + stable release branches as part of `verify` jobs.
`govulncheck` has now added support for ope…
-
When a project generates a VEX feed for vulnerabilities that are not exploitable, SECURITY_INSIGHTS.yml is an ideal place to capture this information. The workaround is to add VEX statement informatio…
-
Hello,
I have a few questions and requests for clarification regarding some fields in an OpenVEX document, given the spec provided:
- What should be the `@id` field in the document’s metadata? C…
-
#4164 added a second cpe-decoding function which is basically the same as the one found in the sbom code. We should refactor things so we don't have duplicated code. Probably the best thing to do is…
-
OCI has done a fair bit of work on defining a new referrers API that is used to associate metadata like SBOMs, signatures, and VEX to container images. The key piece of data needed to look up that meta…
-
Using the publish-release action with its defaults fails when building the SBOM inventory:
```
level=info msg="Adding file . to SBOM"
level=fatal msg="generating sbom: adding to SBOM: file does n…
-
The specification is a good human readable document, but it's not machine readable.
It would be useful to have a standalone schema (for instance in JSON Schema) for the specification. This would:
…
-
In order to support exchanging information about known security vulnerabilities for a project
an _ORT_ reporter shall be implemented which creates a _VEX_ document according to the _Open VEX_ specifi…