-
Dear @scanossdev
I hope this message finds you well. From ScanOSS, we are constantly reviewing open source code and noticed the use of language that could be considered vulgar or inappropriate on on…
-
### Description
It would be very useful to generate SBOM with purl entries through [purl2cpe](https://github.com/scanoss/purl2cpe) which is licensed under MIT. My basic idea would be to fill purl e…
-
It's great that https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=577559548 exists. It'd be helpful for cross-referencing if the purls of each of these were …
-
While @pombredanne and I were reviewing the VCIO UI, it became clear that some of the data displayed in the `Fixed by packages` tab of the `Vulnerability details` page -- and thus the data in the DB -…
-
It appears we are missing an important part of the PURL spec, `type`, as can be seen below.
![image](https://github.com/SoftwareDesignLab/nvip-crawler/assets/60295839/cf2cebca-46d9-44ef-bf9e-f688e38c…
-
Both CPE and PURL are open 'standards' of sorts. On the surface, it appears that OSS Index does some internal mappings between PURL and CPE via a one-way reference. This is likely simplistic to what a…
-
SCANOSS has a GRPC Vulnerability API which supports querying by package url (PURL) and including code repository package url. This makes it a very useful provider for C/C++ projects who know which OSS…
-
There is no dedicated source of data for Maven/Java package vulnerabilities. We should ensure that we can surface that data from our other sources with proper package URLs.
-
@djschleen @juliojimenez This may be of interest to you guys: I have just launched https://public.vulnerablecode.io/
VulnerableCode is an open source vulnerability database (code at https://github.…
-
Earlier a few of our tests were failing because the cache didn't have the purl2cpe database. I expect this may also happen to users who run the test suite for the first time, and since the purl2cpe da…