Open prabhu opened 1 month ago
Agreed that this is an issue. I've seen this a lot from smaller startups and open source projects, both of which typically do not have their own data science teams. These teams usually take the mess that is CPE and target the CVEs more accurately than what CPE can natively do. This is especially common with tools that scan libraries and container images.
The approach taken by these tools is essentially "spray and pray". If you cast a wide enough net, you're bound to catch something. But as you say, these are generally pulled from thin air, or in some cases, are designed as a workaround to the data issues present in the NVD.
While this would be a breaking change, I think one approach we can take in the meantime is to work with the offending tool authors and have them voluntarily add this data.
We are seeing SBOM tools that are making up CPE and purl identifiers without offering evidence for identity. This is causing frustration, delays, and a lack of trust in the tool and the process. Making the identity mandatory could help filter components with low-confidence detection techniques.