OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction: SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX.
Often, there is no 1:1 match between a `component.purl` and a `vulnerability.affects.ref`. Different tools use different techniques to generate aliases to attempt to match a given component (group + name + version) against a vulnerability (group + name + version ranges).
By explicitly specifying an `affects.matched_by`, the alias(es) that resulted in the match could be shared with the consumer tools (see https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_affects_items_ref).
Example: assume the purl of a package is `pkg:npm/foo/bar@1.0.0`. The vulnerability database has the entry `foo_project : bar-library : <2.0.0`.
`affects.matched_by` would be `["foo_project : bar-library : <2.0.0"]` to inform the consumer tools that the result was obtained with a fuzzy match (by creating variations of the group and name attributes). Without this attribute, the tools currently assume that every single vulnerability was obtained with a precise purl-based match, which need not be the case.
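The matching flow the proposal describes, as an added Python example that is not code from the issue or from the CycloneDX project: a producer tries alias variations of the purl's namespace and name against a constructed database, records the alias that hit in the proposed `matched_by` field (field name, alias heuristics, the simplified purl parsing and the CVE id are all assumptions or placeholders), and a consumer can then tell a fuzzy hit from a precise purl match.

```python
# Constructed vulnerability database; CVE id is a placeholder. Entries are either
# an exact purl or a "group : name : range" string, as in the issue's example.
VULN_DB = {"CVE-YYYY-NNNN": ["foo_project : bar-library : <2.0.0"]}

def parse_purl(purl):
    """pkg:npm/foo/bar@1.0.0 -> (type, namespace or None, name, version)."""
    path, version = purl.split(":", 1)[1].rsplit("@", 1)
    parts = path.split("/")
    namespace = parts[1] if len(parts) == 3 else None
    return parts[0], namespace, parts[-1], version

def aliases(token):
    """Assumed alias heuristics a scanner might try for a group or a name."""
    base = (token or "").lower()
    out = {base, base.replace("-", "_"), base.replace("_", "-")}
    for suffix in ("_project", "-project", "_library", "-library"):
        out.add(base + suffix)
    return out

def in_range(version, spec):
    """Only the '<X.Y.Z' range form used in the issue is handled here."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return spec.startswith("<") and as_tuple(version) < as_tuple(spec[1:])

def match(purl, entries):
    """Return the database entry (exact purl or alias) that matched, else None."""
    _, namespace, name, version = parse_purl(purl)
    for entry in entries:
        if entry.startswith("pkg:"):  # a precise purl match needs no alias
            if entry == purl:
                return entry
            continue
        group, ename, rng = (p.strip() for p in entry.split(":"))
        if group in aliases(namespace) and ename in aliases(name) and in_range(version, rng):
            return entry
    return None

def affects_item(purl, bom_ref, entries):
    """vulnerability.affects[] item; matched_by (proposed field) only on fuzzy hits."""
    hit = match(purl, entries)
    if hit is None:
        return None
    item = {"ref": bom_ref}
    if hit != purl:
        item["matched_by"] = [hit]
    return item

def is_fuzzy(item):
    """Consumer-side check: without matched_by the match is assumed precise."""
    return "matched_by" in item
```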