DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Possibility to add own Vulnerability Databases #1322

Closed italvi closed 2 years ago

italvi commented 2 years ago

Current Behavior:

NVD and VulnDB are implemented as databases for vulnerabilities. Manual vulnerabilities can be added via the API, but only for a component in one project (as both a component ID and a project ID are required) and not for a component in general.

Proposed Behavior:

It should be possible to include one's own integrations of vulnerability databases to enrich the internal database and assign the vulnerabilities via PURL and CPE to a component in general.

stevespringett commented 2 years ago

Duplicate of #96

italvi commented 2 years ago

So I am forced to downgrade to an earlier version and then include vulnerabilities there only manually? Using the REST API does not work. The vulnerability gets created, but even though I provide a purl and cpe in the "vulnerableSoftware" field, it will not get mapped to a component having that purl/cpe.
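The two comments above describe the matching the reporter wants: a vulnerability record that names affected software by purl coordinates (with a version range) or by a CPE 2.3 string, and a component that is flagged whenever its own purl or CPE falls inside such a record, independent of which project it sits in. The script below is an added example written for this thread, not code from Dependency-Track and not a description of how its analyzer works. The record fields (purl type/namespace/name, version, versionStart*/versionEnd* bounds, cpe23) are an assumption modelled loosely on the shape of a `vulnerableSoftware` entry; the vulnerability IDs and components are constructed sample data, not real advisories.

```python
"""Added example: match components to vulnerability records by purl version
range or CPE 2.3. Illustrative code for this thread only, not Dependency-Track's
own analyzer; the record shape below is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass
class VulnerableSoftware:
    """One affected-software entry of a vulnerability (assumed shape)."""
    purl_type: Optional[str] = None
    purl_namespace: Optional[str] = None
    purl_name: Optional[str] = None
    version: Optional[str] = None               # exact version, or None for a range
    version_start_including: Optional[str] = None
    version_start_excluding: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None
    cpe23: Optional[str] = None                 # CPE 2.3 string, '*' = any value


@dataclass
class Vulnerability:
    vuln_id: str
    source: str                                 # e.g. "INTERNAL" for an own database
    vulnerable_software: list


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest = purl[4:].split("#", 1)[0].split("?", 1)[0].lstrip("/")
    path, _, version = rest.partition("@")
    segments = [unquote(s) for s in path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("purl needs at least a type and a name: %r" % purl)
    return {"type": segments[0].lower(),
            "namespace": "/".join(segments[1:-1]) or None,
            "name": segments[-1],
            "version": unquote(version) or None}


def version_key(v: str) -> tuple:
    """Sortable key: numeric runs compare as ints, alphabetic runs (beta, rc)
    sort before a following numeric part, so 2.0-beta9 < 2.0 < 2.0.1."""
    parts = [(1, int(t)) if t.isdigit() else (0, t.lower())
             for t in re.findall(r"\d+|[A-Za-z]+", v)]
    return tuple(parts) + ((1, -1),)            # sentinel: 2.0 < 2.0.1


def purl_matches(vs: VulnerableSoftware, p: dict) -> bool:
    """True if purl p has the record's coordinates and lies in its version range."""
    if vs.purl_type is None or vs.purl_name is None:
        return False
    if (vs.purl_type.lower(), vs.purl_namespace, vs.purl_name) != \
            (p["type"], p["namespace"], p["name"]):
        return False
    if p["version"] is None:
        return False                            # no version, no range decision
    k = version_key(p["version"])
    if vs.version is not None:
        return k == version_key(vs.version)
    if vs.version_start_including and k < version_key(vs.version_start_including):
        return False
    if vs.version_start_excluding and k <= version_key(vs.version_start_excluding):
        return False
    if vs.version_end_including and k > version_key(vs.version_end_including):
        return False
    if vs.version_end_excluding and k >= version_key(vs.version_end_excluding):
        return False
    return True                                 # no bounds at all = every version


def cpe_matches(pattern: str, cpe: str) -> bool:
    """Field-wise CPE 2.3 comparison (13 colon-separated fields). '*' is a
    wildcard only on the record side, so an unknown component version does
    not match a versioned record. Escaped colons in values are not handled."""
    pf, cf = pattern.split(":"), cpe.split(":")
    if len(pf) != 13 or len(cf) != 13 or pf[:2] != ["cpe", "2.3"] or cf[:2] != ["cpe", "2.3"]:
        return False
    return all(a == "*" or a.lower() == b.lower() for a, b in zip(pf[2:], cf[2:]))


def find_vulnerabilities(component: dict, vulns: list) -> list:
    """IDs of vulnerabilities whose entries match the component's purl or cpe."""
    purl = parse_purl(component["purl"]) if component.get("purl") else None
    cpe = component.get("cpe")
    hits = []
    for vuln in vulns:
        for vs in vuln.vulnerable_software:
            if (purl and purl_matches(vs, purl)) or \
                    (cpe and vs.cpe23 and cpe_matches(vs.cpe23, cpe)):
                hits.append(vuln.vuln_id)
                break
    return hits


# Constructed sample data for this example; not real advisories or packages.
INTERNAL_VULNS = [
    Vulnerability("INT-2022-0001", "INTERNAL", [VulnerableSoftware(
        purl_type="maven", purl_namespace="com.example", purl_name="widget",
        version_start_including="2.0", version_end_excluding="2.15.0")]),
    Vulnerability("INT-2022-0002", "INTERNAL", [VulnerableSoftware(
        purl_type="npm", purl_name="leftpad-ish", version="1.3.0")]),
    Vulnerability("INT-2022-0003", "INTERNAL", [VulnerableSoftware(
        cpe23="cpe:2.3:a:example:widget:2.14.1:*:*:*:*:*:*:*")]),
]
COMPONENTS = [
    {"purl": "pkg:maven/com.example/widget@2.14.1"},
    {"purl": "pkg:maven/com.example/widget@2.15.0"},
    {"purl": "pkg:maven/com.example/widget@2.0-beta9"},
    {"purl": "pkg:npm/leftpad-ish@1.3.0"},
    {"cpe": "cpe:2.3:a:example:widget:2.14.1:*:*:*:*:*:*:*"},
]


def scan(components=COMPONENTS, vulns=INTERNAL_VULNS) -> dict:
    """Map each component identifier to the vulnerability IDs that apply."""
    return {c.get("purl") or c["cpe"]: find_vulnerabilities(c, vulns) for c in components}


if __name__ == "__main__":
    for ident, ids in scan().items():
        print(f"{ident}: {ids or 'no match'}")
```

The two edge cases worth noting are the ones that bite in practice: `2.15.0` is excluded because the upper bound is exclusive, and `2.0-beta9` sorts below the inclusive lower bound `2.0`, so a naive string comparison would have produced the opposite answer in both cases. Real CPE matching also has to handle escaped characters and the `-` (not applicable) value, which this simplified version does not.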

stevespringett commented 2 years ago

It's not complete yet - still beta. There's still a lot of work to do to get the feature properly added.

italvi commented 2 years ago

Too bad, we have a very large database with vulnerabilities from many different sources and therefore need a way to automatically add vulnerabilities depending on their PURL and CPE. I thought it would be possible with the REST API. Unfortunately, we have to look for an alternative now which meets these requirements. Thanks for the great effort you put into dependency-track. It really looked promising and I was looking forward to using it.

github-actions[bot] commented 2 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.