DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.55k stars 543 forks

New Repositories are required: Github and Sourceforge #1840

Open JN-CSIRT opened 2 years ago

JN-CSIRT commented 2 years ago

Many of the FOSS software components we are using for our internal services are hosted on GitHub and SourceForge repositories. In accordance with standards, we have to look for ALL known vulnerabilities.

Current Behavior:

To look for CVE vulnerabilities in FOSS on GitHub and SourceForge, we mostly use registered/available CPE strings. But many FOSS projects there may not have a registered CPE and may have a GHSA only.

Java, Python, etc. applications and libraries are hosted on repositories like Maven, PyPI, etc. These repositories are available in the DT and Sonatype OSS ecosystems.

But the apps and libraries we are using are written in C/C++ and are hosted mostly on GitHub and SourceForge repositories. Unfortunately, GitHub and SourceForge repositories are not present in the ecosystems, so we are currently limited to using CPEs and CVEs.

Proposed Behavior:

It is necessary to add GitHub and SourceForge as repositories in order to look for GHSAs and to check whether components' PURLs are current:
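The gap described above, as an added example that is not part of the original issue and is not Dependency-Track's code: a toy matcher that compares CPE-only lookup with CPE plus PURL lookup. The components, advisories, version ranges and IDs (`GHSA-example-0001`, `CVE-example-0001`, `CVE-example-0002`, `example-org/libfoo`, `example-org/libbar`) are constructed placeholders; only the `pkg:github/<owner>/<repo>@<version>` PURL shape and the lowercasing of owner and repository name come from the purl specification.

```python
# Added example (not Dependency-Track's code): a toy matcher showing why a
# CPE-only lookup misses GitHub-hosted components whose only advisory is a GHSA,
# and why a PURL-only lookup would in turn miss a CPE-only CVE.  Every
# component, advisory and ID below is a constructed placeholder.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str                    # package URL, e.g. pkg:github/owner/repo@1.4.0
    cpe: Optional[str] = None    # None when the project has no registered CPE


@dataclass(frozen=True)
class Advisory:
    advisory_id: str               # placeholder CVE-/GHSA-style ID
    purl_prefix: Optional[str]     # package identity without a version, or None
    cpe_product: Optional[str]     # "vendor:product" taken from the CPE, or None
    introduced: str                # first affected version (inclusive)
    fixed: str                     # first fixed version (exclusive)


def github_purl(owner: str, repo: str, version: str) -> str:
    """Build a pkg:github PURL; the purl spec lowercases namespace and name."""
    return f"pkg:github/{owner.lower()}/{repo.lower()}@{version}"


def purl_without_version(purl: str) -> str:
    return purl.split("@", 1)[0]


def cpe_vendor_product(cpe: str) -> str:
    """cpe:2.3:a:vendor:product:version:... -> 'vendor:product'."""
    parts = cpe.split(":")
    return f"{parts[3]}:{parts[4]}"


def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted numeric versions only; a non-numeric part is treated as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def matches_by_cpe(c: Component, a: Advisory) -> bool:
    if c.cpe is None or a.cpe_product is None:
        return False          # no CPE on one side: nothing to compare
    return cpe_vendor_product(c.cpe) == a.cpe_product and in_range(
        c.version, a.introduced, a.fixed)


def matches_by_purl(c: Component, a: Advisory) -> bool:
    if a.purl_prefix is None:
        return False          # advisory carries no package identity
    return purl_without_version(c.purl) == a.purl_prefix and in_range(
        c.version, a.introduced, a.fixed)


def find_vulnerabilities(c: Component, advisories: List[Advisory],
                         use_purl: bool) -> List[str]:
    """Sorted IDs of advisories affecting c; use_purl=False is CPE-only lookup."""
    hits = {a.advisory_id for a in advisories
            if matches_by_cpe(c, a) or (use_purl and matches_by_purl(c, a))}
    return sorted(hits)


# Constructed inventory: libfoo has no CPE at all, libbar has one.
LIBFOO = Component("libfoo", "1.4.0", github_purl("Example-Org", "libfoo", "1.4.0"))
LIBBAR = Component("libbar", "2.0.1", github_purl("Example-Org", "libbar", "2.0.1"),
                   cpe="cpe:2.3:a:example-org:libbar:2.0.1:*:*:*:*:*:*:*")

# Constructed advisories: one GHSA-only, one with both identifiers, one CPE-only.
ADVISORIES = [
    Advisory("GHSA-example-0001", "pkg:github/example-org/libfoo", None, "1.0.0", "1.5.0"),
    Advisory("CVE-example-0001", "pkg:github/example-org/libbar", "example-org:libbar", "1.0.0", "2.0.0"),
    Advisory("CVE-example-0002", None, "example-org:libbar", "2.0.0", "2.1.0"),
]

if __name__ == "__main__":
    for comp in (LIBFOO, LIBBAR):
        print(comp.name,
              "CPE only:", find_vulnerabilities(comp, ADVISORIES, use_purl=False),
              "CPE+PURL:", find_vulnerabilities(comp, ADVISORIES, use_purl=True))
```

With `use_purl=False` the GitHub-only component `libfoo` reports nothing, because neither it nor its GHSA-style advisory has a CPE; enabling the PURL path finds it. The CPE-only `CVE-example-0002` on `libbar` is found in both modes, which is why the two identifiers complement rather than replace each other.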

msymons commented 1 year ago

@JN-CSIRT, this issue does seem to duplicate #1825, or at least the GitHub part. Can you please add a comment explaining why it is not a duplicate? Or, if it is, perhaps just update the summary and description here so that it covers only SourceForge. That way we can track GitHub and SourceForge repository support separately.