DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Fetch SLES Linux security patching information #3446

Open ghost opened 9 months ago

ghost commented 9 months ago

Current Behavior

Some of our products are based on SLES Linux (SUSE Linux Enterprise Server) and we have tried to use DependencyTrack for creating the SBOM and vulnerability analysis. However, we have noticed that these tools do not consider the SLES security patches, thus reporting false positive vulnerabilities that have already been fixed by SLES security patches.

Proposed Behavior

Introduce support for fetching SLES Linux security patching information into DependencyTrack.

nscuro commented 9 months ago

Although not a 100% solution, I think the Trivy analyzer support (https://github.com/DependencyTrack/dependency-track/issues/3251) may help here.