Open nscuro opened 1 month ago
Current Behavior
Currently, vulnerability sources are identified based on the Vulnerability.Source enum.
Proposed Behavior
It would be better to use official CNA names instead, where applicable:
https://www.cve.org/PartnerInformation/ListofPartners
As identified in https://github.com/DependencyTrack/hyades/issues/1295, GITHUB should ideally be either GitHub_P or GitHub_M.
Needs more research and clarification. The CNA partner list does not include the sources clearly, and the hardcoded list in the script is missing some of the names like ossindex, retire.js, npm, etc.