DependencyTrack / hyades

Incubating project for decoupling responsibilities from Dependency-Track's monolithic API server into separate, scalable services.
https://dependencytrack.github.io/hyades/latest
Apache License 2.0

Use official CNA names to identify vulnerability sources #1297

Open nscuro opened 1 month ago

nscuro commented 1 month ago

Current Behavior

Currently, vulnerability sources are identified based on the Vulnerability.Source enum.

Proposed Behavior

It would be better to use official CNA names instead, where applicable:

https://www.cve.org/PartnerInformation/ListofPartners

As identified in https://github.com/DependencyTrack/hyades/issues/1295, GITHUB should ideally be either GitHub_P or GitHub_M.

sahibamittal commented 2 weeks ago

Needs more research and clarification. The CNA partner list does not include the sources clearly, and the hardcoded list in the script is missing some of the names, like ossindex, retire.js, npm, etc.
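One way to make the gap the previous comment describes concrete is to reconcile the source names mechanically against the CNA short names and report which map cleanly, which are ambiguous (GITHUB could be GitHub_M or GitHub_P), and which have no CNA counterpart at all (ossindex, retire.js, npm). The script below is an added example and is not code from the hyades project; the source-name list and the partner records are constructed sample data, not the real Vulnerability.Source enum or a download of the cve.org partner list, and the partner JSON field names (`shortName`, `organizationName`) are assumed.

```python
"""Reconcile vulnerability source names with CNA short names (added example)."""
import json
import re

# Constructed sample of source names, modelled loosely on Dependency-Track's
# Vulnerability.Source enum. This is an assumption, not the project's enum.
DT_SOURCES = ["NVD", "GITHUB", "SNYK", "OSSINDEX", "RETIREJS", "NPM", "OSV", "INTERNAL"]

# Constructed sample in the shape of a CNA partner list. Field names are
# assumed; only a handful of records are included so the example runs offline.
CNA_PARTNERS_JSON = """[
  {"shortName": "GitHub_M", "organizationName": "GitHub, Inc."},
  {"shortName": "GitHub_P", "organizationName": "GitHub, Inc."},
  {"shortName": "snyk",     "organizationName": "Snyk"},
  {"shortName": "mitre",    "organizationName": "MITRE Corporation"},
  {"shortName": "Google",   "organizationName": "Google Inc."}
]"""

# Only consider prefix matches for names at least this long, so that a short
# source name does not accidentally "match" every CNA whose name starts with it.
MIN_PREFIX_LEN = 3


def normalize(name: str) -> str:
    """Lower-case and strip non-alphanumerics so GitHub_M and GITHUB compare on 'github'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def reconcile(source_names, partners):
    """Classify each source name as matched, ambiguous, or unmatched.

    matched:   exactly one CNA short name equals (after normalization) or extends
               the source name, e.g. SNYK -> snyk
    ambiguous: several CNA short names extend the source name, e.g.
               GITHUB -> [GitHub_M, GitHub_P]; a human must pick one
    unmatched: no CNA short name relates to the source name at all, e.g. OSSINDEX
    """
    by_norm = {}
    for p in partners:
        by_norm.setdefault(normalize(p["shortName"]), []).append(p["shortName"])

    result = {"matched": {}, "ambiguous": {}, "unmatched": []}
    for src in source_names:
        n = normalize(src)
        exact = by_norm.get(n, [])
        if len(exact) == 1:
            result["matched"][src] = exact[0]
            continue
        candidates = []
        if len(n) >= MIN_PREFIX_LEN:
            candidates = sorted(
                short for key, shorts in by_norm.items()
                if key.startswith(n) for short in shorts
            )
        if len(candidates) == 1:
            result["matched"][src] = candidates[0]
        elif candidates:
            result["ambiguous"][src] = candidates
        else:
            result["unmatched"].append(src)
    return result


def report(source_names=DT_SOURCES, partners_json=CNA_PARTNERS_JSON):
    """Run the reconciliation on the constructed sample and return the result."""
    return reconcile(source_names, json.loads(partners_json))


if __name__ == "__main__":
    r = report()
    for src, cna in r["matched"].items():
        print(f"{src:10} -> {cna}")
    for src, cnas in r["ambiguous"].items():
        print(f"{src:10} -> AMBIGUOUS {cnas}")
    for src in r["unmatched"]:
        print(f"{src:10} -> no CNA short name")
```

The ambiguous and unmatched buckets are the ones that need the research the comment asks for: an ambiguous name needs a deliberate choice (which GitHub CNA actually publishes the advisories Dependency-Track ingests), and an unmatched name means the source is not a CNA at all and needs its own identifier rather than a forced CNA name. Note that normalized prefix matching is deliberately loose; it is a triage aid, not a mapping to ship.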