Open flemminglau opened 1 year ago
I strongly believe that a CVE that has been rejected should NOT be removed from OSS Index... but the system needs to support reflecting that the CVE has been rejected. And that might mean that additions to the API are needed.
Keeping the CVE but providing such status information allows downstream consumers to maintain accurate audit trails... and for their consumers to do the same. I.e., there is an impact on VEX, etc. And this might have regulatory compliance angles (e.g., if/when the CRA comes into effect in the European Union).
Basically, it is important that an advisory should not just "poof" from the system.
Oh, and on a side note... OSS Index data should also be able to reflect that a CVE is disputed.
Hi!
The majority of these have been removed from OSS Index. I have raised an internal ticket on the ones that do not appear to have been dealt with yet.
I have been working on our roadmap for this year, and I do like the suggestion about tracking issues that have been removed from NVD. I am adding the story to our board, though I cannot be certain when this change will happen.
For the record, we are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users.
As such, if you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org
CVE-2022-40154 CVE-2022-40155 CVE-2022-40156 CVE-2022-41852 CVE-2022-40157 CVE-2022-40158 CVE-2022-40161 CVE-2022-41946