OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Consider Open Sourcing PURL -> CPE Mapping #53

Open stevespringett opened 4 years ago

stevespringett commented 4 years ago

Both CPE and PURL are open 'standards' of sorts. On the surface, it appears that OSS Index does some internal mappings between PURL and CPE via a one-way reference. This is likely a simplistic view of what actually occurs; however, the spirit of this request is to be more transparent about what those mappings are. Ideally, the mapping between two open standards should itself be open.

Currently, a whack-a-mole approach is used in spotting false negatives and positives. This usually occurs when an adopter of PURL and OSS Index identifies vulnerabilities that are not showing up in OSS Index but should be. This reactive approach isn't ideal. By publishing a mapping, the community would be able to collectively analyze the gaps and proactively create PRs that would correct any issues.

This enhancement request is NOT suggesting that OSS Index open source CVE corrections or vulnerabilities not found in the NVD. That information is proprietary. However, publishing mappings and allowing the community to collectively make them better may be highly beneficial.

ken-duck commented 4 years ago

Thanks for the suggestion. I am discussing the idea internally with folks.

ken-duck commented 4 years ago

The internal conversation is progressing.

lightoyou commented 4 years ago

At which step is the conversation?

elanzini commented 4 years ago

Is there any update on this?

elanzini commented 4 years ago

If possible, it would also be of even greater value for the community to open source the mapping between CVEs and purls. I believe this information would be more precise compared to CPEs -> purls, where a single CPE can include different purls, especially in OSS.
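As an added illustration (not OSS Index code, and not from any commenter in this thread) of the one-way purl -> CPE lookup the issue describes and of the one-CPE-to-many-purls case raised in the comment above, using a constructed mapping table with made-up vendor and product names; the gap finder shows how a published table lets adopters spot candidate false negatives:

```python
"""Toy PURL <-> CPE mapping lookup (added example; constructed data only)."""
import re

# Regex for the purl grammar: pkg:type/namespace/name@version?qualifiers#subpath
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/"      # package type (maven, npm, golang, ...)
    r"(?:(?P<namespace>[^@?#]+)/)?"      # optional namespace (may itself contain '/')
    r"(?P<name>[^/@?#]+)"                # package name
    r"(?:@(?P<version>[^?#]+))?"         # optional version
    r"(?:\?[^#]*)?(?:#.*)?$"             # qualifiers / subpath (ignored here)
)

# Constructed, version-less mapping table with made-up vendors and products.
# Two purls share one CPE, mirroring the many-to-one case raised in the thread.
PURL_TO_CPE = {
    "pkg:maven/com.example/widget-core": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
    "pkg:maven/com.example/widget-api": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
    "pkg:npm/leftpad-ng": "cpe:2.3:a:leftpad_ng_project:leftpad_ng:*:*:*:*:*:*:*:*",
}


def parse_purl(purl):
    """Split a purl into type, namespace, name and version (None when absent)."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a valid purl: {purl}")
    return m.groupdict()


def purl_key(purl):
    """Strip version and qualifiers so the purl can be used as a mapping key."""
    p = parse_purl(purl)
    ns = f"{p['namespace']}/" if p["namespace"] else ""
    return f"pkg:{p['type']}/{ns}{p['name']}"


def cpe_for_purl(purl, mapping=PURL_TO_CPE):
    """One-way purl -> CPE lookup; the purl version fills the CPE version field."""
    cpe = mapping.get(purl_key(purl))
    version = parse_purl(purl)["version"]
    if cpe is None or not version:
        return cpe
    parts = cpe.split(":")
    parts[5] = version          # cpe:2.3:part:vendor:product:VERSION:update:...
    return ":".join(parts)


def purls_for_cpe(cpe, mapping=PURL_TO_CPE):
    """Inverse lookup: every purl a single CPE covers (the many-to-one case)."""
    return sorted(k for k, v in mapping.items() if v == cpe)


def unmapped_purls(purls, mapping=PURL_TO_CPE):
    """Purls with no CPE entry: candidate false negatives, i.e. gaps to file as PRs."""
    return [p for p in purls if purl_key(p) not in mapping]
```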

juliancoccia commented 1 year ago

We have just posted this dataset (CPE <-> PURL) here: https://github.com/scanoss/purl2cpe