What would you like to be added:
Consider enabling the dotnet-deps-cataloger by default for images and show the relationship to artifacts discovered by the dotnet-portable-executable-cataloger. This is important because the portable executable metadata often doesn't contain enough information to understand which actual nuget package a portable executable belongs to, and currently the vulnerability data is only available for the nuget package name and version.
Why is this needed:
To properly match to potential vulnerabilities using grype. https://github.com/anchore/grype/issues/1693 is a specific example which demonstrates the current issues with solely relying on the data from the dotnet-portable-executable-cataloger for image scans
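As an added illustration (not syft's or grype's code) of the relationship this request asks for: a `.deps.json` records which runtime assembly files each NuGet package ships, so PE files found on disk can be joined back to a package name and version. The sample `.deps.json` and the PE paths below are constructed; the matching is by assembly file name, which is an assumption about how such a link could be drawn.

```python
"""Added example: correlate PE files with NuGet packages via a .deps.json."""
import json
import posixpath

# Constructed sample .deps.json, shaped like the real format (targets + libraries).
SAMPLE_DEPS_JSON = json.dumps({
    "targets": {
        ".NETCoreApp,Version=v8.0": {
            "MyApp/1.0.0": {
                "dependencies": {"Newtonsoft.Json": "13.0.3"},
                "runtime": {"MyApp.dll": {}},
            },
            "Newtonsoft.Json/13.0.3": {
                "runtime": {"lib/net6.0/Newtonsoft.Json.dll": {"assemblyVersion": "13.0.0.0"}},
            },
        }
    },
    "libraries": {
        "MyApp/1.0.0": {"type": "project"},
        "Newtonsoft.Json/13.0.3": {"type": "package"},
    },
})


def index_deps_json(text):
    """Map each runtime assembly file name to (package name, version, library type)."""
    doc = json.loads(text)
    index = {}
    for target in doc.get("targets", {}).values():
        for key, entry in target.items():
            name, _, version = key.partition("/")  # keys look like "Name/Version"
            libtype = doc.get("libraries", {}).get(key, {}).get("type", "unknown")
            for path in entry.get("runtime", {}):
                index[posixpath.basename(path).lower()] = (name, version, libtype)
    return index


def correlate(pe_paths, deps_index):
    """Return {pe_path: (package, version, type)} or None when no package claims the file."""
    return {p: deps_index.get(posixpath.basename(p).lower()) for p in pe_paths}


if __name__ == "__main__":
    idx = index_deps_json(SAMPLE_DEPS_JSON)
    # Constructed paths standing in for what a PE cataloger would find in an image.
    for pe, pkg in correlate(["/app/Newtonsoft.Json.dll", "/app/System.Text.Json.dll"], idx).items():
        print(pe, "->", pkg)
```

A PE that maps to no entry (here `System.Text.Json.dll`) is exactly the case where only the PE metadata is available and a package-level vulnerability match cannot be made.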
I know this came up before -- but if this is logically one package should we attempt to portray that on one package instead of associating two packages?