Script that generates a CSV report with matched CPE data (from NVD) for all BOM components in a given Project Version
in Black Duck. The script uses the CVE records attached to BOM components and calls NVD's CVE API to fetch the matching
CPE strings. If a given component-version in the BOM has no vulnerability record, it looks at other, older versions of
the component (ordered by release date, ascending) to see whether any of them have vulnerabilities, looping through each
version until it finds one that has a CVE record and for which NVD returns a CPE match. By default the script loops
through at most 50 older versions per component; this limit is adjustable with the --other-comp-version-count argument
if you want to reduce or expand the search base (a larger limit can yield more CPE matches). Because of this fallback
search, the script takes considerably longer to execute.
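The fallback search described above, as an added example that is not the project's script: it runs the same CVE-to-CPE matching and older-version loop over constructed in-memory data (hypothetical component names, CVE ids and CPE strings) instead of calling the Black Duck and NVD APIs, so it works offline. The `nvd_lookup` callable stands in for the NVD CVE API call, `SAMPLE_OTHER_VERSIONS` stands in for the component's other versions fetched from Black Duck, and `limit` plays the role of --other-comp-version-count. The report records which version produced each match, so a reader can tell when a CPE was inferred from an older release rather than from the BOM version itself.

```python
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ComponentVersion:
    component: str
    version: str
    released: str               # ISO date string; used to order older versions
    cves: Tuple[str, ...] = ()  # CVE ids Black Duck attaches to this version (empty = no record)

# Constructed sample data for the example; these are not real Black Duck or NVD records.
SAMPLE_BOM: List[ComponentVersion] = [
    ComponentVersion("libfoo", "3.0.0", "2021-03-01"),                     # no vulnerability record
    ComponentVersion("libbar", "2.1.0", "2020-06-15", ("CVE-0000-0003",)),  # direct CVE record
    ComponentVersion("libbaz", "0.9.0", "2019-01-01"),                     # no record, no older versions
]
SAMPLE_OTHER_VERSIONS: Dict[str, List[ComponentVersion]] = {
    "libfoo": [
        ComponentVersion("libfoo", "2.0.0", "2019-05-01", ("CVE-0000-0002",)),  # CVE with a CPE match
        ComponentVersion("libfoo", "1.0.0", "2018-02-01", ("CVE-0000-0001",)),  # CVE but no CPE in NVD
        ComponentVersion("libfoo", "1.5.0", "2018-08-01"),                     # no CVE record: skipped
        ComponentVersion("libfoo", "4.0.0", "2022-01-01", ("CVE-0000-0004",)),  # newer than BOM version: ignored
    ],
}
SAMPLE_NVD: Dict[str, List[str]] = {
    "CVE-0000-0001": [],
    "CVE-0000-0002": ["cpe:2.3:a:example:libfoo:2.0.0:*:*:*:*:*:*:*"],
    "CVE-0000-0003": ["cpe:2.3:a:example:libbar:2.1.0:*:*:*:*:*:*:*"],
    "CVE-0000-0004": ["cpe:2.3:a:example:libfoo:4.0.0:*:*:*:*:*:*:*"],
}

NvdLookup = Callable[[str], List[str]]

def sample_nvd_lookup(cve_id: str) -> List[str]:
    """Stand-in for the NVD CVE API: returns the CPE strings matched to a CVE."""
    return SAMPLE_NVD.get(cve_id, [])

def cpes_for_version(cv: ComponentVersion, nvd_lookup: NvdLookup) -> List[Tuple[str, str]]:
    """(cve, cpe) pairs NVD reports for every CVE attached to one component-version."""
    return [(cve, cpe) for cve in cv.cves for cpe in nvd_lookup(cve)]

def find_cpe_match(entry: ComponentVersion, other_versions: Dict[str, List[ComponentVersion]],
                   nvd_lookup: NvdLookup, limit: int = 50
                   ) -> Tuple[Optional[str], List[Tuple[str, str]], int]:
    """Try the BOM version itself first. If it yields no CPE, walk the component's
    older versions by release date ascending, looping through at most `limit` of
    them, until one has a CVE record for which NVD returns a CPE.
    Returns (version that matched or None, (cve, cpe) pairs, older versions checked)."""
    direct = cpes_for_version(entry, nvd_lookup)
    if direct:
        return entry.version, direct, 0
    older = sorted(
        (v for v in other_versions.get(entry.component, []) if v.released < entry.released),
        key=lambda v: v.released,
    )
    checked = 0
    for candidate in older[:limit]:
        checked += 1
        if not candidate.cves:
            continue  # no vulnerability record in Black Duck: nothing to ask NVD about
        pairs = cpes_for_version(candidate, nvd_lookup)
        if pairs:
            return candidate.version, pairs, checked
        # CVE record exists but NVD returned no CPE configuration: keep looping
    return None, [], checked

FIELDS = ["component", "bom_version", "matched_version", "cve", "cpe"]

def build_report(bom: List[ComponentVersion], other_versions: Dict[str, List[ComponentVersion]],
                 nvd_lookup: NvdLookup, limit: int = 50) -> List[Dict[str, str]]:
    """One row per (component, cve, cpe); components with no match get a single empty row."""
    rows = []
    for entry in bom:
        matched, pairs, _ = find_cpe_match(entry, other_versions, nvd_lookup, limit)
        if not pairs:
            rows.append(dict(component=entry.component, bom_version=entry.version,
                             matched_version="", cve="", cpe=""))
        for cve, cpe in pairs:
            rows.append(dict(component=entry.component, bom_version=entry.version,
                             matched_version=matched or "", cve=cve, cpe=cpe))
    return rows

def report_csv(rows: List[Dict[str, str]]) -> str:
    """Render the rows as CSV text (the real script writes this to a file)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(report_csv(build_report(SAMPLE_BOM, SAMPLE_OTHER_VERSIONS, sample_nvd_lookup)))
```

With the sample data, libfoo 3.0.0 has no CVE record, so the loop checks 1.0.0 (CVE but no CPE), 1.5.0 (no record) and then 2.0.0, which matches; lowering `limit` to 2 cuts the search off before the match, which is the trade-off --other-comp-version-count controls. Versions released after the BOM version are never consulted.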