blackducksoftware / hub-rest-api-python

HUB REST API Python bindings
Apache License 2.0

New updated program to generate cpe report from a project-version bom #209

Closed varunkpedapati closed 2 years ago

varunkpedapati commented 2 years ago

Script that generates a CSV report with matched CPE data (from NVD) for all BOM components in a given Project Version in Black Duck. The script leverages CVE records for BOM components and calls NVD's CVE API to fetch matched CPE strings. If a given component-version in a BOM does not have a vulnerability record, then it looks for other older versions (based on release date in ascending order) of the component to see if they have any vulnerabilities. Then it loops through each version until it stumbles upon a component-version that has a CVE record and that returns a CPE match from NVD. Currently, the script has a default search limit of 50 for other older versions of components to loop through, but it's customizable using an argument (--other-comp-version-count) if you would like to either reduce or expand the search base and get more CPE matches. As such, the script would now take considerably longer to execute.
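The fallback search described in this PR, as an added example (not the PR's script and not code from the hub-rest-api-python project): the BOM version is checked first, then older versions of the component are walked in ascending release-date order up to a configurable limit, and the first CPE matches found are written to CSV. The Black Duck version data, the CVE ids and the NVD responses are constructed stand-ins; the NVD CVE API 2.0 response shape (`vulnerabilities[].cve.configurations[].nodes[].cpeMatch[].criteria`) is assumed, and a real client would replace `fetch_nvd_cves` with an HTTP call to that API.

```python
import csv
import io
from datetime import date

# Constructed sample (not real Black Duck data): one component, its versions with
# release dates, and the CVE ids Black Duck would report for each version.
COMPONENT_VERSIONS = {
    "example-lib": [
        {"version": "3.0.0", "released": date(2023, 1, 10), "cves": []},
        {"version": "2.1.0", "released": date(2022, 6, 1), "cves": []},
        {"version": "2.0.0", "released": date(2021, 3, 15), "cves": ["CVE-0000-0001"]},
        {"version": "1.0.0", "released": date(2020, 1, 1), "cves": ["CVE-0000-0002"]},
    ],
}

# Constructed stand-in for NVD CVE API 2.0 responses keyed by CVE id (placeholder ids).
# The nested shape is an assumption about the NVD 2.0 JSON, not taken from the PR.
FAKE_NVD = {
    "CVE-0000-0001": {"vulnerabilities": [{"cve": {
        "id": "CVE-0000-0001",
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:example:example-lib:2.0.0:*:*:*:*:*:*:*"},
        ]}]}],
    }}]},
    "CVE-0000-0002": {"vulnerabilities": []},  # no NVD record -> no CPE match
}


def fetch_nvd_cves(cve_id):
    """Stand-in for the NVD lookup; a real client would GET
    https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<id>."""
    return FAKE_NVD.get(cve_id, {"vulnerabilities": []})


def extract_cpes(nvd_response):
    """Collect the CPE 2.3 criteria strings flagged vulnerable in an NVD 2.0 response."""
    cpes = []
    for vuln in nvd_response.get("vulnerabilities", []):
        for config in vuln.get("cve", {}).get("configurations", []):
            for node in config.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if match.get("vulnerable") and match.get("criteria"):
                        cpes.append(match["criteria"])
    return cpes


def find_cpes_for_version(versions, bom_version, limit=50, fetch=fetch_nvd_cves):
    """Return (matched_version, cve_id, cpes).

    The BOM version is tried first; if it yields no CPE match, up to `limit` older
    versions are tried in ascending release-date order (the --other-comp-version-count
    behaviour the PR describes). (None, None, []) means nothing matched within the limit.
    """
    by_version = {v["version"]: v for v in versions}
    current = by_version[bom_version]
    older = sorted((v for v in versions if v["released"] < current["released"]),
                   key=lambda v: v["released"])
    for entry in [current] + older[:limit]:
        for cve_id in entry["cves"]:
            cpes = extract_cpes(fetch(cve_id))
            if cpes:
                return entry["version"], cve_id, cpes
    return None, None, []


def build_cpe_report(bom, component_versions, limit=50, fetch=fetch_nvd_cves):
    """Build the CSV text for a BOM given as (component, version) pairs.

    Components with no match within the limit still get a row, so the report
    makes the gap visible instead of silently dropping them.
    """
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["component", "bom_version", "matched_version", "cve", "cpe"])
    for component, version in bom:
        matched, cve_id, cpes = find_cpes_for_version(
            component_versions[component], version, limit, fetch)
        if not cpes:
            writer.writerow([component, version, "", "", ""])
        for cpe in cpes:
            writer.writerow([component, version, matched, cve_id, cpe])
    return out.getvalue()


if __name__ == "__main__":
    print(build_cpe_report([("example-lib", "3.0.0")], COMPONENT_VERSIONS))
```

With the constructed data, 3.0.0 has no CVE record, 1.0.0 (the oldest) has a CVE that NVD does not know, and 2.0.0 supplies the match; lowering `limit` to 1 stops the walk after 1.0.0 and reports no match, which is the trade-off the `--other-comp-version-count` argument exposes.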

varunkpedapati commented 2 years ago

Closing this as I have made some more changes. Will create new PR shortly