chainguard-dev / rumble

Data collection for base image CVEs etc.
Apache License 2.0

[Feature] Gather CVE-Level Data Rather Than Only Aggregate CVE Data #14

Open jspeed-meyers opened 1 year ago

jspeed-meyers commented 1 year ago

This would enable calculating such metrics as time from a CVE first being introduced to a particular image to the time when that same image first publishes a version without that CVE. This could be one part of Chainguard image CVE remediation metrics.

found-it commented 1 year ago

I think this would be useful. Since CVEs are continuously changing, an aggregate number isn't granular enough to track things like an SLA. If the goal is 0 CVEs then it's granular enough because the target is 0, but if the goal is to remediate specific CVEs within a certain time period then the data needs to be more granular.

The data could also be used to track things like MTTR (mean time to remediation) for CVEs if we wanted to publish a number like that.

Not sure how hard it would be, but in the rumble UI it would be cool to have an aggregate number and then hovering over it shows each specific CVE and the duration since it was discovered.
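As an added example (not code from rumble or from anyone in this thread), here is how the per-CVE lifetime requested in the first comment and the MTTR mentioned in the second could be derived from per-publish scan snapshots. The snapshot shape, the `Window` type and the sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed snapshots of one image tag (hypothetical shape, not rumble's schema):
# each entry is (publish time, set of CVE IDs the scanner reported for that publish).
SAMPLE_SCANS = [
    (datetime(2023, 1, 1), {"CVE-2023-0001", "CVE-2023-0002"}),
    (datetime(2023, 1, 4), {"CVE-2023-0002", "CVE-2023-0003"}),
    (datetime(2023, 1, 6), {"CVE-2023-0003"}),
]


@dataclass
class Window:
    """Lifetime of one CVE in one image: the first scan it appeared in and the
    first later scan it was absent from (None while it is still present)."""
    introduced: datetime
    remediated: Optional[datetime] = None

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.remediated is None else self.remediated - self.introduced


def cve_windows(scans):
    """Per-CVE introduced/remediated times, walking scans in publish order.
    Only the first window per CVE is kept; a regression after remediation is
    not reopened here, which is a simplification of the real problem."""
    windows = {}
    for published, cves in sorted(scans, key=lambda s: s[0]):
        for cve in cves:
            windows.setdefault(cve, Window(introduced=published))
        for cve, w in windows.items():
            if w.remediated is None and cve not in cves:
                w.remediated = published
    return windows


def mttr(windows):
    """Mean introduced-to-remediated time over closed windows only; CVEs that
    are still present are excluded rather than counted as zero.
    Returns (mean or None, number closed, number still open)."""
    closed = [w.duration for w in windows.values() if w.duration is not None]
    still_open = len(windows) - len(closed)
    if not closed:
        return None, 0, still_open
    return sum(closed, timedelta()) / len(closed), len(closed), still_open
```

With the sample data, CVE-2023-0001 is open for 3 days and CVE-2023-0002 for 5 days, so the MTTR is 4 days over 2 closed windows with 1 CVE still open.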