intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

Improve SBOM Product Management #2685

Open anthonyharrison opened 1 year ago

anthonyharrison commented 1 year ago

SBOMs can specify a product in a number of different ways. For example, an SBOM can include a product as a Name, a CPE or a PURL (and possibly all three!). Whilst the quality of SBOMs is variable (and in some cases inconsistent), extending the mechanisms beyond a name should increase the reliability of the SBOM scanning and reduce false reports, as CPE and/or PURL can include vendor information as well.

If a PURL record is used, there is also the possibility of interrogating an ecosystem to get more accurate product information.

This task will also require changes to the SBOM parsing routines to use external libraries e.g. SPDX Python Tools

Possibly add to GSOC task?
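As an added illustration of the point made above (example code, not cve-bin-tool's own SBOM handling): a component that carries a CPE or a PURL yields a vendor alongside the product name, and matching on that vendor drops the same-named products of other vendors that a name-only match would report. The PURL namespace standing in for the vendor, the `EXAMPLE-*` records and the numeric version compare are all assumptions of this example, not of the project.

```python
"""Derive a product identity from an SBOM component's CPE, PURL or bare name
and show how the vendor it carries narrows vulnerability matching.

Added example, not cve-bin-tool code. Assumptions: a PURL namespace is used as
the vendor, VULN_DB is constructed data, versions compare as integer tuples.
"""
import re
from urllib.parse import unquote


def parse_cpe23(cpe: str):
    """Return (vendor, product, version) from a CPE 2.3 formatted string.

    13 colon-separated fields; a colon inside a field is escaped as '\\:' and
    must not split. '*' (ANY) and '-' (NA) carry no information -> None.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")

    def norm(field):
        field = field.replace("\\:", ":")
        return None if field in ("*", "-") else field.lower()

    return tuple(norm(f) for f in fields[3:6])


def parse_purl(purl: str):
    """Return (type, namespace, name, version) from a package URL.

    Layout: pkg:type/namespace/name@version?qualifiers#subpath; namespace,
    version, qualifiers and subpath are optional, segments percent-encoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[4:].lstrip("/")
    rest = rest.partition("#")[0]            # drop subpath
    rest = rest.partition("?")[0]            # drop qualifiers
    path, sep, version = rest.rpartition("@")
    if not sep:                              # no version given
        path, version = rest, ""
    segs = [unquote(s) for s in path.strip("/").split("/")]
    if len(segs) < 2:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    namespace = "/".join(segs[1:-1]) or None
    return segs[0].lower(), namespace, segs[-1], version or None


def product_identity(component: dict) -> dict:
    """Prefer CPE, then PURL, then bare name: the order the issue argues for."""
    if component.get("cpe"):
        vendor, product, version = parse_cpe23(component["cpe"])
        return {"vendor": vendor, "product": product, "version": version, "source": "cpe"}
    if component.get("purl"):
        _ptype, namespace, name, version = parse_purl(component["purl"])
        # Assumption of this example: the namespace (Maven group id, npm
        # scope, ...) stands in for the vendor; an unscoped purl leaves it None.
        return {"vendor": namespace, "product": name.lower(), "version": version, "source": "purl"}
    return {"vendor": None, "product": component["name"].lower(),
            "version": component.get("version"), "source": "name"}


# Constructed records (not real CVE data): three unrelated products from
# different vendors that all carry the bare name "zlib".
VULN_DB = [
    {"id": "EXAMPLE-1", "vendor": "zlib", "product": "zlib", "fixed_in": "1.2.12"},
    {"id": "EXAMPLE-2", "vendor": "acme", "product": "zlib", "fixed_in": "9.9.9"},
    {"id": "EXAMPLE-3", "vendor": "org.example", "product": "zlib", "fixed_in": "2.0.0"},
]


def _vtuple(version: str):
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_matches(identity: dict, db=VULN_DB):
    """Ids of records affecting the component. The vendor is compared only when
    the SBOM supplied one, so a name-only identity hits every same-named
    record: exactly the false reports the issue wants to avoid."""
    hits = []
    for rec in db:
        if rec["product"] != identity["product"]:
            continue
        if identity["vendor"] is not None and rec["vendor"] != identity["vendor"]:
            continue
        version = identity["version"]
        if version is None or _vtuple(version) < _vtuple(rec["fixed_in"]):
            hits.append(rec["id"])
    return hits


SBOM_COMPONENTS = [  # constructed input: same name, three identifier styles
    {"name": "zlib", "version": "1.2.11",
     "cpe": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"},
    {"name": "zlib", "version": "1.4.0", "purl": "pkg:maven/org.example/zlib@1.4.0"},
    {"name": "zlib", "version": "1.2.11"},
]


def scan(components=SBOM_COMPONENTS):
    """Map each component's identifier source to the record ids it matches."""
    return {product_identity(c)["source"]: find_matches(product_identity(c))
            for c in components}


if __name__ == "__main__":
    for source, ids in scan().items():
        print(f"{source:>4}: {ids}")
```

Running it shows the CPE-bearing component matching only the `zlib` vendor's record and the PURL-bearing one only its namespace's record, while the name-only component matches all three; the two extra hits are the false reports the comment describes.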

anthonyharrison commented 1 year ago

This may be of relevance.

terriko commented 1 year ago

Darn, I was hoping that they were proposing infrastructure fixes. But better namespaces are good too.

terriko commented 1 year ago

This didn't wind up being worked explicitly into any gsoc applications this year. We already have Name support so I'm going to open two separate issues and initially invite the hackathon folk to work on them this week: