intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

chore: add explanations to TRIAGE.vex #3996

Closed terriko closed 1 month ago

terriko commented 6 months ago

In #3969, @mastersans has added a TRIAGE.vex file. Right now it marks our false positives but doesn't give a whole lot of detail as to why these things are false positives. In most cases right now, it's detecting a library with the same name that's clearly written in another language and is not the same package, but that's not inherently obvious on a per-CVE basis.

I'd like to add some human readable explanation to the file. I forget off the top of my head if it's comments or remarks and what part of the data structure it should go in, but there should be a way to do this.

mastersans commented 6 months ago

If anyone wants to tackle this issue, you can ping me too if you need any help or if you get stuck somewhere.

terriko commented 1 month ago

Tagging @mastersans to look at this more -- we may need to switch to triage.json and fix some of the entries.