Notes from 3.3.1 roadmap/planning meeting

[terriko]

3.3.1 plans:

• evaluate some of the NVD overlay / extra meta data /alternative data sources and see which ones should be integrated
  • NVD is currently very backlogged and it's getting worse due to funding cuts. etc. They've announced plans for an NVD Consortium to get a wider industry group to help resolve this but it's very likely we'll be using some additional data sources for some time before they're back up to speed.
  • Edited to add issue link: #4100
• CWE support
  • these are already available in NVD, but we'd need to actually have options to display them, possibly filter/group on them.
• Other meta data?
• OSV & de-dupe of data -- some of our data sources may not be playing well together
• SPDX 3 is out, library may be able to support it soon but it's very different -- not sure how many people will want to support it at this stage, will likely keep current default for some time
• CycloneDX 1.6 is a less radical change
• more binary reverse engineering tools? improve accuracy
• provide a no-scan mode for SBOM generation without any scanning (no download of data, etc.) -- this is being used by embedded folk and we could make the process nicer for them.
  • Edit: issue filed: #4110
• take a look at flags/options in cve-bin-tool, do we need to streamline/reduce/add?
• improve any workflows? usability? Edit: Started discussion in #4087

Feel free to use this issue to continue to discuss things that might fit in 3.3.1

[terriko]

I'm also starting to flag a lot of issues as 3.3.1, here's the link for that:

https://github.com/intel/cve-bin-tool/milestone/11

I'm particularly interested in making sure I track smaller post-3.3 bugs to make sure they're resolved in 3.3.1, but there's also some features and bigger stuff in there at this time. If you see something that you think should be tagged as 3.3.1, you can mention it here or directly on the relevant issue to let me know!

[terriko]

Okay, I think the parts of this we're going to work on have either been done or have appropriate issues filed and this discussion issue can be closed now.