nikstur / bombon

Nix CycloneDX Software Bills of Materials (SBOMs)
MIT License

How to match pkg/nix/* PURLs to Vulnerabilities? #135

Open blitz opened 2 weeks ago

blitz commented 2 weeks ago

Bombon generates Package URLs, such as these:

pkg:nix/glibc@2.39

As far as I can see, there is no CVE data source for these PURLs. Is there any advice on how to handle these for vulnerability analysis?

nikstur commented 2 weeks ago

There's no official PURL spec yet for Nix. However, there is a draft PR open: https://github.com/package-url/purl-spec/pull/314

Not super clear to me how to use this for vulnerability analysis.

Happy to change the PURL if there is a good proposal.

See also how syft creates Nix PURLs: https://github.com/anchore/syft/pull/1696

0xf09f95b4 commented 2 weeks ago

For a more short-term solution for vulnerability-scan-compatibility, would it be possible to "guess" CPEs instead, similar to how sbomnix does it?

blitz commented 2 days ago

> For a more short-term solution for vulnerability-scan-compatibility, would it be possible to "guess" CPEs instead, similar to how sbomnix does it?

Correct CPEs would help, but sbomnix generates wrong CPEs. For glibc it generates cpe:2.3:a:glibc:glibc:2.39-52:*:*:*:*:*:*:* while actual CVEs are filed under cpe:2.3:a:gnu:glibc:2.37:*:*:*:*:*:*:* (note glibc vs gnu). Manually adding the correct CPE makes DependencyTrack find vulnerabilities, though.

I'm not sure whether the CPEs can be autogenerated, but adding the relevant fields to the meta attributes of derivations could be feasible.
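To make the vendor problem from this thread concrete, here is an added example (not code from bombon, sbomnix or DependencyTrack) that guesses a CPE 2.3 name from a `pkg:nix/...` PURL and runs it against a list of CVE-style affected CPEs. It shows why the naive `glibc:glibc` guess matches nothing while a vendor override to `gnu` does. The override table is constructed and only contains the glibc entry named above; the stripping of a trailing `-<n>` nixpkgs revision (as in `2.39-52`) is a heuristic; the affected CPE with version 2.39 is a constructed sample chosen to line up with the PURL, not a real NVD record; and the `cyclonedx_component` helper just shows where a resolved CPE would sit next to the PURL in a CycloneDX component.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed vendor override table. The glibc entry is the one discussed in
# this thread (NVD files glibc under vendor "gnu"); any further entries would
# have to come from a curated list or from nixpkgs meta attributes.
CPE_VENDOR_OVERRIDES: dict[str, str] = {
    "glibc": "gnu",
}

# nixpkgs appends its own patch counter to some upstream versions (e.g. glibc
# "2.39-52"), whereas NVD only knows the upstream "2.39". Heuristic only.
_NIX_REVISION_SUFFIX = re.compile(r"-\d+$")

# pkg:nix/<name>@<version>[?qualifiers] as emitted by bombon.
_NIX_PURL = re.compile(
    r"^pkg:nix/(?P<name>[^@?#/]+)@(?P<version>[^?#]+)(?:\?(?P<qualifiers>[^#]*))?$"
)


@dataclass(frozen=True)
class Cpe:
    """The CPE 2.3 fields that vulnerability matching keys on."""

    part: str
    vendor: str
    product: str
    version: str

    def to_string(self) -> str:
        return f"cpe:2.3:{self.part}:{self.vendor}:{self.product}:{self.version}:*:*:*:*:*:*:*"


def parse_cpe(text: str) -> Cpe:
    """Parse a CPE 2.3 formatted string (13 colon-separated fields; escaped colons not handled)."""
    fields = text.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {text!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def parse_nix_purl(purl: str) -> tuple[str, str]:
    """Split a pkg:nix PURL into (name, version)."""
    m = _NIX_PURL.match(purl)
    if m is None:
        raise ValueError(f"not a pkg:nix PURL: {purl!r}")
    return m["name"], m["version"]


def upstream_version(nix_version: str) -> str:
    """Drop a trailing nixpkgs revision such as '-52' (heuristic)."""
    return _NIX_REVISION_SUFFIX.sub("", nix_version)


def guess_cpe(purl: str, vendor_overrides: dict[str, str] = CPE_VENDOR_OVERRIDES) -> Cpe:
    """Guess a CPE for a Nix PURL; without an override, vendor falls back to the product name."""
    name, version = parse_nix_purl(purl)
    vendor = vendor_overrides.get(name, name)
    return Cpe(part="a", vendor=vendor, product=name, version=upstream_version(version))


def cpe_matches(candidate: Cpe, affected: Cpe) -> bool:
    """Exact match on part, vendor and product; version matches when equal or when affected uses '*'."""
    return (
        candidate.part == affected.part
        and candidate.vendor == affected.vendor
        and candidate.product == affected.product
        and affected.version in ("*", candidate.version)
    )


def find_matches(purl: str, affected_cpes: list[str],
                 vendor_overrides: dict[str, str] = CPE_VENDOR_OVERRIDES) -> list[str]:
    """Return the affected CPE strings that the guessed CPE for `purl` matches."""
    candidate = guess_cpe(purl, vendor_overrides)
    return [c for c in affected_cpes if cpe_matches(candidate, parse_cpe(c))]


def cyclonedx_component(purl: str) -> dict:
    """Minimal CycloneDX component carrying both the PURL and the guessed CPE."""
    name, version = parse_nix_purl(purl)
    return {"type": "library", "name": name, "version": version,
            "purl": purl, "cpe": guess_cpe(purl).to_string()}


# Constructed sample input: a bombon-style PURL and one CVE-style affected CPE.
SAMPLE_PURL = "pkg:nix/glibc@2.39"
SAMPLE_AFFECTED = ["cpe:2.3:a:gnu:glibc:2.39:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    naive = guess_cpe(SAMPLE_PURL, vendor_overrides={})
    print("naive guess   :", naive.to_string(), "->", find_matches(SAMPLE_PURL, SAMPLE_AFFECTED, {}))
    fixed = guess_cpe(SAMPLE_PURL)
    print("with override :", fixed.to_string(), "->", find_matches(SAMPLE_PURL, SAMPLE_AFFECTED))
```

Run as a script, the naive guess yields `cpe:2.3:a:glibc:glibc:2.39:...` and an empty match list, while the override yields `cpe:2.3:a:gnu:glibc:2.39:...` and matches the sample CPE; the same vendor-only difference is what makes a scanner stay silent on the auto-generated CPE and report findings once the CPE is corrected by hand.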