Open carlosthe19916 opened 1 month ago
The CVE will generally be very low value, and perhaps no include actual pURLs or CPEs, so difficult to link to thinks.
One step better would be the Netty project producing GHSAs or OSVs that give more/better details.
The RHT CSAF files purely give statuses within the context of the Red Hat product catalog.
So, ingesting a CSAF from Red Hat will tell you nothing of import about netty if you're using it in a vanilla Spring
app or such.
The user will need to ingest advisories relevant to their usage. If they use Quarkus, then our CSAFs. If they use something else, then they need some other advisories.
And generally, CVEs aren't the final answer, just a starting point that other people build advisories from.
Hi guys, this is not to report a bug but more a way of asking a question.
Context:
As a result if I hit
GET /api/v1/vulnerability/CVE-2024-29025
then I get a response that indicates that my sbom quarkus-bom-3.2.11.Final-redhat-00001.json has a statusnot_affected
and also a set ofpurls
that indicate which are the packagesfixed | not_affected
. Everything good here.Question:
Finally I hit
GET /api/v1/vulnerability/CVE-2024-29025
then I get the following response:The previous response indicates that there are zero sboms affected by the vulnerability.
Here is the question, is the importing of red hat csaf files the only way of determining sbom statuses and package statuses? If I import my company sboms and then only import all the advisories from the CVE project, is it expected to have some sboms with statuses (affected, not affected, etc)?
I am asking because in my mind, an external company would not decide to import the red hat csaf files and for me, personally, it should be enough (even if not perfect) to import advisories from the CVE project or other open sources not strongly related to red hat advisories. WDYT guys?