PR #71 partly resolves this issue, removing the dependency on the to-be-retired legacy NVD JSON database.
The second part of this issue, i.e. making the CPE mapping more accurate, still needs work; therefore, leaving this issue open but removing the priority label for now.
NVD plans to retire legacy data feeds on 09/2023: https://nvd.nist.gov/products/cpe
Currently, sbomnix uses the NVD "CPE Dictionary" in mapping the nix packages to CPE identifiers, see: https://github.com/tiiuae/sbomnix/blob/main/scripts/cpedict/update-cpedict.sh and https://github.com/tiiuae/sbomnix/blob/main/sbomnix/cpe.py.
We need to rethink how to properly do this in sbomnix to make it more accurate and so that it does not rely on the to-be-retired NVD data feed.
All suggestions or ideas on how to improve the CPE mapping are welcome.