Comments (5)
@prabhu Here's an overview of the part of the document I am referring to from oasis.
from dep-scan.
How do other vendors handle this scenario? Any examples we can find from providers such as redhat?
@prabhu I'm afraid I don't know how vendors handle this - according to the generator section, Red Hat's CSAFs are produced using the Red Hat SDEngine, but I don't know any details.
The CSAF 2.0 schema is clear that the entries must be unique, and there isn't any reason to store the exact same thing twice for the same vulnerability anyway. They don't have to be unique across the whole document, just in the ids attached per vulnerability. There are really only two ways to deal with this issue: either prevent duplicate IDs from being generated in the first place from the reference list, or remove them afterwards. The latter is quicker.
Here's Red Hat's Issues in SDEngine's CSAF implementation of advisories issue tracker
Does this tool help? Perhaps the product tree is used to link to all products that are related to the given vulnerability?
https://secvisogram.github.io/?tab=EDITOR
@prabhu This is unrelated to the product tree. The entries duplicated are in vulnerabilities, and their only fields are system_name and text - for the system that created the id, and the id itself, respectively. You can look at the test for format_references in test_csaf.py for examples of what this data looks like.
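The per-vulnerability uniqueness rule and the "remove them afterwards" approach discussed above, as an added example that is not dep-scan's own code: a checker that reports duplicate `ids` entries per vulnerability, and a dedupe that keys on the `(system_name, text)` pair so the same id text reported by two different systems is kept. The sample document is constructed.

```python
"""Validate and dedupe CSAF 2.0 vulnerability ids (added example, not dep-scan code)."""
from __future__ import annotations

from typing import Any


def dedupe_ids(ids: list[dict[str, str]]) -> list[dict[str, str]]:
    """Drop exact (system_name, text) duplicates, keeping first-seen order.

    Two entries with the same text but different system_name are distinct
    ids under the schema and are both kept.
    """
    seen: set[tuple[str, str]] = set()
    unique: list[dict[str, str]] = []
    for entry in ids:
        key = (entry["system_name"], entry["text"])
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return unique


def find_duplicate_ids(doc: dict[str, Any]) -> dict[str, list[tuple[str, str]]]:
    """Map each offending vulnerability (its cve, or its index) to the
    (system_name, text) pairs that occur more than once in its ids.

    Uniqueness is only required within one vulnerability, so the same id
    appearing under two different vulnerabilities is not reported.
    """
    report: dict[str, list[tuple[str, str]]] = {}
    for i, vuln in enumerate(doc.get("vulnerabilities", [])):
        counts: dict[tuple[str, str], int] = {}
        for entry in vuln.get("ids", []):
            key = (entry["system_name"], entry["text"])
            counts[key] = counts.get(key, 0) + 1
        dupes = [k for k, n in counts.items() if n > 1]
        if dupes:
            report[vuln.get("cve", f"vulnerability[{i}]")] = dupes
    return report


# Constructed sample: one advisory id emitted twice from the same system,
# plus the same text from a different system (legitimately distinct).
SAMPLE_DOC: dict[str, Any] = {
    "vulnerabilities": [
        {"cve": "CVE-0000-0000", "ids": [
            {"system_name": "GitHub Advisory", "text": "GHSA-xxxx-xxxx-xxxx"},
            {"system_name": "GitHub Advisory", "text": "GHSA-xxxx-xxxx-xxxx"},
            {"system_name": "OSV", "text": "GHSA-xxxx-xxxx-xxxx"},
            {"system_name": "Debian Security Tracker", "text": "DSA-PLACEHOLDER"},
        ]},
    ]
}
```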