Today more and more OSS is integrated from other OSS components. I see license conflict is already in the license metrics section. In addition, vulnerabilities are one of the important indicators of security.
So, in this scenario, can we measure the project vulnerabilities completely and accurately?
Can we use an SBOM to find the vulnerabilities from the OSS projects being integrated, check whether every vulnerability is correct, and publish the vulnerabilities in the community?
Thanks @king-gao. @sgoggins can give some insight on this. I think this is something that we can cover with Augur, but not sure how robust it is at the moment.
Maybe we can use the SBOM (the project's OSS list): we can sum the total vulnerabilities and diff them with the project's vulnerabilities :)
The challenge that I always run into with vulnerabilities is how to discover them. The NIST NVD is deep but determining CPEs to find the vulnerabilities always proves to be a challenge.
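One way to carry out the sum-and-diff idea from the previous comment together with the CPE matching problem raised here, as an added example that is not code from Augur or the CHAOSS project: components from a CycloneDX-style SBOM are matched against an NVD-like feed by CPE vendor/product and version window, then the inherited total is compared with what is filed against the project itself. The SBOM, the feed records and the CVE ids are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical project (not a real SBOM).
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "example-app", "version": "1.0.0",
               "cpe": "cpe:2.3:a:example:example-app:1.0.0:*:*:*:*:*:*:*"}},
  "components": [
    {"name": "liba", "version": "2.14.1", "cpe": "cpe:2.3:a:vendor_a:liba:2.14.1:*:*:*:*:*:*:*"},
    {"name": "libb", "version": "1.10.0", "cpe": "cpe:2.3:a:vendor_b:libb:1.10.0:*:*:*:*:*:*:*"}
  ]}""")
# Constructed NVD-like records: affected vendor:product plus a version window, the way
# NVD configurations use versionStartIncluding/versionEndExcluding. CVE ids are placeholders.
FEED = [
    {"id": "CVE-0000-0001", "vendor": "vendor_a", "product": "liba", "start_incl": "2.0", "end_excl": "2.15.0"},
    {"id": "CVE-0000-0002", "vendor": "vendor_a", "product": "liba", "start_incl": "2.9", "end_excl": "2.16.0"},
    {"id": "CVE-0000-0003", "vendor": "vendor_b", "product": "libb", "start_incl": "1.5", "end_excl": "1.10.0"},
    {"id": "CVE-0000-0004", "vendor": "example", "product": "example-app", "start_incl": "0.1", "end_excl": "1.0.1"},
]

def vtuple(v):
    """Numeric version tuple so that '2.9' < '2.14.1' (plain string compare says otherwise)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_cpe(cpe):
    """cpe:2.3:part:vendor:product:version:... -> (vendor, product, version)."""
    fields = cpe.split(":")
    return fields[3], fields[4], fields[5]

def affected(rec, cpe):
    """True when the CPE's vendor/product match and its version lies inside the window."""
    vendor, product, version = parse_cpe(cpe)
    if (rec["vendor"], rec["product"]) != (vendor, product):
        return False
    return vtuple(rec["start_incl"]) <= vtuple(version) < vtuple(rec["end_excl"])

def vulns_for(cpe, feed):
    return sorted(r["id"] for r in feed if affected(r, cpe))

def vulnerability_report(sbom, feed):
    """Per-component CVE ids, the project's own CVE ids, and the diff between the two."""
    per_component = {c["name"]: vulns_for(c["cpe"], feed) for c in sbom["components"]}
    inherited = sorted({cve for ids in per_component.values() for cve in ids})
    direct = vulns_for(sbom["metadata"]["component"]["cpe"], feed)
    return {"per_component": per_component, "inherited_total": len(inherited),
            "direct": direct, "inherited_not_filed_on_project": [c for c in inherited if c not in direct]}

if __name__ == "__main__":
    print(json.dumps(vulnerability_report(SBOM, FEED), indent=2))
```

The libb record shows the version-window edge case: a CVE whose fix landed in the exact version the SBOM lists is correctly excluded, which a name-only match would have flagged.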