
new metrics in risk-security #90

Open
king-gao opened this issue Mar 26, 2020 · 3 comments

Comments

@king-gao
Member

king-gao commented Mar 26, 2020

Today more and more OSS is integrated from other OSS components. I see license conflict is already in the license metrics section; in addition, vulnerabilities are one of the important indicators of security.

So, in this scenario, can we measure the project's vulnerabilities completely and accurately?
Can we use the SBOM to find the vulnerabilities from the integrated OSS projects, and check whether every vulnerability is correct and publish the vulnerabilities in the community?

@germonprez
Contributor

Thanks @king-gao @sgoggins can give some insight on this. I think this is something that we can cover with Augur but not sure how robust it is at the moment.

@king-gao
Member Author

> Thanks @king-gao @sgoggins can give some insight on this. I think this is something that we can cover with Augur but not sure how robust it is at the moment.

Maybe we can use the SBOM (the project's OSS list); we can sum the total vulnerabilities and diff with the project vulnerabilities :)

@germonprez
Contributor

The challenge that I always run into with vulnerabilities is how to discover them. The NIST NVD is deep but determining CPEs to find the vulnerabilities always proves to be a challenge.
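One way to compute the metric proposed in this thread, as an added example that is not code from the CHAOSS project or any commenter: it sums vulnerabilities over a constructed CycloneDX-style SBOM by matching each component's CPE against a vulnerability index (a stand-in for an NVD lookup), reports components that carry no CPE and therefore cannot be looked up (the discovery problem raised in the last comment), and diffs the inherited set against what the project itself has disclosed. The SBOM, the vulnerability index and all identifiers are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not any real project's SBOM).
# The third component deliberately has no CPE, so it cannot be matched.
SBOM_JSON = """
{
  "components": [
    {"name": "libfoo", "version": "1.2.0", "purl": "pkg:generic/libfoo@1.2.0",
     "cpe": "cpe:2.3:a:example:libfoo:1.2.0:*:*:*:*:*:*:*"},
    {"name": "barlib", "version": "0.9.1", "purl": "pkg:generic/barlib@0.9.1",
     "cpe": "cpe:2.3:a:example:barlib:0.9.1:*:*:*:*:*:*:*"},
    {"name": "internal-util", "version": "3.0", "purl": "pkg:generic/internal-util@3.0"}
  ]
}
"""

# Constructed vulnerability index keyed by CPE; stands in for an NVD query.
# Identifiers are placeholders, not real CVE ids.
VULN_INDEX = {
    "cpe:2.3:a:example:libfoo:1.2.0:*:*:*:*:*:*:*": ["EXAMPLE-VULN-2", "EXAMPLE-VULN-1"],
    "cpe:2.3:a:example:barlib:0.9.1:*:*:*:*:*:*:*": ["EXAMPLE-VULN-3"],
}


def aggregate(sbom_json, vuln_index, project_disclosed):
    """Return the SBOM-derived vulnerability metric for one project.

    per_component:        vulnerability ids found for each component with a CPE
    unmatched_components: components without a CPE (lookup impossible, metric incomplete)
    inherited_total:      distinct vulnerabilities inherited through the SBOM
    undisclosed:          inherited vulnerabilities the project has not disclosed itself
    """
    sbom = json.loads(sbom_json)
    per_component, unmatched = {}, []
    for comp in sbom.get("components", []):
        cpe = comp.get("cpe")
        if not cpe:
            unmatched.append(comp["name"])
            continue
        per_component[comp["name"]] = sorted(vuln_index.get(cpe, []))
    inherited = {v for ids in per_component.values() for v in ids}
    return {
        "per_component": per_component,
        "unmatched_components": unmatched,
        "inherited_total": len(inherited),
        "undisclosed": sorted(inherited - set(project_disclosed)),
    }
```

A non-empty `unmatched_components` list is the signal that the metric is incomplete for that project, which is exactly the CPE-discovery gap described above.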
