We are seeing SBOM tools that are making up CPE and purl identifiers without offering evidence for identity. This is causing frustration, delays, and lack of trust in the tool and the process. Making the identity mandatory could help filter components with low confidence detection techniques.
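One way to act on the proposal in the opening post, as an added example that is not code from the issue thread or the project: audit a CycloneDX JSON BOM and flag every component whose `purl` or `cpe` is either unsupported by any `evidence.identity` record or supported only below a chosen confidence threshold. The script assumes the CycloneDX 1.5 shape for `components[].evidence.identity` (a `field`, an overall `confidence` between 0 and 1, and a list of `methods`), tolerates the 1.6 list form, and works on a constructed sample BOM embedded inline.

```python
"""Flag SBOM components whose CPE/purl identifiers lack supporting evidence.

Added example (not from the issue thread). Assumes the CycloneDX 1.5 JSON
layout for `components[].evidence.identity`; the sample BOM is constructed.
"""
import json

# Constructed sample: three components with different evidence quality.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {   # purl backed by a high-confidence manifest match
            "type": "library", "name": "left-pad", "version": "1.3.0",
            "purl": "pkg:npm/left-pad@1.3.0",
            "evidence": {"identity": {
                "field": "purl", "confidence": 0.9,
                "methods": [{"technique": "manifest-analysis", "confidence": 0.9,
                             "value": "/app/package-lock.json"}]}},
        },
        {   # cpe asserted from nothing more than a filename heuristic
            "type": "library", "name": "zlib", "version": "1.2.11",
            "cpe": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*",
            "evidence": {"identity": {
                "field": "cpe", "confidence": 0.3,
                "methods": [{"technique": "filename", "confidence": 0.3,
                             "value": "libz.so.1"}]}},
        },
        {   # purl and cpe with no evidence at all ("spray and pray")
            "type": "library", "name": "openssl", "version": "1.1.1",
            "purl": "pkg:generic/openssl@1.1.1",
            "cpe": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
        },
    ],
})

IDENTIFIER_FIELDS = ("purl", "cpe")


def identity_records(component):
    """Return evidence.identity as a list (1.5 uses one object, 1.6 a list)."""
    identity = component.get("evidence", {}).get("identity")
    if identity is None:
        return []
    return identity if isinstance(identity, list) else [identity]


def unsupported_identifiers(component, min_confidence):
    """Return (field, reason) pairs for identifiers lacking adequate evidence."""
    by_field = {rec.get("field"): rec for rec in identity_records(component)}
    findings = []
    for field in IDENTIFIER_FIELDS:
        if field not in component:
            continue  # nothing asserted, nothing to justify
        rec = by_field.get(field)
        if rec is None:
            findings.append((field, "no identity evidence"))
        else:
            conf = rec.get("confidence", 0.0)
            if conf < min_confidence:
                findings.append(
                    (field, f"confidence {conf:.2f} below {min_confidence:.2f}"))
    return findings


def audit_bom(bom_json, min_confidence=0.5):
    """Map component name -> findings for every component that fails the check."""
    bom = json.loads(bom_json)
    report = {}
    for comp in bom.get("components", []):
        findings = unsupported_identifiers(comp, min_confidence)
        if findings:
            report[comp.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_bom(SAMPLE_BOM).items():
        for field, reason in findings:
            print(f"{name}: {field} -> {reason}")
```

Running it against the sample flags `zlib` (CPE evidence present but low confidence) and `openssl` (both identifiers asserted with no evidence), while `left-pad` passes. Components in the report are the ones a consumer can reasonably treat as unverified before spending triage time on the CVEs their identifiers would match.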
Agreed that this is an issue. I've seen this a lot by smaller startups and open source projects, both of which typically do not have their own data science teams. These teams usually take the mess that is CPE, and target the CVEs more accurately than what CPE can natively do. This is especially common with tools that scan libraries and container images.
The approach taken by these tools is essentially "spray and pray". If you cast a wide enough net, you're bound to catch something. But as you say, these are generally pulled from thin air, or in some cases, are designed as a workaround to the data issues present in the NVD.
While this would be a breaking change, I think one approach we can do in the meantime is to work with the offending tool authors and have them voluntarily add this data.