Consider making evidence.identity mandatory #457

Open

prabhu opened this issue May 3, 2024 · 1 comment
Comments

@prabhu (Contributor)

prabhu commented May 3, 2024

We are seeing SBOM tools that are making up CPE and purl identifiers without offering evidence for identity. This is causing frustration, delays, and lack of trust in the tool and the process. Making the identity mandatory could help filter components with low confidence detection techniques.

@jkowalleck jkowalleck changed the title Consider making evidence.identity mandatory Consider making evidence.identity mandatory May 3, 2024
@stevespringett (Member)

Agreed that this is an issue. I've seen this a lot by smaller startups and open source projects, both of which typically do not have their own data science teams. These teams usually take the mess that is CPE, and target the CVEs more accurately than what CPE can natively do. This is especially common with tools that scan libraries and container images.

The approach taken by these tools is essentially "spray and pray". If you cast a wide enough net, you're bound to catch something. But as you say, these are generally pulled from thin air, or in some cases, are designed as a workaround to the data issues present in the NVD.

While this would be a breaking change, I think one approach we can do in the meantime is to work with the offending tool authors and have them voluntarily add this data.

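The filtering both comments describe, as an added example that is not part of this issue or of the CycloneDX project's own code: a small triage script that reads a BOM, and for every component that asserts a `purl` or `cpe` checks whether `evidence.identity` backs that field and with what confidence. Components that assert an identifier with no identity evidence, or with confidence below a threshold, are reported as suspect instead of being fed to a vulnerability matcher. The sample BOM is constructed for this example; the `evidence.identity` shape assumed here is the 1.5 object form (`field`, `confidence`, `methods[]`) with the 1.6 array form also accepted, and the 0.5 threshold is an arbitrary choice.

```python
"""Triage CycloneDX components whose purl/CPE lack identity evidence.

Added example, not CycloneDX project code. Assumes the evidence.identity
shape of spec 1.5 (single object) or 1.6 (array of objects).
"""
import json

# Constructed sample BOM (not produced by any real tool). Two components carry
# well-evidenced identities, one carries low-confidence evidence, and one
# asserts both a purl and a CPE with no evidence at all.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "name": "log4j-core", "version": "2.17.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            "evidence": {"identity": {
                "field": "purl", "confidence": 0.9,
                "methods": [{"technique": "manifest-analysis", "confidence": 0.9,
                             "value": "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"}],
            }},
        },
        {
            "type": "library", "name": "openssl", "version": "1.1.1w",
            "cpe": "cpe:2.3:a:openssl:openssl:1.1.1w:*:*:*:*:*:*:*",
            "evidence": {"identity": {
                "field": "cpe", "confidence": 0.3,
                "methods": [{"technique": "filename", "confidence": 0.3,
                             "value": "libssl.so.1.1"}],
            }},
        },
        {
            # Identifiers asserted with no evidence block at all.
            "type": "library", "name": "zlib", "version": "1.2.13",
            "purl": "pkg:generic/zlib@1.2.13",
            "cpe": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*",
        },
        {
            # 1.6-style array form of evidence.identity.
            "type": "library", "name": "jackson-databind", "version": "2.15.3",
            "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3",
            "evidence": {"identity": [{
                "field": "purl", "confidence": 0.8,
                "methods": [{"technique": "hash-comparison", "confidence": 0.8,
                             "value": "sha256 of the jar matched the package index"}],
            }]},
        },
    ],
})


def identity_records(component):
    """Return evidence.identity entries as a list (object in 1.5, array in 1.6)."""
    ident = component.get("evidence", {}).get("identity")
    if ident is None:
        return []
    return ident if isinstance(ident, list) else [ident]


def identity_confidence(component, field):
    """Highest confidence any identity record asserts for `field` ("purl" or "cpe").

    Returns None when no identity record covers that field at all. If a record
    omits its own confidence, the strongest method confidence is used instead.
    """
    best = None
    for rec in identity_records(component):
        if rec.get("field") != field:
            continue
        conf = rec.get("confidence")
        if conf is None:
            method_confs = [m.get("confidence", 0.0) for m in rec.get("methods", [])]
            conf = max(method_confs) if method_confs else 0.0
        best = conf if best is None else max(best, conf)
    return best


def triage(bom_json, min_confidence=0.5):
    """Split components into (accepted, suspect) lists of (label, problems)."""
    bom = json.loads(bom_json)
    accepted, suspect = [], []
    for comp in bom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        problems = []
        for field in ("purl", "cpe"):
            if field not in comp:
                continue  # nothing asserted, nothing to evidence
            conf = identity_confidence(comp, field)
            if conf is None:
                problems.append(f"{field} asserted without evidence.identity")
            elif conf < min_confidence:
                problems.append(f"{field} identity confidence {conf:.2f} < {min_confidence}")
        (suspect if problems else accepted).append((label, problems))
    return accepted, suspect


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_BOM)
    for label, _ in ok:
        print(f"ACCEPT  {label}")
    for label, problems in bad:
        print(f"SUSPECT {label}: {'; '.join(problems)}")
```

Run against a real BOM by replacing `SAMPLE_BOM` with the file contents; the suspect list is what a practitioner would route to manual review rather than straight into CVE matching. Raising `min_confidence` tightens the filter, and the per-field check matters because a tool can evidence its `purl` well while still inventing the `cpe`.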