Protecting the investment in Vulnerability Analysis #1961
flemminglau started this conversation in Ideas (2 comments, 7 replies)
- Hello @flemminglau, DT supports VEX, which fits right into your use case from where I stand. A VEX is basically a SBOM with a That's at least the way we are dealing with this in my company. You can find some examples here: https://github.com/CycloneDX/bom-examples/tree/master/VEX
- That's my understanding.
- One great thing about DT is that basically all data in there can be automatically recreated from the BOM files and automatically from external sources.
Except for the vulnerability handling. This will be entered manually and, as it looks at the moment, cannot easily be exported and restored.
(I just raised #1958, so it is not only difficult; actually it is impossible to restore as it stands.)
If using DT for real, the Violation handling can represent countless hours of invested analysis work. It would be really great if this information could be safeguarded by retaining it with the source code and not only in an external system which may disappear some day.
Is this aspect being looked at?
One option would be to support exporting the data in a format which could also be loaded. Or at least support that any "False Positive"->"Suppress" information can be loaded from an external source. Currently it seems that via the API one has to identify such information via the Vulnerability UUID, which is not very portable.
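As an added example (not code from this discussion, from Dependency-Track or from CycloneDX), the script below shows the portable form of the suppression data the VEX reply and the original post are both talking about: analysis decisions keyed by public vulnerability ID plus component purl rather than a DT-internal UUID, written out as a CycloneDX 1.4 VEX document and read back to recover which findings are suppressed. The decisions, CVE IDs, purls and the NVD source URL are constructed placeholders, and using the purl as the component's `bom-ref` is an assumption that has to match the SBOM the VEX is applied to.

```python
import json

# Constructed sample decisions, the kind of data that today only lives in DT.
# Keys are the public vulnerability id and the component purl, so the file
# stays meaningful if the DT instance (and its UUIDs) disappears.
DECISIONS = [
    {"id": "CVE-0000-0001", "purl": "pkg:maven/org.example/libfoo@1.2.3",
     "state": "false_positive", "detail": "Matched on name only; wrong artifact."},
    {"id": "CVE-0000-0002", "purl": "pkg:npm/example-lib@1.3.0",
     "state": "not_affected", "justification": "code_not_reachable",
     "detail": "Vulnerable function is never called from our code."},
    {"id": "CVE-0000-0003", "purl": "pkg:npm/example-lib@1.3.0",
     "state": "exploitable", "detail": "Upgrade scheduled for next release."},
]

# CycloneDX analysis states that mean "no action needed on this finding".
SUPPRESSING_STATES = {"false_positive", "not_affected"}


def build_vex(decisions):
    """Serialize decisions as a CycloneDX 1.4 VEX document (one entry each)."""
    vulns = []
    for d in decisions:
        analysis = {"state": d["state"]}
        if "justification" in d:
            analysis["justification"] = d["justification"]
        if "detail" in d:
            analysis["detail"] = d["detail"]
        vulns.append({
            "id": d["id"],
            "source": {"name": "NVD",
                       "url": "https://nvd.nist.gov/vuln/detail/" + d["id"]},
            "analysis": analysis,
            # Assumption: the SBOM uses the purl as the component's bom-ref.
            "affects": [{"ref": d["purl"]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": vulns}


def suppressed_findings(vex):
    """Return the set of (vuln id, purl) pairs the VEX marks as suppressed."""
    out = set()
    for v in vex.get("vulnerabilities", []):
        if v.get("analysis", {}).get("state") in SUPPRESSING_STATES:
            for a in v.get("affects", []):
                out.add((v["id"], a["ref"]))
    return out


def roundtrip(decisions):
    """Write the VEX as JSON (as it would be committed) and read it back."""
    text = json.dumps(build_vex(decisions), indent=2)
    return suppressed_findings(json.loads(text))
```

The JSON produced by `build_vex` is what would be committed next to the source tree; `roundtrip` shows that the suppression decisions survive without any reference to a DT UUID.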