Replies: 2 comments
-
Hello @jsdratm There are no such features at the moment to the best of my knowledge.
A CPE could be valid even though there are no entries yet in the NVD, simply because there are no known vulns for this entry.
Then again, the assumption would be that you have declared possible private repositories for your package manager in your DT instance. This seems like a tricky business.
-
One thing I would like to comment on is the existence of deprecated CPEs. When CPEs get deprecated, if the deprecatedBy field is non-empty, this could be flagged to the user (even including the replacement CPE to do an assessment). Sometimes deprecated CPEs lead to a stop of vulnerability analysis, but this is not visible now.
-
I was wondering if Dependency-Track has the ability to show whether a CPE or PURL appears to be valid.
For example, if you have a CPE, is there a corresponding entry in the NVD? If you have a PURL, is there a corresponding package in the appropriate package manager? If I import an SBOM and don't find vulnerabilities, sometimes it is because of a typo in the CPE or PURL and I think something like this would help to make sure that you aren't missing valid vulnerabilities by mistake. If there is already capability like this in the tool, great!
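The two checks discussed in this thread (does a CPE look well-formed and exist in the NVD at all, and is it deprecated with a replacement in deprecatedBy) as an added example that is not Dependency-Track code; it assumes the NVD CPE API 2.0 `products[].cpe` field names (`cpeName`, `deprecated`, `deprecatedBy`) and runs against a constructed sample instead of a live query.

```python
import re

# Constructed sample shaped like the NVD CPE API 2.0 "products" array
# (assumed field names; only cpeName, deprecated and deprecatedBy are used here).
SAMPLE_NVD_PRODUCTS = [
    {"cpe": {"cpeName": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*",
             "deprecated": False, "deprecatedBy": []}},
    {"cpe": {"cpeName": "cpe:2.3:a:example:old_widget:1.0:*:*:*:*:*:*:*",
             "deprecated": True,
             "deprecatedBy": [{"cpeName": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}},
]

CPE23_PREFIX = "cpe:2.3:"
PART_VALUES = {"a", "h", "o", "*", "-"}   # application, hardware, OS, ANY, NA


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attribute components,
    honouring backslash-escaped colons. Raises ValueError if malformed."""
    if not cpe.startswith(CPE23_PREFIX):
        raise ValueError("not a CPE 2.3 formatted string")
    fields = re.split(r"(?<!\\):", cpe[len(CPE23_PREFIX):])
    if len(fields) != 11:
        raise ValueError(f"expected 11 components after prefix, got {len(fields)}")
    if fields[0] not in PART_VALUES:
        raise ValueError(f"unknown part value {fields[0]!r}")
    return fields


def check_cpe(cpe, nvd_products):
    """Classify a CPE against an NVD CPE dictionary response.
    Returns (status, replacements) where status is one of
    'malformed' (syntax error, likely a typo), 'unknown' (no NVD entry),
    'deprecated' (replacements list the deprecatedBy CPEs) or 'valid'."""
    try:
        split_cpe23(cpe)
    except ValueError:
        return "malformed", []
    index = {p["cpe"]["cpeName"]: p["cpe"] for p in nvd_products}
    entry = index.get(cpe)
    if entry is None:
        return "unknown", []
    if entry.get("deprecated"):
        return "deprecated", [d["cpeName"] for d in entry.get("deprecatedBy", [])]
    return "valid", []


if __name__ == "__main__":
    for c in ("cpe:2.3:a:example:old_widget:1.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:example:wdget:1.0:*:*:*:*:*:*:*"):
        print(c, "->", check_cpe(c, SAMPLE_NVD_PRODUCTS))
```

An "unknown" result is only a hint, as the first reply notes: a CPE with no NVD entry yet can still be correct, so the report should prompt a review rather than reject the component.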