Is your feature request related to a problem? Please describe.
During development of VEX CSAF support, it was left open to investigate whether artifacts can be used alongside PURLs.
Describe the solution you'd like
Make a clear case with test data if we need to support artifacts in this case and implement it.
Additional context
Spec remark found by @pxp928: [product_id] and [subcomponent_id] MAY be URIs, URLs, hashes, commit IDs, versions, version ranges, dates, date ranges, or any other identification system.
One potential caveat from @lumjjb: Only caveat is CertifyVuln doesn't apply to artifacts, because it's meant to be part of the dependents (e.g. if on log4j, the CertifyVuln node points on log4j). I think there is a notion of VulnReport that we used to have which we removed. Maybe that's a separate discussion point to have.
I feel like we should be able to satisfy the case through traversal, of course subject to being able to distinguish what we're looking for, like in #594. Looking forward to seeing some VEX statements!