
[feature] Investigate if artifacts can/should be used in VEX files #1016

Open · dejanb opened this issue Jul 4, 2023 · 1 comment
Labels: enhancement (New feature or request)

Comments

@dejanb (Contributor) commented Jul 4, 2023

Is your feature request related to a problem? Please describe.
During development of VEX CSAF support, it was left open to investigate whether artifacts can be used alongside PURLs.

Describe the solution you'd like
Make a clear case, with test data, for whether we need to support artifacts in this case, and implement it.

Additional context
Spec remark found by @pxp928:
[product_id] and [subcomponent_id] MAY be URIs, URLs, hashes, commit IDs, versions, version ranges, dates, date ranges, or any other identification system.

One potential caveat from @lumjjb:
Only caveat is CertifyVuln doesn't apply to artifacts, because it's meant to be part of the dependents (e.g. if on log4j, the CertifyVuln node points on log4j). I think there is a notion of VulnReport that we used to have which we removed. Maybe that's a separate discussion point to have.
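
As an added example (not code from the GUAC project or from this issue's authors), the Go program below shows what "artifacts alongside PURLs" looks like on the CSAF side: a product in the product_tree whose product_identification_helper carries both a purl and a file hash, as the CSAF 2.0 schema allows, and a consumer that resolves each product_id to those identifiers and answers a status lookup by either one. The CSAF field names are from the CSAF 2.0 schema; the sample document, its sha256 value (a placeholder, not a real digest) and the type and function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed CSAF 2.0 VEX sample (not from any vendor): the product carries both a
// PURL and a file hash in product_identification_helper; the sha256 is a placeholder.
const sampleVEX = `{
  "document": {"category": "csaf_vex", "title": "constructed example"},
  "product_tree": {"branches": [{"category": "product_name", "name": "log4j-core",
    "product": {"name": "log4j-core 2.14.1", "product_id": "CSAFPID-0001",
      "product_identification_helper": {
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
        "hashes": [{"filename": "log4j-core-2.14.1.jar", "file_hashes": [{"algorithm": "SHA256",
          "value": "0000000000000000000000000000000000000000000000000000000000000001"}]}]}}}]},
  "vulnerabilities": [{"cve": "CVE-2021-44228",
    "product_status": {"known_affected": ["CSAFPID-0001"]}}]
}`

// Minimal view of the CSAF schema. encoding/json matches field names
// case-insensitively, so tags are only needed where the JSON key has underscores.
type fileHash struct{ Algorithm, Value string }
type hashEntry struct{ FileHashes []fileHash `json:"file_hashes"` }
type idHelper struct{ PURL string; Hashes []hashEntry }
type fullProductName struct {
	ProductID string    `json:"product_id"`
	Helper    *idHelper `json:"product_identification_helper"`
}
type branch struct{ Product *fullProductName; Branches []branch }
type csafDoc struct {
	ProductTree     struct{ Branches []branch } `json:"product_tree"`
	Vulnerabilities []struct {
		CVE           string
		ProductStatus map[string][]string `json:"product_status"`
	}
}

// Identifiers is what a CSAF product_id resolves to: a package identity (PURL)
// plus artifact digests normalised to "alg:hex", so a consumer can match either.
type Identifiers struct{ PURL string; Digests map[string]bool }

// walk collects identifiers for every product in the (possibly nested) branch tree.
func walk(bs []branch, out map[string]Identifiers) {
	for _, b := range bs {
		if p := b.Product; p != nil && p.Helper != nil {
			ids := Identifiers{PURL: p.Helper.PURL, Digests: map[string]bool{}}
			for _, h := range p.Helper.Hashes {
				for _, fh := range h.FileHashes {
					ids.Digests[strings.ToLower(fh.Algorithm+":"+fh.Value)] = true
				}
			}
			out[p.ProductID] = ids
		}
		walk(b.Branches, out)
	}
}

// Statement is one VEX assertion keyed by identifiers instead of by CSAF product_id.
type Statement struct{ CVE, Status string; Identifiers }

// Flatten resolves every product_status entry to its PURL/digest identifiers.
// CSAF requires the status groups of one vulnerability to be disjoint, so
// map iteration order does not change what a consumer will see for a product.
func Flatten(raw []byte) ([]Statement, error) {
	var doc csafDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	products := map[string]Identifiers{}
	walk(doc.ProductTree.Branches, products)
	var out []Statement
	for _, v := range doc.Vulnerabilities {
		for status, pids := range v.ProductStatus {
			for _, pid := range pids {
				ids, ok := products[pid]
				if !ok {
					return nil, fmt.Errorf("%s: product_id %q has no resolvable identifiers", v.CVE, pid)
				}
				out = append(out, Statement{CVE: v.CVE, Status: status, Identifiers: ids})
			}
		}
	}
	return out, nil
}

// StatusFor returns the VEX status of cve for something the consumer holds,
// selected by PURL or by "alg:hex" digest (either selector may be empty).
func StatusFor(stmts []Statement, cve, purl, digest string) (string, bool) {
	digest = strings.ToLower(digest)
	for _, s := range stmts {
		if s.CVE != cve {
			continue
		}
		if (purl != "" && s.PURL == purl) || (digest != "" && s.Digests[digest]) {
			return s.Status, true
		}
	}
	return "", false
}
```

Flatten on the sample yields one statement (CVE-2021-44228, known_affected) that StatusFor can match either by the PURL or by the sha256 digest, which is the case a consumer holding only an artifact digest needs; a product_id that appears in product_status but has no resolvable product_tree entry is reported as an error rather than silently dropped.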

@lumjjb (Contributor) commented Jul 5, 2023

I feel like we should be able to satisfy the case through traversal, subject of course to being able to distinguish what we're looking for, as in #594. Looking forward to seeing some VEX statements!
