From 6ff3ddf670d367e0bb94ac1ecbc16a7b84c44da3 Mon Sep 17 00:00:00 2001 From: Hayley Denbraver Date: Sun, 5 Nov 2023 14:54:29 -0800 Subject: [PATCH] Update gcp/appengine/blog/content/posts/introducing-broad-c-c++-support/index.md --- .../blog/content/posts/introducing-broad-c-c++-support/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gcp/appengine/blog/content/posts/introducing-broad-c-c++-support/index.md b/gcp/appengine/blog/content/posts/introducing-broad-c-c++-support/index.md index 5dc38fea30e..ab46b599813 100644 --- a/gcp/appengine/blog/content/posts/introducing-broad-c-c++-support/index.md +++ b/gcp/appengine/blog/content/posts/introducing-broad-c-c++-support/index.md 
@@ -54,7 +54,7 @@ Fortunately both cpp-httplib and ffmpeg have fixes for these vulnerabilities and Vendored dependencies are included in a project by simply copying the code into the repository. Git commit information is not retained, so we need another way to determine whether a vulnerability is present. In these cases, OSV-Scanner uses the [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency’s version (and associated commit), and match it to any known vulnerabilities. -When we [released the API](https://osv.dev/blog/posts/using-the-determineversion-api/) in July, its use was limited to vulnerabilities found by [OSS-Fuzz](https://google.github.io/oss-fuzz/). Not all C/C++ projects are part of OSS-Fuzz, nor are all vulnerabilities for a given dependency found by OSS-Fuzz, so users could not find all the vulnerabilities associated with their project. With the addition of the commit level vulnerability data from the NVD, this gap has been significantly narrowed. **The determineversion API, and the associated OSV-Scanner functionality, can now be used for the majority of vendored C/C++ dependencies.** +When we [released the API](https://osv.dev/blog/posts/using-the-determineversion-api/) in July, its use was limited to vulnerabilities found by [OSS-Fuzz](https://google.github.io/oss-fuzz/). Not all C/C++ projects are part of OSS-Fuzz, nor are all vulnerabilities for a given dependency found by OSS-Fuzz, so users may not find all the vulnerabilities associated with their project. With the addition of the commit level vulnerability data from the NVD, this gap has been significantly narrowed. **The determineversion API, and the associated OSV-Scanner functionality, can now be used for the majority of vendored C/C++ dependencies.** Let’s consider the [OpenCV](https://github.com/opencv/opencv) project, which uses vendored dependencies. 
Working from commit `e9e6b1e22c1a966a81aca1217b16a51fe7311b3b`, OSV-Scanner is able to find a number of vulnerabilities from the vendored dependencies including:
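Review bot: The one-word change in this hunk ("could not find" to "may not find") mixes tenses: the sentence is about the state at the July release ("its use was limited"), and "may not" reads as a present-day hedge, which sits awkwardly before the next sentence stating that the gap "has been significantly narrowed". If the aim is to soften the original, the past-tense form is "might not have found all the vulnerabilities"; if the aim is to describe the current state, the softening belongs in the final bold sentence rather than here. While touching this paragraph, "commit level vulnerability data" should be hyphenated as "commit-level vulnerability data".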