daniel:// stenberg://
@bagder@mastodon.social  ·  activity timestamp 4 weeks ago

The other day @gregkh and I shot down a draft proposal to add a new role in the CVE ecosystem (SADP: "supplier ADP") that would append data to CVEs with details about dependencies and how they are or are not vulnerable to each particular CVE.

Imagine the amount of dependencies that use curl or the Linux kernel etc. These sweet innocent proposal makers thought in terms of 5-10 dependencies per CVE. Not tens or hundreds of thousands, which is far from unthinkable.

Jacques Chester
@jacques@mastodon.chester.id.au replied  ·  activity timestamp 4 weeks ago
@bagder @gregkh isn't this what VEX is meant for?
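Added worked example (editor's illustration, not code from the thread or from any participant): the VEX model the reply refers to, seen from the consuming side. The supplier of a product publishes statements keyed by (vulnerability, product), and a consumer applies them to its scanner's findings; nothing is appended to the CVE record itself, which is the scaling concern in the original post. The document shape follows OpenVEX v0.2.0; the package URLs, the CVE identifiers (placeholders of the form CVE-0000-000N) and the findings are all constructed sample data, and the "last statement wins" rule is a simplification of the spec's timestamp-based precedence.

```python
"""Apply an OpenVEX document to vulnerability-scanner findings.

Added illustration; constructed sample data with placeholder CVE ids.
"""
import json

# Constructed sample VEX document, as the *supplier* of a product would publish it.
# One statement per (vulnerability, product) that the supplier ships.
SAMPLE_VEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/example-app-2024-01",
  "author": "Example App Security Team (constructed)",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-0000-0001"},
      "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {"name": "CVE-0000-0002"},
      "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
      "status": "affected",
      "action_statement": "Upgrade to example-app 1.0.1"
    }
  ]
}
""")

# Constructed scanner findings: SBOM components matched against vulnerability data.
SAMPLE_FINDINGS = [
    {"product": "pkg:generic/example-app@1.0.0",
     "component": "pkg:generic/libfoo@2.3.4", "cve": "CVE-0000-0001"},
    {"product": "pkg:generic/example-app@1.0.0",
     "component": "pkg:generic/libbar@0.9.0", "cve": "CVE-0000-0002"},
    {"product": "pkg:generic/example-app@1.0.0",
     "component": "pkg:generic/libbaz@1.1.0", "cve": "CVE-0000-0003"},
]

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def index_vex(vex):
    """Map (cve, product purl) -> statement.

    Simplification (assumption): a later statement in the document overrides an
    earlier one for the same key; the spec resolves precedence by timestamp.
    Statements that violate the spec's minimum requirements are rejected rather
    than silently trusted.
    """
    table = {}
    for stmt in vex.get("statements", []):
        status = stmt.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"invalid VEX status: {status!r}")
        if status == "not_affected" and not (
            stmt.get("justification") or stmt.get("impact_statement")
        ):
            raise ValueError("not_affected requires a justification or impact_statement")
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            table[(cve, product["@id"])] = stmt
    return table


def apply_vex(findings, vex):
    """Annotate each finding with the supplier's VEX status.

    A finding with no matching statement is marked 'unknown': absence of a
    statement is not a not_affected claim and still needs triage.
    """
    table = index_vex(vex)
    annotated = []
    for finding in findings:
        stmt = table.get((finding["cve"], finding["product"]))
        annotated.append({
            **finding,
            "vex_status": stmt["status"] if stmt else "unknown",
            "justification": stmt.get("justification") if stmt else None,
        })
    return annotated


def actionable(findings, vex):
    """Findings that still need attention: everything except not_affected and fixed."""
    return [f for f in apply_vex(findings, vex)
            if f["vex_status"] not in ("not_affected", "fixed")]


if __name__ == "__main__":
    for f in actionable(SAMPLE_FINDINGS, SAMPLE_VEX):
        print(f["cve"], f["component"], f["vex_status"])
```

The point of the `unknown` status is that a VEX document only silences what it explicitly says is not affected; a missing statement leaves the finding in the queue, which is also why the paper linked further down the thread found that maintainers wanted VEX to be continuously updated rather than attached once.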
Matt "msw" Wilson
@msw@mstdn.social replied  ·  activity timestamp 2 weeks ago

@jacques @bagder @gregkh

ICYMI, here's a paper that was trying to answer this research question in the context of #OpenSource #Java projects on GitHub: "What do open-source maintainers think about integrating #VEX into their existing SBOMs?"

TL;DR: "In most cases, our augmented SBOMs were not directly accepted because developers required a continuous SBOM update."

https://dl.acm.org/doi/pdf/10.1145/3696630.3728513

#SBOM #CVE #InfoSec

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances
Bonfire social · 1.0.0-rc.3.1 no JS en
Automatic federation enabled
  • Explore
  • About
  • Members
  • Code of Conduct
Home
Login