Right, forging CVEs may be a serious problem, thanks for bringing this up.
> On 15. Mar 2022, at 13:41, Romain Manni-Bucau wrote:
>
> Hi,
>
> I got a lot of false positives too but wonder why CPE coordinates are not
> able to use the gavtc coordinates; it sounds easy to do instead of using a
>
Hi,
I got a lot of false positives too but wonder why CPE coordinates are not
able to use the gavtc coordinates; it sounds easy to do instead of using a
bucket for all artifacts.
I don't think artifacts should be able to give their own id since it would
make it possible to bypass identified CVEs or "steal CV
Thanks for your fast reply, Brian!
If I'm not mistaken, from a CPE's perspective each published artifact is its own
"product", no matter whether it's being built as part of a bigger project.
Furthermore, the CPEs don't get derived from Maven GAV (and I would not
force-derive anything if the va
Hi Sebastian,
The challenge is that CPE as a coordinate system doesn’t have enough
specificity to match artifacts. It has organization/product/version and
therefore doesn’t have the ability to capture sub-modules. This is what
leads to most of the mismatch issues seen in CVE based tools (but not al
Hi,
I'm new to this mailing list and this might not be the appropriate place to
discuss ideas to extend the pom format, so please redirect me to the right
place ;-)
We've recently had a lot of struggles with both false positives and false
negatives with a vulnerability scanner, as there is no