Description
Per comment #91 (comment)
In general I like this, but it seems like it has bit of a vulnerability centric view versus a vulnerability in context of an assembled >piece of software view. An example to demonstrate.
I'm shipping ACME Widget Studio. CVE-EverythingIsOnFire, which affects component C, is published. Some segments of my dependency graph are as follows (X is ACME Widget Studio, * indicates a potentially exploitable component)...
X* -> A* -> B* -> C*
X -> D -> B* -> C*
X -> E -> C*
X* -> C*
The context of the CVE is quite different for each of those dependency graph segments.I might not be groking this right. But I'm not sure how I would represent these different scenarios in the same BOM.
2 and 3 aren't exploitable, for different reasons, which I want to communicate.
1 and 4 are potentially exploitable, depending.
Do I include the same vulnerability multiple times for each?
Also, maybe, "affects" should be changed to "appliesTo"?
AND
#91 (comment)
#91 (comment)
One possible solution is to support SARIF