What would you like to be added:
With the addition of anchore/syft#887, syft is now able to provide sha1 digests for java packages.
Grype should optionally (off by default) be able to use this data to query upstream java repository sources to enhance the fidelity of matching against vulnerability data that is based on Maven or other registry information.
Why is this needed:
Grype currently has a gap where, when trying to match off package name, it misses positive results for vulnerabilities stored by their upstream registry information (GHSA, MAVEN) rather than MANIFEST.MF naming conventions discovered at the time of SBOM generation.
Additional context:
See #704 for more context on this kind of miss-on-detection.
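One way the optional lookup described above could work, as an added illustration that is not Grype's or Syft's own code: take the sha1 digest Syft records for a jar, ask Maven Central's search API which coordinates carry that digest, and match on the returned groupId/artifactId/version instead of the MANIFEST.MF name. The search endpoint and its `q=1:"<sha1>"` digest query are the documented search.maven.org interface; the JSON below is a constructed sample response so the parsing runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// MavenCoordinate is the registry identity of a jar as Maven Central reports it.
// Matching on these fields is what lets GHSA/Maven-keyed advisories hit.
type MavenCoordinate struct {
	GroupID    string `json:"g"`
	ArtifactID string `json:"a"`
	Version    string `json:"v"`
}

// solrResponse mirrors the subset of the search.maven.org JSON body used here.
type solrResponse struct {
	Response struct {
		NumFound int               `json:"numFound"`
		Docs     []MavenCoordinate `json:"docs"`
	} `json:"response"`
}

// Sha1LookupURL builds the Maven Central search query for a jar's SHA-1 digest
// (the "1:" field is the digest field in the search.maven.org API).
func Sha1LookupURL(sha1 string) string {
	q := url.Values{}
	q.Set("q", fmt.Sprintf("1:%q", sha1)) // %q wraps the digest in double quotes
	q.Set("rows", "20")
	q.Set("wt", "json")
	return "https://search.maven.org/solrsearch/select?" + q.Encode()
}

// ParseSha1Lookup decodes a search response into coordinates. More than one
// artifact can share a digest (relocations, re-publishes), so every hit is
// returned; an empty slice means "unknown to Central, fall back to the manifest name".
func ParseSha1Lookup(body []byte) ([]MavenCoordinate, error) {
	var r solrResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	return r.Response.Docs, nil
}

// sampleBody is a constructed response for offline use, not a real Central reply.
const sampleBody = `{"response":{"numFound":1,"docs":[{"id":"org.example:demo:1.2.3","g":"org.example","a":"demo","v":"1.2.3","p":"jar"}]}}`

func main() {
	coords, _ := ParseSha1Lookup([]byte(sampleBody))
	fmt.Println(Sha1LookupURL("da39a3ee5e6b4b0d3255bfef95601890afd80709"), coords)
}
```

Because the lookup sends every jar digest to a third-party service, it belongs behind the off-by-default switch the request proposes.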