Just scan an SBOM, look for a direct dependency, click on the only edge and mark it as a false positive.
It will create a VEX rule like this in the database: [*, ROOT, pkg:golang/github.com/go-jose/v4...]
This is correct!
But it will be rendered on the client as this VEX rule: * > ROOT > pkg...
This looks strange and should be changed to: Your Application > pkg... (removing any * in front of ROOT and replacing ROOT with Your Application).
Besides that, the rule is not applied at all.
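As an added example, not code from this report or from the project, here is a Go sketch of how a stored rule like the one above could be rendered for display and applied to a concrete dependency path. The wildcard semantics (`*` matches zero or more path elements), the `RenderRule` and `Matches` names and the package URL are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Wildcard is the element stored in front of ROOT; assumed here to match
// any (possibly empty) run of dependency path elements.
const Wildcard = "*"

// RenderRule turns a stored rule such as ["*", "ROOT", "pkg:..."] into the
// display form requested above: leading wildcards are dropped and ROOT is
// shown as "Your Application".
func RenderRule(rule []string) string {
	i := 0
	for i < len(rule) && rule[i] == Wildcard {
		i++
	}
	parts := make([]string, 0, len(rule)-i)
	for _, el := range rule[i:] {
		if el == "ROOT" {
			el = "Your Application"
		}
		parts = append(parts, el)
	}
	return strings.Join(parts, " > ")
}

// Matches reports whether a concrete dependency path (ROOT first, vulnerable
// package last) is covered by a rule. A wildcard may absorb zero or more
// elements; every other element must match exactly.
func Matches(rule, path []string) bool {
	if len(rule) == 0 {
		return len(path) == 0
	}
	if rule[0] == Wildcard {
		for i := 0; i <= len(path); i++ {
			if Matches(rule[1:], path[i:]) {
				return true
			}
		}
		return false
	}
	return len(path) > 0 && rule[0] == path[0] && Matches(rule[1:], path[1:])
}

func main() {
	rule := []string{"*", "ROOT", "pkg:golang/example.com/lib@1.0.0"} // constructed
	fmt.Println(RenderRule(rule))
	fmt.Println(Matches(rule, []string{"ROOT", "pkg:golang/example.com/lib@1.0.0"}))
}
```

Note that a rule for the direct edge does not cover a transitive path through another package, which is the distinction the matcher has to preserve when the rule is applied.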