
discussion: behaviour for binary checkers with no CVEs associated #3646

Open
terriko opened this issue Dec 19, 2023 · 1 comment
Labels
discussion Discussion thread or meeting minutes that may not have any trivially fixable code issues associated

Comments

terriko commented Dec 19, 2023

I just closed #3633 from @ffontaine which would have removed a debianutils checker because it doesn't have any CVEs. On one hand, we're primarily a CVE scanner so it's kind of a waste of cycles to check for a product that doesn't have any CVEs associated with it. But I decided to keep it for two reasons:

  1. It could have CVEs later and we'd want it then.
  2. A number of users have told me that they're using cve-bin-tool to help with software composition analysis, so in that case they'd want to know that debianutils was there even if there are no CVEs associated.

Those of you who've been around this project a while know I have some mixed feelings about using cve-bin-tool for software composition analysis (that is, trying to guess what's in a binary blob), mostly because I don't think we're great at it. But the best tools I know of for this cost $$$ so I've gradually come to accept that maybe we're a useful tool for folk who don't have access to paid tooling. In the past year or so, we've started adding features to make it easier for us to do things like generate SBOM data.

But I'm wondering if we could limit the wasted cycles involved in keeping a checker that doesn't have security issues, so I'm opening this up for discussion: Does anyone have any brilliant ideas about the best way to do this?

To kick off brainstorming, here's some ideas that I don't love but might work:

  • provide a script that checks CPEs and outputs a config file disabling any checker that doesn't have CPEs associated
  • provide a default config file with these checkers disabled and a note explaining why
  • have a way to flag checkers as no-CVE checkers and run them only if someone is generating an sbom or explicitly asks for them

@terriko added the discussion label Dec 19, 2023

terriko commented Dec 20, 2023

From discussion on #3633

It is currently the case that most checkers with no CVEs detected also don't have valid CPE / vendor_product strings. We'll have to make sure any solution for #3628 can handle these appropriately.

That said, if we have some sort of consistent way to represent these such as "leave the vendor_product blank or set it to a specific tuple" then that would make it easier to skip these checkers during normal operation and have them run only when a special flag was set or something.
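The first idea from the opening comment (a script that checks CPEs and emits a config disabling checkers with none) combined with the point above about checkers whose vendor_product strings are blank or invalid, as an added Python sketch that is not cve-bin-tool's own code. It assumes a `[cve_bin_tool]` TOML section with a comma-separated `skips` option; the checker table and the set of CVE-bearing (vendor, product) pairs are constructed sample data standing in for the real checkers and database.

```python
"""Emit a cve-bin-tool config that skips checkers with no CVE-bearing CPEs."""

# Constructed checker table shaped like a checker's VENDOR_PRODUCT list;
# names and pairs are hypothetical sample data, not the project's real table.
CHECKERS = {
    "openssl": [("openssl", "openssl")],
    "zlib": [("zlib", "zlib"), ("gnu", "zlib")],
    "debianutils": [],                          # no vendor_product at all
    "blanklib": [("", "")],                     # placeholder tuple, unusable
    "quietlib": [("quietvendor", "quietlib")],  # valid CPE, zero CVEs
}

# Constructed stand-in for "(vendor, product) pairs with at least one CVE in
# the local database"; a real script would query the database instead.
CPES_WITH_CVES = {("openssl", "openssl"), ("zlib", "zlib")}


def classify(checkers, cpes_with_cves):
    """Map each checker name to 'cves', 'no-cves' or 'no-cpe'."""
    result = {}
    for name, pairs in checkers.items():
        valid = [(v, p) for v, p in pairs if v and p]
        if not valid:
            result[name] = "no-cpe"      # blank/missing vendor_product
        elif any(pair in cpes_with_cves for pair in valid):
            result[name] = "cves"
        else:
            result[name] = "no-cves"     # real CPE, nothing to match yet
    return result


def render_config(checkers, cpes_with_cves):
    """Build a TOML fragment; the [cve_bin_tool] section and the
    comma-separated `skips` key are assumptions about the config format."""
    status = classify(checkers, cpes_with_cves)
    skipped = sorted(n for n, s in status.items() if s != "cves")
    lines = ["[cve_bin_tool]",
             "# Generated: checkers below currently match no known CVEs.",
             "# Re-enable them (or drop this file) when generating an SBOM."]
    lines += [f"#   {n}: {status[n]}" for n in skipped]
    lines.append('skips = "' + ",".join(skipped) + '"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(CHECKERS, CPES_WITH_CVES), end="")
```

Regenerating the file after each database update keeps a checker such as debianutils skipped only until a CVE actually appears for it.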
