
Re: Notice of Pilot Activity in CVE Auto WG - Supporting NVD's Participation

So I just learned about grafeas (did a podcast with Chris Rosen as guest), anyways TL;DR: they are basically doing similar things with JSON including something that is very similar to the alias field I proposed:

Component Type   Identifier                                  Example
Debian           deb://dist(optional):arch:name:version      deb://lucid:i386:acl:2.2.49-2
Docker           https://Namespace/name@sha256:              https://gcr.io/scanning-customer/dockerimage@sha256:244fd47e07d1004f0aed9c156aa09083c82bf8944eceb67c946ff7430510a77b
Generic file     file://sha256::name                         file://sha256:244fd47e07d1004f0aed9c156aa09083c82bf8944eceb67c946ff7430510a77b:foo.jar
Maven            gav://group:artifact:version                gav://ant:ant:1.6.5
NPM              npm://package:version                       npm://mocha:2.4.5
NuGet            nuget://module:version                      nuget://log4net:9.0.1
Python           pip://package:version                       pip://raven:5.13.0
RPM              rpm://dist(optional):arch:name:version      rpm://el6:i386:ImageMagick:

So the above is similar in that you have a defined namespace and then some value. 

I'm going to reach out to them to see what we can do to coordinate/cooperate as they seem to have some good ideas, especially around consumption of the data in automated ways.

Kurt Seifried
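Added example, not part of the post and not Grafeas code: a small Python parser for the identifier formats in the table above, normalising each scheme into one record so that a scanner can compare "aliases" across ecosystems and reject malformed or unpinned references. The ComponentRef type and its field names are my own, and it assumes the digest in docker and generic-file references is always sha256.

```python
import re
from dataclasses import dataclass
from typing import Optional

SHA256_RE = re.compile(r"^sha256:([0-9a-f]{64})$")

@dataclass(frozen=True)
class ComponentRef:
    ecosystem: str
    name: str
    version: Optional[str] = None
    dist: Optional[str] = None     # deb/rpm distribution, optional in the format
    arch: Optional[str] = None     # deb/rpm architecture
    group: Optional[str] = None    # maven group id
    digest: Optional[str] = None   # hex sha256 for docker and generic-file refs

def _sha256_hex(tag: str) -> str:
    m = SHA256_RE.match(tag)
    if not m:
        raise ValueError(f"expected sha256:<64 hex chars>, got {tag!r}")
    return m.group(1)

def parse_component_ref(ref: str) -> ComponentRef:
    """Split a Grafeas-style component identifier into ecosystem and fields."""
    scheme, sep, rest = ref.partition("://")
    if not sep or not rest:
        raise ValueError(f"no scheme in {ref!r}")
    if scheme == "https":                  # docker: registry/name@sha256:<hex>
        name, _, tag = rest.partition("@")  # a missing digest fails the regex below
        return ComponentRef("docker", name, digest=_sha256_hex(tag))
    if scheme == "file":                   # file://sha256:<hex>:name
        algo, digest, name = rest.split(":", 2)
        return ComponentRef("file", name, digest=_sha256_hex(f"{algo}:{digest}"))
    if scheme in ("deb", "rpm"):           # dist(optional):arch:name:version
        parts = rest.split(":")
        if len(parts) == 3:                # dist omitted
            parts.insert(0, None)
        elif len(parts) > 4:               # epoch in version ("1:2.3"); only
            parts[3:] = [":".join(parts[3:])]   # unambiguous when dist is present
        dist, arch, name, version = parts  # wrong field count raises ValueError
        return ComponentRef(scheme, name, version or None, dist, arch)
    if scheme == "gav":                    # group:artifact:version
        group, name, version = rest.split(":")
        return ComponentRef("maven", name, version, group=group)
    if scheme in ("npm", "nuget", "pip"):  # name:version; rpartition keeps "@scope/x"
        name, _, version = rest.rpartition(":")
        if not name or not version:
            raise ValueError(f"bad {scheme} ref: {ref!r}")
        return ComponentRef(scheme, name, version)
    raise ValueError(f"unknown component scheme {scheme!r}")
```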

Page Last Updated or Reviewed: March 13, 2018