Hi Jan,

On Mon, 15 Apr 2024 at 14:20, von Loewenstein, Jan <jan.von.loewenst...@sap.com.invalid> wrote:
> Now I am wondering if you report Tomcat vulnerabilities under any pURL and
> which one that would be.
While it would certainly be possible to add a pURL to the NVD database, might I suggest a different way to use the pURLs of the components you bundle to retrieve vulnerability reports.

The CycloneDX specification allows the creation of an interconnected network of SBOMs, VDRs and VEXes. At Apache Logging Services we decided to publish together with each release:

* an SBOM file on Maven Central with a type `xml` and specifier `cyclonedx`. The SBOM itself is immutable, but it contains a URL to a mutable VDR file
* a VDR file that contains the vulnerabilities of **all** our artifacts.

If you happen to bundle `log4j-core` in your Docker image, you could:

* start with the pURL of the bundled library: pkg:maven/org.apache.logging.log4j/log4j-core@2.23.1?type=jar
* retrieve the SBOM from Maven Central[1],
* find the "reference" element of type "vulnerability-assertion",
* download the VDR file[2] and add all the vulnerabilities that affect that specific version to your VDR.

This seems like a lot of work, but I believe there will be tools in the future that will allow you to do it automatically. There is even a CycloneDX working group (project Koala)[3] whose purpose is to make SBOMs and VDRs more discoverable. See [4] for details on how to get involved.

Piotr

[1] https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.23.1/log4j-core-2.23.1-cyclonedx.xml
[2] https://logging.apache.org/cyclonedx/vdr.xml
[3] https://github.com/CycloneDX/transparency-exchange-api
[4] https://cyclonedx.org/about/participate/

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org
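The four steps in the message above (pURL, SBOM, vulnerability-assertion reference, VDR filtered to one version), as an added Python example that is neither the poster's nor Apache Logging Services' code. The SBOM and VDR are constructed inline with a hypothetical com.example:widget artifact and placeholder EXAMPLE-* identifiers so that it runs offline; in real use the SBOM comes from the Maven Central URL in [1] and the VDR from the URL found in the SBOM, both fetched over HTTPS. The `vers` range evaluator and the version ordering are this example's own simplifications, not a full Maven version comparator, and the rule that an explicit `<version>` entry wins over a `<range>` entry is this example's choice.

```python
"""Follow a CycloneDX SBOM to its VDR and select the entries that affect one bundled
component. Example code with constructed SBOM/VDR input (not Apache Logging Services')."""
import re
import xml.etree.ElementTree as ET

NS = {"b": "http://cyclonedx.org/schema/bom/1.5"}

# Constructed SBOM: the vulnerability-assertion reference is the link to the mutable VDR.
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata><component type="library">
    <purl>pkg:maven/com.example/widget@1.4.0?type=jar</purl>
    <externalReferences>
      <reference type="website"><url>https://example.com/widget</url></reference>
      <reference type="vulnerability-assertion"><url>https://example.com/cyclonedx/vdr.xml</url></reference>
    </externalReferences>
  </component></metadata>
</bom>"""

# Constructed VDR with placeholder ids. 0001: open range; 0002: explicit 1.4.0 marked
# unaffected inside an otherwise affected range; 0003: versioned bom-ref of another artifact.
SAMPLE_VDR = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"><vulnerabilities>
  <vulnerability><id>EXAMPLE-2024-0001</id><affects><target><ref>pkg:maven/com.example/widget</ref>
    <versions><version><range>vers:maven/&gt;=1.0.0|&lt;1.5.0</range><status>affected</status></version></versions>
  </target></affects></vulnerability>
  <vulnerability><id>EXAMPLE-2024-0002</id><affects><target><ref>pkg:maven/com.example/widget</ref>
    <versions><version><version>1.4.0</version><status>unaffected</status></version>
      <version><range>vers:maven/&gt;=1.0.0|&lt;=1.4.0</range><status>affected</status></version></versions>
  </target></affects></vulnerability>
  <vulnerability><id>EXAMPLE-2024-0003</id><affects><target><ref>pkg:maven/com.example/other@2.0.0</ref>
  </target></affects></vulnerability>
</vulnerabilities></bom>"""


def split_purl(purl):
    """'pkg:maven/g/a@1.2?type=jar' -> ('pkg:maven/g/a', '1.2'); qualifiers/subpath dropped."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, None)


def find_vdr_url(sbom_xml):
    """Step 3 of the message: the externalReferences entry of type vulnerability-assertion."""
    for ref in ET.fromstring(sbom_xml).iterfind(".//b:externalReferences/b:reference", NS):
        if ref.get("type") == "vulnerability-assertion":
            return ref.findtext("b:url", default="", namespaces=NS).strip() or None
    return None


def version_key(v):
    """Simplified ordering: numeric dotted parts, then text. Not full Maven version rules."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v.strip())]


def in_vers_range(version, vers):
    """Evaluate a 'vers:' range (package-url spec): '*' matches all; '='/'!=' are decided
    first; remaining bounds are sorted and paired into intervals (a leading '<'/'<=' is
    open at the bottom, a trailing '>'/'>=' open at the top)."""
    scheme, _, body = vers.strip().partition("/")
    if not scheme.startswith("vers:"):
        raise ValueError("not a vers range: %r" % vers)
    if body.strip() == "*":
        return True
    key = version_key(version)
    parts = [re.fullmatch(r"(>=|<=|!=|>|<|=)?(.+)", c.strip()) for c in body.split("|")]
    parsed = [(m.group(1) or "=", m.group(2)) for m in parts if m]
    for op, v in parsed:
        if op in ("=", "!=") and version_key(v) == key:
            return op == "="
    bounds = sorted(((version_key(v), op) for op, v in parsed if op not in ("=", "!=")), key=lambda b: b[0])
    lower = "open"   # first interval has no lower bound until one appears
    above = lambda: lower == "open" or (lower is not None and (key > lower[0] or (lower[1] and key == lower[0])))
    for k, op in bounds:
        if op in (">", ">="):
            lower = (k, op == ">=")
        else:        # '<' / '<=' closes the interval started by `lower`
            if above() and (key < k or (op == "<=" and key == k)):
                return True
            lower = None   # the next interval must begin with a lower bound
    return lower not in ("open", None) and above()


def target_affects(target, version):
    """Explicit <version> entries win over <range> entries (this example's rule); a target
    without <versions> means every version of the ref; a missing status is read as affected."""
    entries = list(target.iterfind("b:versions/b:version", NS))
    ranges = []
    for e in entries:
        status = e.findtext("b:status", default="affected", namespaces=NS).strip()
        exact, rng = e.findtext("b:version", namespaces=NS), e.findtext("b:range", namespaces=NS)
        if exact is not None and exact.strip() == version:
            return status == "affected"
        if rng is not None:
            ranges.append((rng, status))
    return not entries or any(s == "affected" and in_vers_range(version, r) for r, s in ranges)


def affected_vulnerabilities(vdr_xml, purl):
    """Step 4: VDR entries whose affects/target ref matches the pURL. Assumes the bom-ref is a
    pURL (true for the sample, not guaranteed in general); a versioned ref must match exactly."""
    name, version = split_purl(purl)
    hits = set()
    for vuln in ET.fromstring(vdr_xml).iterfind(".//b:vulnerabilities/b:vulnerability", NS):
        for target in vuln.iterfind("b:affects/b:target", NS):
            ref_name, ref_version = split_purl(target.findtext("b:ref", default="", namespaces=NS).strip())
            if ref_name == name and (ref_version == version if ref_version else target_affects(target, version)):
                hits.add(vuln.findtext("b:id", default="?", namespaces=NS).strip())
    return sorted(hits)


def vulnerabilities_for_purl(sbom_xml, purl, fetch):
    """Whole chain: SBOM -> vulnerability-assertion URL -> VDR -> matching entries.
    `fetch(url)` returns the VDR text; wrap an HTTPS client in real use, a dict lookup here."""
    url = find_vdr_url(sbom_xml)
    if url is None:
        raise ValueError("SBOM carries no vulnerability-assertion reference")
    return affected_vulnerabilities(fetch(url), purl)
```

Because the VDR is the mutable half of the pair, the lookup has to be repeated whenever you rebuild your own VDR rather than done once at image build time, and the `fetch` callable is where you pin HTTPS and any signature check you require. A production matcher would also have to cope with bom-refs that are not pURLs and with Maven's real version ordering (for example `1.4` vs `1.4.0`), which the simplified `version_key` here does not equate.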