Details
- Task
- Resolution: Unresolved
Description
At the moment, in the enrichment process we use weak links to look up the CVEs associated with a vulnerability, which involves searching the name and description for “CVE-*”-like strings. This data is typically explicitly referenced in the OVAL DB (and is usually strongly linked in the other data sources Clair uses), so Clair should be able to represent this relationship in a more concrete way. This reference data contains not only CVE-type references but also vendor-specific advisories (RHSAs in the case of Red Hat), and in the future we could be seeing GitHub security advisories. All this information would be useful.
Discussion on GH is here: https://github.com/quay/claircore/discussions/656
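The gap between the text-search weak link and an explicit reference list, shown as an added example that is not claircore code. The `Ref` and `Vuln` types and the function names are hypothetical, and every ID in the sample record is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Ref and Vuln are hypothetical, simplified types (not claircore's own).
type Ref struct{ Source, ID string }
type Vuln struct {
	Name, Description string
	Refs              []Ref // explicit references, as an OVAL <reference> element carries them
}

var cveRe = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)

// WeakLinks guesses related CVEs by scanning free text for CVE-like strings.
func WeakLinks(v Vuln) []string {
	return uniq(cveRe.FindAllString(v.Name+" "+v.Description, -1))
}

// StrongLinks returns every explicitly referenced ID, whatever its source.
func StrongLinks(v Vuln) []string {
	var ids []string
	for _, r := range v.Refs {
		ids = append(ids, r.ID)
	}
	return uniq(ids)
}

func uniq(ids []string) []string {
	sort.Strings(ids)
	var out []string
	for _, id := range ids {
		if len(out) == 0 || out[len(out)-1] != id {
			out = append(out, id)
		}
	}
	return out
}

// Sample is a constructed record; all IDs are made up for this example.
var Sample = Vuln{
	Name:        "RHSA-2099:0001: examplepkg security update",
	Description: "Unrelated to the flaw fixed earlier as CVE-2099-0003.",
	Refs:        []Ref{{"RHSA", "RHSA-2099:0001"}, {"CVE", "CVE-2099-0001"}, {"CVE", "CVE-2099-0002"}},
}

func main() { fmt.Println("weak:", WeakLinks(Sample), "strong:", StrongLinks(Sample)) }
```

On this record the text search returns only a CVE that the description mentions in passing, while the explicit references yield both fixed CVEs and the vendor advisory.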
Issue Links
- blocks
  - CLAIRDEV-38 Add enrichment support to sqlite datastore implementation (Refinement)
- is related to
  - CLAIRDEV-34 Show all Vulnerability aliases (Refinement)