ClairCore can search Maven for packages to obtain the groupID, artifactID, and version. We disable this to reduce network activity, but it means we may miss vulnerabilities: a sparse MANIFEST.MF file often carries no groupID, so without the search the coordinates can be incomplete.
We should consider allowing this network traffic and/or making it configurable.
Another option is to add the search results to a bundle. See https://github.com/aquasecurity/trivy-java-db for inspiration.
Relates to: CLAIRDEV-93 java: central search can be load-bearing (To Do)