Why?
Many Linux distributions (debian/alpine/mariner) publish CVE data against source package names only, so this is required for users to CVE check against the output of component-detection.
Note: Syft doesn't always provide the source package name (it doesn't appear to provide this for ubuntu packages when the source and binary package names are the same).
The package name does not always line up 100% with the upstream or source name. For example, some Linux distributions suffix the major version to differentiate, e.g. python2 and python3. These should both be mapped back to python.
Initial code updates were introduced in these PRs: #88 #126
But they need to be revisited after becoming stale and having a large number of conflicts.
We will reintroduce a PR to resolve this issue once there is enough priority.
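The mapping the issue describes, as an added example (not component-detection's own code and not Syft's): prefer the source package name when the scanner reports one, and otherwise strip a trailing major-version suffix from the binary name, but only when the stripped base is a known source package, so that python3 maps to python while bzip2 stays bzip2. The `Package` record, the `KNOWN_SOURCE_PACKAGES` set and the sample SBOM entries are constructed stand-ins for a Syft-style package entry and a distro package index.

```python
"""Resolve binary package names to the source package names used by distro CVE feeds.

Added example. Assumptions: `Package` is a simplified, constructed stand-in for a
Syft-style package entry (name, version, distro, optional source name) and
KNOWN_SOURCE_PACKAGES is a constructed stand-in for a distro's package index.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed: a handful of source package names a distro CVE feed might key on.
# A real implementation would load these from the distro's package index.
KNOWN_SOURCE_PACKAGES = {"python", "bzip2", "openssl", "curl", "gcc"}

# A name that ends in digits preceded by at least one non-digit character,
# e.g. "python3" -> base "python", major "3".
_VERSION_SUFFIX = re.compile(r"^(?P<base>[a-z][a-z0-9+.-]*?[a-z+.-])(?P<major>\d+)$")


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    distro: str
    source_name: Optional[str] = None  # None when the scanner omits it (see the Ubuntu note)


def strip_version_suffix(name: str) -> str:
    """Map 'python3' -> 'python' only when the stripped base is a known source name.

    Unconditionally stripping trailing digits would turn 'bzip2' into 'bzip' and
    'libssl3' into 'libssl', neither of which is a source package, so the base is
    confirmed against the known set before the suffix is dropped.
    """
    m = _VERSION_SUFFIX.match(name)
    if not m:
        return name
    base = m.group("base")
    return base if base in KNOWN_SOURCE_PACKAGES else name


def source_package_name(pkg: Package) -> str:
    """Return the name to use when looking this package up in source-keyed CVE data.

    1. Prefer the source name the scanner reported.
    2. Otherwise fall back to the binary name, minus a known version suffix.
    """
    if pkg.source_name:
        return strip_version_suffix(pkg.source_name)
    return strip_version_suffix(pkg.name)


def group_by_source(packages: Iterable[Package]) -> Dict[str, List[str]]:
    """Group binary package names under the source name a CVE feed would use."""
    groups: Dict[str, List[str]] = {}
    for pkg in packages:
        groups.setdefault(source_package_name(pkg), []).append(pkg.name)
    return groups


# Constructed sample SBOM entries (versions and distros are illustrative only).
SAMPLE_PACKAGES = [
    Package("python3", "3.11", "debian"),                       # no source name reported
    Package("python2", "2.7", "debian"),                        # same source as python3
    Package("bzip2", "1.0.8", "alpine"),                        # digit is part of the name
    Package("libssl3", "3.0", "ubuntu", source_name="openssl"), # scanner reported the source
    Package("curl", "7.88", "ubuntu"),                          # source == binary, so omitted
]

if __name__ == "__main__":
    for source, binaries in sorted(group_by_source(SAMPLE_PACKAGES).items()):
        print(f"{source}: {', '.join(binaries)}")
```

The regex deliberately leaves names such as `python3.11` or `gcc-12` untouched, because the character before the digits is not a letter-like base that appears in the known set; those cases need an explicit alias table rather than a suffix heuristic.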