On Wed, 13 May 2015 18:53:43 +0530, Soumya Vardhan Singh <
soumyavar...@gmail.com> wrote:
> I extracted the code that returns the data from individual pom files
> regarding library names, versions and group IDs. The problem that I
> have now is how to match library names and group IDs in this data
> with library names and vendor names used for creating CPE IDs by NVD.
> Is there a particular section in the code that solves this problem?
I once suggested that we should just use CPE IDs which are generated
from the Maven coordinates. They would be easy to derive automatically,
and if enough vendors pick up on this habit it would greatly improve
the possibilities to report library problems via CVEs.
However, all the people I suggested it to did not think it was a good idea,
so there is no way to map Maven coordinates to CPEs. There are some
databases out there which might be able to map fingerprints to CVEs,
but generally speaking there is no good source/database for that. Java
vendors, especially Open Source ones, do not match very well with CVEs (the
best sources I have come across are the manually maintained alerts of the big
Linux vendors).
Regards
Bernd
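As an added illustration of the two approaches discussed in this thread (a manually maintained coordinate-to-CPE table, and Bernd's proposal of deriving a CPE directly from the Maven coordinates), here is example code that is not from the thread or from any project discussed in it. It reads the dependencies out of a pom.xml and emits CPE 2.3 formatted strings. The pom.xml, the mapping table and the "vendor = groupId, product = artifactId" convention are all constructed assumptions for the example; NVD publishes no such mapping, which is exactly the gap the reply describes.

```python
"""
Added example (not from the thread or from any project discussed in it):
derive CPE 2.3 formatted strings from Maven coordinates found in a pom.xml,
first via a small manually maintained groupId/artifactId -> vendor/product
table, then via the coordinate-derived convention proposed in the reply.
Assumptions: the mapping table below is constructed sample data, not an NVD
source; "vendor = groupId, product = artifactId" is a hypothetical convention.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml; the coordinates are illustrative only.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.1</version>
    </dependency>
    <dependency>
      <groupId>com.acme.widgets</groupId>
      <artifactId>widget-core</artifactId>
      <version>2.3.0-SNAPSHOT</version>
    </dependency>
  </dependencies>
</project>
"""

# Manually maintained mapping (constructed sample): Maven group/artifact
# -> CPE vendor/product. This curated table is what a scanner has to keep
# by hand, because no authoritative mapping exists.
MANUAL_MAP = {
    ("org.apache.commons", "commons-collections4"): ("apache", "commons_collections"),
}


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) tuples for every <dependency>."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        fields = []
        for tag in ("groupId", "artifactId", "version"):
            node = dep.find(POM_NS + tag)
            fields.append(node.text.strip() if node is not None and node.text else None)
        deps.append(tuple(fields))
    return deps


def cpe_escape(value):
    """Escape one attribute value for the CPE 2.3 formatted-string binding.
    Alphanumerics, '_' and '.' pass through; every other character is
    backslash-quoted, so a literal '-' in a name stays distinct from the
    logical NA value '-' and a ':' cannot shift the field layout."""
    value = value.lower()
    return re.sub(r"[^a-z0-9_.]", lambda m: "\\" + m.group(0), value)


def cpe23(vendor, product, version):
    """Build a CPE 2.3 application string; unset fields are ANY ('*')."""
    fields = ["cpe:2.3", "a", cpe_escape(vendor), cpe_escape(product),
              cpe_escape(version) if version else "*"] + ["*"] * 7
    return ":".join(fields)


def cpe_for_coordinates(group_id, artifact_id, version):
    """The manual mapping wins; otherwise derive vendor/product from the
    coordinates (the hypothetical convention from the reply)."""
    vendor, product = MANUAL_MAP.get((group_id, artifact_id), (group_id, artifact_id))
    return cpe23(vendor, product, version)


def cpes_from_pom(pom_xml):
    """One CPE 2.3 string per dependency declared in the POM."""
    return [cpe_for_coordinates(g, a, v) for g, a, v in parse_dependencies(pom_xml)]


if __name__ == "__main__":
    for cpe in cpes_from_pom(SAMPLE_POM):
        print(cpe)
```

The escaping step matters more than it looks: artifact IDs and versions routinely contain hyphens, and an unescaped `-` in a CPE field is the logical "not applicable" value rather than a literal character, so a naive string concatenation produces CPEs that silently match the wrong thing. Whatever CPEs such a scanner emits, the coordinate-derived ones should be treated as candidates to confirm against curated data, not as NVD identifiers.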