I was thinking about why we have SBOMs and took it to the next level. Users use SBOMs in order to know the entire stack of software they are running. This allows them to know whether the products that they use are subject to known vulnerabilities. But in order to take advantage of this, they need to monitor CVE activity and manually scan their products' SBOMs every time a CVE is announced.
Is there any thought given to automating this process? Perhaps users could register their list of products on a service such that any time any of their products had a CVE they would receive a specific notice of that CVE? This is out of scope for Tooling. Anyone know if such a service exists out in the wild?

Craig

Craig L Russell
c...@apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tooling.apache.org
For additional commands, e-mail: dev-h...@tooling.apache.org
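The matching step such a service would have to automate, as an added example that is not part of Craig's mail and not Apache Tooling code: parse the purls out of a CycloneDX SBOM, index an advisory feed by package, and report every component whose version falls inside an affected range, then suppress anything already reported so a feed refresh only produces new notices. The SBOM, the feed, and the advisory identifiers (EXAMPLE-…) are constructed for this example; the feed shape is OSV-like but assumed, and the version comparator is a dotted-numeric simplification that real ecosystems (Maven qualifiers, npm pre-releases) would need to replace.

```python
"""Match a CycloneDX SBOM against a vulnerability feed and emit one notice per
affected component. Constructed example; not Apache Tooling code."""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5 SBOM: two Maven components and one npm component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:maven/org.example/example-parser@2.3.1"},
        {"type": "library", "name": "example-http", "version": "4.0.0",
         "purl": "pkg:maven/org.example/example-http@4.0.0"},
        {"type": "library", "name": "left-pad-ish", "version": "1.9.0",
         "purl": "pkg:npm/left-pad-ish@1.9.0"},
    ],
})

# Constructed advisory feed in an assumed OSV-like shape. The identifiers are
# placeholders, not real CVEs. "package" is the purl without a version and
# each range is the half-open interval [introduced, fixed).
SAMPLE_FEED = [
    {"id": "EXAMPLE-2024-0001",
     "affected": [{"package": "pkg:maven/org.example/example-parser",
                   "ranges": [{"introduced": "2.0.0", "fixed": "2.3.2"}]}]},
    {"id": "EXAMPLE-2024-0002",
     "affected": [{"package": "pkg:maven/org.example/example-http",
                   "ranges": [{"introduced": "3.0.0", "fixed": "4.0.0"}]}]},
    {"id": "EXAMPLE-2024-0003",
     "affected": [{"package": "pkg:npm/left-pad-ish",
                   "ranges": [{"introduced": "0", "fixed": "1.9.1"}]}]},
]


def split_purl(purl):
    """Return (package, version): the purl with version, qualifiers and
    subpath stripped, plus the decoded version (None if absent)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    _, _, rest = base.partition("/")          # drop "pkg:<type>" before checking for "@"
    if "@" in rest:
        pkg, ver = base.rsplit("@", 1)
        return pkg, unquote(ver)
    return base, None


def version_key(v):
    """Comparable key for dotted versions. Assumption: numeric segments compare
    numerically, anything else lexically; ecosystem-specific rules are not modelled."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def in_range(version, rng):
    """True when introduced <= version < fixed (no 'fixed' means still open)."""
    k = version_key(version)
    if k < version_key(rng.get("introduced", "0")):
        return False
    fixed = rng.get("fixed")
    return fixed is None or k < version_key(fixed)


def match_sbom(sbom_json, feed):
    """Return a sorted list of (advisory_id, purl) for every SBOM component whose
    version lies inside an affected range of the feed."""
    index = {}
    for adv in feed:
        for aff in adv["affected"]:
            index.setdefault(aff["package"], []).append((adv["id"], aff["ranges"]))
    hits = set()
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue                              # nothing to key on without a purl
        pkg, ver = split_purl(purl)
        ver = ver or comp.get("version")
        if ver is None:
            continue
        for adv_id, ranges in index.get(pkg, []):
            if any(in_range(ver, r) for r in ranges):
                hits.add((adv_id, purl))
    return sorted(hits)


def new_notices(matches, seen):
    """Return only matches not already in `seen` and record them there, so each
    feed refresh yields the per-product notice the mail asks for, not a full rescan."""
    fresh = [m for m in matches if m not in seen]
    seen.update(fresh)
    return fresh


if __name__ == "__main__":
    seen = set()
    for adv_id, purl in new_notices(match_sbom(SAMPLE_SBOM, SAMPLE_FEED), seen):
        print(f"NOTICE {adv_id}: {purl}")
    # A second run against an unchanged feed reports nothing new.
    print("new on rerun:", new_notices(match_sbom(SAMPLE_SBOM, SAMPLE_FEED), seen))
```

Note that example-http 4.0.0 is not reported: its range is half-open and 4.0.0 is the fixed version, which is exactly the boundary a naive "greater than or equal" check gets wrong. The `seen` set stands in for the registration state a hosted service would keep per user; persisting it keyed by (advisory, purl) is what turns a rescan into a notification.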