And just to add to that:
> 3. To find if a vulnerability in an application is **exploitable** is an
> even harder problem. IMHO, the appropriate tool for that is a
> Vulnerability Exploitability eXchange (VEX)[6] and it should also be
> handled by the community. I wrote a small example[7] on how this kin
I've used the OWASP dependency check Maven plugin:
https://owasp.org/www-project-dependency-check/
Is this the kind of checks we're talking about?
Gary
On Thu, Mar 20, 2025, 06:16 Piotr P. Karwasz wrote:
> Hi Craig,
>
> On 19.03.2025 21:11, Craig Russell wrote:
> > Users use SBOMs in order to
Hi Craig,
On 19.03.2025 21:11, Craig Russell wrote:
> Users use SBOMs in order to know the entire stack of software they are running.
> This allows them to know whether the products that they use are subject to
> known vulnerabilities. But in order to take advantage of this, they need to
> monitor CV
VEX files are what may be used to report vulnerabilities. It’s somewhat
orthogonal to a release’s SBOM,
Piotr, VP, ECMA and Arnout from Security are discussing this topic. ATR will
make recommendations as Security policies evolve.
Best,
Dave
> On Mar 19, 2025, at 1:27 PM, Dominik Psenner wrot
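As an added illustration of the SBOM/VEX split described above (example code written for this page, not code from the thread or from any Apache project): a scanner's CVE-to-component matches are first checked against the release SBOM and then against the project's VEX statements. The SBOM, the VEX, the CVE ids and the findings are all constructed, and the VEX field layout assumed here follows the CycloneDX "vulnerabilities" entries.

```python
# Constructed sample SBOM: the components a release ships, trimmed to the
# fields this example uses (the CycloneDX component "purl").
SBOM = {"components": [
    {"purl": "pkg:maven/org.example/libfoo@1.2.3"},
    {"purl": "pkg:maven/org.example/libbar@4.0.0"},
]}

# Constructed sample VEX: the project's statements about vulnerabilities
# reported against those components, in the shape of CycloneDX
# "vulnerabilities" entries (assumed layout). CVE ids are placeholders.
VEX = {"vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:maven/org.example/libfoo@1.2.3"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:maven/org.example/libbar@4.0.0"}],
     "analysis": {"state": "exploitable", "response": ["update"]}},
]}

# Constructed scanner output: (vulnerability id, purl) matches, as a
# dependency scanner would report after correlating the SBOM with CVE data.
FINDINGS = [
    ("CVE-0000-0001", "pkg:maven/org.example/libfoo@1.2.3"),
    ("CVE-0000-0002", "pkg:maven/org.example/libbar@4.0.0"),
    ("CVE-0000-0003", "pkg:maven/org.example/libbar@4.0.0"),  # no VEX statement yet
    ("CVE-0000-0004", "pkg:maven/org.example/libbaz@9.9.9"),  # component not shipped
]

# VEX states under which a finding needs no action from the consumer.
SUPPRESSIBLE = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def index_vex(vex):
    """Map (vulnerability id, affected component ref) to its analysis block."""
    return {(v["id"], a["ref"]): v.get("analysis", {})
            for v in vex.get("vulnerabilities", []) for a in v.get("affects", [])}

def triage(findings, sbom, vex):
    """Decide what each scanner finding means given the SBOM and the VEX."""
    shipped = {c["purl"] for c in sbom.get("components", [])}
    statements = index_vex(vex)
    verdicts = {}
    for vuln_id, purl in findings:
        analysis = statements.get((vuln_id, purl))
        if purl not in shipped:
            verdicts[(vuln_id, purl)] = "ignore: not in SBOM"
        elif analysis is None:
            verdicts[(vuln_id, purl)] = "in_triage: no VEX statement"
        elif analysis.get("state") in SUPPRESSIBLE:
            verdicts[(vuln_id, purl)] = f"suppress: {analysis['state']}"
        else:
            verdicts[(vuln_id, purl)] = "act: " + ",".join(analysis.get("response", ["review"]))
    return verdicts
```

A finding with no VEX statement stays in triage rather than being silently dropped, which is the gap a community-maintained VEX is meant to close.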
Hi Craig
At my day job this has been part of an antivirus solution we have had in production
use for a long time. It scans computers, knows software and versions, knows what
is running and aligns that with CVEs. Don't know if that is already
scraping SBOMs to gain a better picture about the software. Since it is
I was thinking about why we have SBOMs and took it to the next level.
Users use SBOMs in order to know the entire stack of software they are running.
This allows them to know whether the products that they use are subject to
known vulnerabilities. But in order to take advantage of this, they ne