
fix: improve validation of CPE data #4013

Closed
@terriko

Description


In #3990, @cinix has added the ability to read CPE info from CycloneDX triage data.

Some of the functions could use some additional input validation to make sure that the cpe conforms to expected format and that things like vendor/product/version don't have special characters in them. I expect for the moment we may see people using a lot of manually-edited triage files and typos are going to be more of a problem than malicious vex files, but we should treat it as untrusted data just in case. I expect a lot of the validation will look like the code we use in the PURL stuff that's been done recently; we might want to consider refactoring to re-use functions eventually.
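A conservative validator of the kind the issue asks for, added here as an example (not cve-bin-tool's own code): it assumes the CPE 2.3 formatted-string layout of 13 colon-separated fields with no escaped colons, and restricts vendor/product/version to an assumed safe character set so typos and stray shell or SQL characters from hand-edited triage files are rejected. The `openssl` values in the comments are constructed samples.

```python
import re

# Assumed (not from cve-bin-tool): a CPE 2.3 formatted string is exactly
# "cpe:2.3:" followed by these 11 fields, colon-separated, no escaped colons.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Assumed safe charset for the fields we look up: letters, digits, '_', '.',
# '-', '+', or the whole-field wildcard '*'. Rejects '\', ':', quotes, spaces,
# ';' and anything else that could leak into a query or command later.
_SAFE_FIELD = re.compile(r"^(?:\*|[A-Za-z0-9._+-]+)$")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields; raise ValueError on bad input."""
    if not isinstance(cpe, str):
        raise ValueError("cpe must be a string")
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        # Also rejects the older "cpe:/a:vendor:product" URI form.
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields = dict(zip(CPE23_FIELDS, parts[2:]))
    if fields["part"] not in ("a", "h", "o", "*"):
        raise ValueError(f"invalid part {fields['part']!r}")
    for name in ("vendor", "product", "version"):
        if not _SAFE_FIELD.match(fields[name]):
            raise ValueError(f"unsafe characters in {name}: {fields[name]!r}")
    return fields


def is_valid_cpe23(cpe: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_cpe23(cpe)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: e.g. "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"
    for candidate in (
        "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
        "cpe:2.3:a:openssl:openssl:1.1.1k;rm:*:*:*:*:*:*:*",
        "cpe:/a:openssl:openssl:1.1.1k",
    ):
        print(candidate, "->", is_valid_cpe23(candidate))
```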
