In #3990, @cinix has added the ability to read CPE info from CycloneDX triage data.
Some of the functions could use some additional input validation to make sure that the CPE conforms to the expected format and that things like vendor/product/version don't have special characters in them. I expect for the moment we may see people using a lot of manually-edited triage files, and typos are going to be more of a problem than malicious VEX files, but we should treat it as untrusted data just in case. I expect a lot of the validation will look like the code we use in the PURL stuff that's been done recently; we might want to consider refactoring to re-use functions eventually.
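One shape such a check could take, as an added example in Python that is not the project's own code and is not taken from #3990: a small CPE 2.3 formatted-string validator that splits on unescaped colons, requires the thirteen fields and the `cpe:2.3` prefix, restricts `part` to the spec's values, and rejects any vendor/product/version (or other attribute) that carries raw punctuation instead of the spec's backslash-quoting. The function names (`split_cpe`, `parse_cpe23`, `is_valid_cpe23`, `cpe_triple`), the `CPEValidationError` type, and the policy choices of stripping surrounding whitespace, rejecting embedded `*`/`?` wildcards, and demanding a concrete vendor and product for a triage record are all assumptions made for this example; the sample inputs are constructed.

```python
import re

# Attribute names in CPE 2.3 order, after the "cpe:2.3" prefix (13 fields total).
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
# "a" application, "o" operating system, "h" hardware; "*" ANY and "-" NA are
# the two logical values every attribute may carry.
PARTS = frozenset({"a", "o", "h", "*", "-"})

# A concrete attribute value in the formatted-string binding: alphanumerics,
# underscore, dot and hyphen appear unquoted; any other non-alphanumeric
# character must be backslash-quoted. Unquoted '*' / '?' wildcards are NOT
# accepted here (assumption: a triage record should name exact values, so a
# typo such as "2.4.*" is better rejected than silently widened).
_COMPONENT_RE = re.compile(r"^(?:[A-Za-z0-9_.\-]|\\[^A-Za-z0-9])+$")


class CPEValidationError(ValueError):
    """Raised for any CPE string that does not conform to the expected format."""


def split_cpe(cpe: str) -> list[str]:
    """Split on ':' while honouring the '\\:' escape, so a quoted colon inside a
    product name does not change the field count."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(cpe):
        c = cpe[i]
        if c == "\\":
            if i + 1 >= len(cpe):
                raise CPEValidationError("dangling backslash at end of CPE")
            buf.append(cpe[i:i + 2])  # keep the escape pair as written
            i += 2
            continue
        if c == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Validate a CPE 2.3 formatted string from untrusted triage data and return
    its attributes by name. Values are returned still in the formatted-string
    binding (escapes intact); nothing is unquoted here."""
    if not isinstance(cpe, str):
        raise CPEValidationError("CPE must be a string")
    fields = split_cpe(cpe.strip())  # assumption: surrounding whitespace is a typo, not data
    if len(fields) != 2 + len(FIELDS):
        raise CPEValidationError(f"expected {2 + len(FIELDS)} colon-separated fields, got {len(fields)}")
    if fields[0] != "cpe" or fields[1] != "2.3":
        raise CPEValidationError("CPE must start with 'cpe:2.3:'")
    values = dict(zip(FIELDS, fields[2:]))
    if values["part"] not in PARTS:
        raise CPEValidationError(f"invalid part {values['part']!r}; expected one of a, o, h, *, -")
    for name, value in values.items():
        if name == "part" or value in ("*", "-"):
            continue
        if not _COMPONENT_RE.match(value):
            raise CPEValidationError(
                f"{name} {value!r} contains characters outside the CPE 2.3 formatted-string alphabet")
    return values


def is_valid_cpe23(cpe: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_cpe23(cpe)
        return True
    except CPEValidationError:
        return False


def cpe_triple(cpe: str) -> tuple[str, str, str]:
    """Return (vendor, product, version), lower-cased, for matching. Assumption:
    a triage entry must name a concrete vendor and product, so ANY/NA there is
    treated as an error rather than a wildcard."""
    values = parse_cpe23(cpe)
    for name in ("vendor", "product"):
        if values[name] in ("*", "-"):
            raise CPEValidationError(f"{name} must be a concrete value in triage data")
    return values["vendor"].lower(), values["product"].lower(), values["version"].lower()


if __name__ == "__main__":
    # Constructed inputs: one well-formed entry, then the kinds of mistakes and
    # hostile content the validator is meant to stop.
    samples = [
        "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*",        # one field short
        "cpe:2.2:a:apache:http_server:2.4.1:*:*:*:*:*:*:*",      # wrong CPE version
        "cpe:2.3:x:apache:http_server:2.4.1:*:*:*:*:*:*:*",      # bad part
        "cpe:2.3:a:apache:http_server:2.4.*:*:*:*:*:*:*:*",      # embedded wildcard
        "cpe:2.3:a:apache:http_server:2.4.1' OR 1=1--:*:*:*:*:*:*:*",  # raw punctuation
    ]
    for s in samples:
        print(f"{'ok    ' if is_valid_cpe23(s) else 'reject'} {s}")
```

Because the validator keeps values in their quoted form, a product such as `foo\:bar` survives the split as one field and can be compared directly against a database that stores CPEs in the same binding; if the project later needs unquoted values for display, that is a separate, explicit step rather than something the parser does implicitly.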