Re: cve-checker name collisions
On Mon, Jan 27, 2020 at 10:16:16AM +0200, Anders Montonen wrote:
> On 24 Jan 2020, at 12:54, Ross Burton <firstname.lastname@example.org> wrote:
>
> Thanks (and to Mikko too), that worked, though I’m a bit curious how one would find the proper vendor name, especially for a project like this where there’s no clear company name.

I always search for existing CVEs for the SW component and check what
project and product names were used.
For flex, Internet search shows for example
which has "flex_project:flex" in NVD:
In my projects I also have exported CVE_PRODUCT to buildhistory and
have a check for CVE product name. Any SW components with non-CLOSED
LICENSE must either have a matching CPE in NVD database or be checked
manually and whitelisted.
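
A sketch of the kind of CVE_PRODUCT check described in the message above, added here as an example and not taken from the thread or from the poster's project. The record layout, the recipe names, the whitelist and every CPE entry except flex_project:flex are constructed assumptions; a bare product name that matches more than one vendor is reported as ambiguous.

```python
from collections import defaultdict

# Constructed CPE 2.3 names; only flex_project:flex is taken from the thread.
SAMPLE_CPES = [
    "cpe:2.3:a:flex_project:flex:2.6.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:flex:1.0:*:*:*:*:*:*:*",  # constructed collision
    "cpe:2.3:a:example_org:examplelib:3.1:*:*:*:*:*:*:*",
]
# Constructed records (recipe, LICENSE, CVE_PRODUCT); this layout is an assumption.
SAMPLE_RECIPES = [
    ("flex", "BSD-3-Clause", "flex"),
    ("flex-pinned", "BSD-3-Clause", "flex_project:flex"),
    ("examplelib", "MIT", "examplelib"),
    ("inhouse-tool", "CLOSED", "inhouse-tool"),
    ("newthing", "MIT", "newthing"),
]
RANK = {"ok": 0, "ambiguous": 1, "no-match": 2}

def cpe_index(cpes):
    """Map product -> set of vendors (escaped ':' in names is not handled)."""
    index = defaultdict(set)
    for cpe in cpes:
        parts = cpe.split(":")
        if len(parts) >= 5 and parts[:2] == ["cpe", "2.3"]:
            index[parts[4]].add(parts[3])
    return index

def check_entry(entry, index):
    """Classify one CVE_PRODUCT entry, either 'product' or 'vendor:product'."""
    vendor, _, product = entry.rpartition(":")
    vendors = index.get(product, set())
    if vendor:
        return "ok" if vendor in vendors else "no-match"
    if not vendors:
        return "no-match"
    return "ok" if len(vendors) == 1 else "ambiguous"

def audit(recipes, cpes, whitelist=()):
    """Return {recipe: status}; CLOSED recipes are skipped, whitelisted ones pass."""
    index = cpe_index(cpes)
    report = {}
    for recipe, license_, cve_product in recipes:
        if license_ == "CLOSED":
            report[recipe] = "skipped"
        elif recipe in whitelist:
            report[recipe] = "whitelisted"
        else:
            statuses = [check_entry(e, index) for e in cve_product.split()]
            report[recipe] = max(statuses, key=RANK.get, default="no-match")
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_RECIPES, SAMPLE_CPES, {"newthing"}).items():
        print(f"{name}: {status}")
```

Recipes reported as ambiguous or no-match are the ones that need a vendor-qualified CVE_PRODUCT or a manual check.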