I am currently using Dependency-Track to manage third-party vulnerabilities. I would like to use a single tool for both third-party and first-party vulnerabilities.
I discovered the Private Vulnerability Repository, which seems like a good fit for this use case. However, when testing it, I am unable to get internal vulnerabilities to be picked up by Dependency-Track’s vulnerability scanner. I have tried identifying affected components using both package URL and CPE, without success.
Is there a plan for a more intuitive way to model first-party vulnerabilities in Dependency-Track? For example, would it make sense to associate vulnerabilities directly with projects and versions rather than relying solely on PURL or CPE matching?
I am also unsure how internal vulnerabilities are intended to be managed day to day. As far as I can tell, they are only accessible through the Vulnerabilities view, but that view feels quite limited. For example, it seems to only search by vulnerability ID and does not allow filtering or sorting by severity or other useful attributes.
I am using Dependency-Track version 4.13.3.