Description
When doing vulnerability management, it would be useful to track, on a global (dataspace-level) Package, a default purpose and a default deployment.
This is an important context item for prioritizing vulnerability mitigation.
- For instance, the Python sphinx doc tool is a "tool" by default.
- Junit is for tests in Java by default, and not deployed by default.
Given a vulnerability that affects a package, the package's default deployment and default purpose matter, since this context should lower the actual risk exposure for that vulnerability. This could be an important part of a policy. The same data could be further set at the product-package level, where it would override the global dataspace- or PurlDB-level attributes.
These data items could be fed from PurlDB; some could be inferred, but many would be curated.
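As an added illustration of the proposal (not DejaCode or PurlDB code), the model below carries a default purpose and default deployment on the global Package, lets a product-package override either one, and shows how a policy could scale a base severity by that context. The purpose values, weights and sample purls are assumptions constructed for the example.

```python
"""Illustrative model of default purpose / default deployment attributes,
product-package overrides, and a policy that adjusts exposure accordingly.
Not DejaCode or PurlDB code; weights and purpose names are assumed."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy table: how much each context lowers exposure.
PURPOSE_WEIGHT = {"library": 1.0, "application": 1.0, "tool": 0.5, "test": 0.2}
DEPLOYED_WEIGHT = {True: 1.0, False: 0.1}


@dataclass
class Package:
    """Global (dataspace-level) package with curated default attributes."""
    purl: str
    default_purpose: str = "library"
    default_deployed: bool = True


@dataclass
class ProductPackage:
    """Package as used in a product; None means 'inherit the global default'."""
    package: Package
    purpose: Optional[str] = None
    deployed: Optional[bool] = None

    def effective_purpose(self) -> str:
        return self.purpose if self.purpose is not None else self.package.default_purpose

    def effective_deployed(self) -> bool:
        return self.deployed if self.deployed is not None else self.package.default_deployed


def adjusted_exposure(base_score: float, pp: ProductPackage) -> float:
    """Scale a base severity (e.g. a CVSS score) by purpose and deployment context.
    Unknown purposes get weight 1.0 so curation gaps never hide a vulnerability."""
    weight = PURPOSE_WEIGHT.get(pp.effective_purpose(), 1.0)
    weight *= DEPLOYED_WEIGHT[pp.effective_deployed()]
    return round(base_score * weight, 2)


# Constructed sample data echoing the issue's examples (versions omitted).
sphinx = Package("pkg:pypi/sphinx", default_purpose="tool", default_deployed=False)
junit = Package("pkg:maven/junit/junit", default_purpose="test", default_deployed=False)

if __name__ == "__main__":
    print(adjusted_exposure(9.8, ProductPackage(sphinx)))                      # inherits defaults
    print(adjusted_exposure(9.8, ProductPackage(junit, deployed=True)))        # product override
    print(adjusted_exposure(9.8, ProductPackage(sphinx, purpose="application", deployed=True)))
```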