Description
As of #109, our SBOM reports include a baseline of information about each package distribution and its vulnerabilities:
- Package name
- Package version
- Any CycloneDX-generated metadata for each of the above
- For each vulnerability:
  - Vulnerability ID (like `PYSEC-*`)
  - Human readable description
  - An "Upgrade" recommendation
  - Advisory versions for upgrade
It might be worth looking into iteratively expanding this information, using package/distribution metadata. Some potential inclusions would be:
- Package author and/or maintainer
- Package license
- For each vulnerability:
  - Vulnerability "source" (i.e. PyPI, OSV, etc.)
  - Additional cross-referencing IDs/URLs (CVEs, etc.)
  - Additional weakness and vulnerability enumerations (CWEs, etc.)
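To make the baseline-versus-extended distinction concrete, the following is an added example (not pip-audit's own SBOM code) that emits a minimal CycloneDX 1.4 JSON document from a hand-constructed package record. The baseline fields listed above map onto `components[].name`/`version` and `vulnerabilities[].id`/`description`/`recommendation`/`affects`; the proposed extensions map onto `components[].author`, `components[].licenses`, and `vulnerabilities[].source`/`references`/`cwes`. The field names follow the CycloneDX 1.4 JSON schema; the sample package, advisory ID, CVE alias, and the "Upgrade to ..." recommendation wording are all constructed for illustration. A helper reports which extended fields a given SBOM is missing, which is the gap this issue describes.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input (not real audit output): one package with one
# vulnerability, carrying both the baseline fields and the proposed extras.
# All identifiers here are placeholders, not real advisories.
SAMPLE_PACKAGES = [
    {
        "name": "examplepkg",
        "version": "1.0.0",
        "author": "Example Maintainer",   # proposed: package author/maintainer
        "license": "MIT",                 # proposed: package license
        "vulns": [
            {
                "id": "PYSEC-0000-00000",               # placeholder advisory id
                "description": "Constructed description of the flaw.",
                "fix_versions": ["1.0.1"],
                "source": "OSV",                          # proposed: vuln source
                "aliases": [("CVE-0000-00000", "NVD")],   # proposed: cross-refs (placeholder)
                "cwes": [79],                             # proposed: CWE enumerations
            }
        ],
    }
]

EXTENDED_COMPONENT_FIELDS = ("author", "licenses")
EXTENDED_VULN_FIELDS = ("source", "references", "cwes")


def component_ref(name, version):
    """Package URL used as the CycloneDX bom-ref for a PyPI distribution."""
    return f"pkg:pypi/{name}@{version}"


def build_sbom(packages, include_extended=True):
    """Build a CycloneDX 1.4 JSON-shaped dict; include_extended=False yields baseline only."""
    components, vulnerabilities = [], []
    for pkg in packages:
        ref = component_ref(pkg["name"], pkg["version"])
        component = {
            "type": "library",
            "bom-ref": ref,
            "name": pkg["name"],
            "version": pkg["version"],
            "purl": ref,
        }
        if include_extended:
            if pkg.get("author"):
                component["author"] = pkg["author"]
            if pkg.get("license"):
                component["licenses"] = [{"license": {"id": pkg["license"]}}]
        components.append(component)

        for v in pkg["vulns"]:
            fixes = v.get("fix_versions", [])
            entry = {
                "id": v["id"],
                "description": v["description"],
                # Recommendation wording is an assumption for this example.
                "recommendation": f"Upgrade to {', '.join(fixes)}" if fixes else "No fix available",
                "affects": [{
                    "ref": ref,
                    "versions": [{"version": pkg["version"], "status": "affected"}]
                    + [{"version": fv, "status": "unaffected"} for fv in fixes],
                }],
            }
            if include_extended:
                entry["source"] = {"name": v["source"]}
                entry["references"] = [
                    {"id": alias, "source": {"name": src}} for alias, src in v.get("aliases", [])
                ]
                entry["cwes"] = list(v.get("cwes", []))
            vulnerabilities.append(entry)

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": components,
        "vulnerabilities": vulnerabilities,
    }


def missing_extended_fields(sbom):
    """Return sorted 'section.field' names from the proposed extensions absent in the SBOM."""
    missing = set()
    for c in sbom.get("components", []):
        missing.update(f"component.{f}" for f in EXTENDED_COMPONENT_FIELDS if f not in c)
    for v in sbom.get("vulnerabilities", []):
        missing.update(f"vulnerability.{f}" for f in EXTENDED_VULN_FIELDS if f not in v)
    return sorted(missing)


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_PACKAGES), indent=2))
    print("baseline SBOM lacks:", missing_extended_fields(build_sbom(SAMPLE_PACKAGES, False)))
```

Running the module prints the extended SBOM and then lists what the baseline-only variant omits; a consumer that wants to triage by CWE or correlate against CVE feeds would need exactly those fields.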