It seems like there are cases where CVEs don't belong to any currently supported ecosystem, but there is not enough information available to filter them out before we try to map them to package names from supported ecosystems. And it happens that there is a package with a similar name, but since the ecosystem is incorrect, such mappings are always false positives.
We could remember which (vendor, product) pairs were marked as false positives by reviewers and automatically filter out new CVEs with the same pair based on feedback from previous reviews.
Marek also had an idea that we could remember (vendor, product) pairs which were previously successfully mapped to a package and next time when we encounter the same pair, we could with high-enough confidence say what the package name is (this should work nicely for ecosystems like Python and Node.js).
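A sketch of the feedback memory proposed above, as an added example that is not code from the project: `ReviewMemory`, its method names and both thresholds are hypothetical, and the recorded reviews are constructed sample data. It goes slightly beyond the post by sending pairs with too few or conflicting verdicts back to manual review instead of acting on them.

```python
from collections import Counter, defaultdict


class ReviewMemory:
    """Remembers reviewer verdicts per (vendor, product) pair (hypothetical helper)."""

    def __init__(self, min_votes=2, min_agreement=0.9):
        self.min_votes = min_votes          # assumed threshold, tune per deployment
        self.min_agreement = min_agreement  # assumed threshold, tune per deployment
        # key -> Counter of outcomes; the outcome None means "false positive"
        self._verdicts = defaultdict(Counter)

    @staticmethod
    def _key(vendor, product):
        # Vendor and product strings are compared case-insensitively.
        return (vendor.strip().lower(), product.strip().lower())

    def record(self, vendor, product, package=None):
        """Store one review: package=(ecosystem, name), or None for a false positive."""
        self._verdicts[self._key(vendor, product)][package] += 1

    def decide(self, vendor, product):
        """Return ('skip', None), ('map', (ecosystem, name)) or ('review', None)."""
        votes = self._verdicts.get(self._key(vendor, product))
        if not votes:
            return ("review", None)  # pair never reviewed before
        outcome, count = votes.most_common(1)[0]
        total = sum(votes.values())
        if count < self.min_votes or count / total < self.min_agreement:
            return ("review", None)  # too little or conflicting feedback
        return ("skip", None) if outcome is None else ("map", outcome)


def demo():
    memory = ReviewMemory()
    # Constructed review history, not real CVE data.
    memory.record("examplecorp", "router-fw")            # rejected twice
    memory.record("ExampleCorp", "Router-FW")
    memory.record("examplelib", "examplelib", ("pypi", "examplelib"))
    memory.record("examplelib", "examplelib", ("pypi", "examplelib"))
    memory.record("acme", "parser", ("npm", "parser"))   # reviewers disagree
    memory.record("acme", "parser")
    memory.record("acme", "parser", ("npm", "parser"))
    pairs = [("examplecorp", "router-fw"), ("examplelib", "examplelib"),
             ("acme", "parser"), ("unknown", "thing")]
    return {pair: memory.decide(*pair) for pair in pairs}


if __name__ == "__main__":
    for pair, decision in demo().items():
        print(pair, "->", decision)
```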