Replies: 3 comments
-
Sorry to say they won't go away. You'd need to either delete the project(s) or their components and re-upload the BOM to reanalyze them. I tried to code it to remove vulnerabilities that no longer matched when re-scanned, but this had multiple issues given the way the scanner functioned.
What is it that flabbergasts you specifically?
On Thu, Jul 25, 2024 at 9:26 AM piotr.baltrukiewicz < ***@***.***> wrote:
Hi everyone - I'm not sure how the CPE fuzzy matching works when you
change the setup in Analyzers/Internal screen. If you turn it on, it will
create new vulnerabilities - what will happen if we turn it off again?
Would the "fuzzy" vulnerabilities vanish?
I'm a bit flabbergasted how this behaves.
-
We are playing with this option and we are not entirely satisfied with this approach - frankly, I don't understand why those vulnerabilities will not go away if too many false positives are detected and we want to come back to the previous setup. Deleting the project is not an option - we have multiple assessments made on various projects and we have too many teams to keep track of how this will affect them. The re-upload of the SBOM seems like a reasonable workaround, but how will this affect current projects? Would that remove assessments? Or will just the scanning be retriggered and the "fuzzy" vulnerabilities vanish? Currently we have a process of daily scanning/reuploading the SBOM - if that's the case, will the "fuzzy" vulnerabilities change between days if the fuzzy option was turned off? And a final question - if I turn the fuzzy option on now, when does the reanalysis take place? Right away, or during the next reanalysis cycle as per the task scheduler?
-
I'm sorry; I took your last questions as rhetorical. To answer them honestly, I don't know. If it's a significant concern, I'd set up a test instance to verify behavior for this and future configuration changes you'd like to play with, but I'm not part of the DT team.
-
Hi everyone - I'm not sure how the CPE fuzzy matching works when you change the setup in Analyzers/Internal screen. If you turn it on, it will create new vulnerabilities - what will happen if we turn it off again? Would the "fuzzy" vulnerabilities vanish?
I'm a bit flabbergasted how this behaves.