You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I am a PhD Student at NC State University. As part of our research, we are evaluating the existing tools that detect vulnerable dependencies. We have observed that the tools’ result can differ based on the strength of its vulnerability database. For our research, we are hoping to understand more on how tools like maven-security-versions maintain its vulnerability database. We’d be grateful if we get some responses for the below questions.
What are your sources for vulnerability data, e.g. NVD, OSS Index?
Do you have any process to discover open source vulnerabilities by yourselves, e.g. through monitoring bug repositories? If yes, is it possible to share with us a high level explanation of what you do?
When collecting vulnerability data from third-party databases (e.g. NVD), do you perform any curation and/or correction, e.g. discarding debated CVEs or correcting the affected version range? If yes, is it possible to share with us a high level explanation of what you do?
Thanks,
Nasif
The text was updated successfully, but these errors were encountered:
Hi,
I am a PhD Student at NC State University. As part of our research, we are evaluating the existing tools that detect vulnerable dependencies. We have observed that the tools’ result can differ based on the strength of its vulnerability database. For our research, we are hoping to understand more on how tools like maven-security-versions maintain its vulnerability database. We’d be grateful if we get some responses for the below questions.
Thanks,
Nasif
The text was updated successfully, but these errors were encountered: