Make inference strategy for PURLs a configurable option
Closed this issue · 0 comments
elanzini commented
To test the effectiveness of the different heuristics used for the guesswork, the strategy will be separated into 4 different options:

- none: no guessing is performed
- repos: repo URLs are extracted from references of the vulnerability and cross-checked against a cached map that assigns each repo_url to a partial PURL
- cpes: base CPEs provided by NVD are cross-checked against a cached map that matches the base_cpe with a partial PURL
- both: both strategies are employed

Note: all the maps are built beforehand by crawling the respective ecosystems (e.g. mvn, pypi) and from the CPE dictionary provided by NVD.
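
A sketch of how the four options described in the issue could be dispatched, added here as an illustration and not taken from the project's code. All function names, the two map entries and the reading of "base CPE" as the CPE 2.3 prefix up to the product field are assumptions.

```python
from enum import Enum
from urllib.parse import urlparse

class Strategy(Enum):
    NONE = "none"
    REPOS = "repos"
    CPES = "cpes"
    BOTH = "both"

# Constructed sample maps (hypothetical entries); per the issue, the real ones
# are built beforehand from ecosystem crawls and the NVD CPE dictionary.
REPO_TO_PURL = {"github.com/psf/requests": "pkg:pypi/requests"}
CPE_TO_PURL = {"cpe:2.3:a:apache:commons_text": "pkg:maven/org.apache.commons/commons-text"}

def repo_key(reference_url):
    """Reduce a reference URL to host/owner/repo, or None if it lacks that shape."""
    parsed = urlparse(reference_url)
    parts = [p for p in parsed.path.split("/") if p]
    if not parsed.hostname or len(parts) < 2:
        return None
    repo = parts[1][:-4] if parts[1].endswith(".git") else parts[1]
    return f"{parsed.hostname}/{parts[0]}/{repo}".lower()

def base_cpe(cpe):
    """Assumption: 'base CPE' is the CPE 2.3 prefix up to product (no version)."""
    fields = cpe.split(":")  # does not handle escaped colons inside a field
    if len(fields) < 5 or fields[:2] != ["cpe", "2.3"]:
        return None
    return ":".join(fields[:5]).lower()

def infer_purls(strategy, references, cpes):
    """Return the sorted partial PURLs guessed under the chosen strategy."""
    strategy = Strategy(strategy)  # raises ValueError on an unknown option
    found = set()
    if strategy in (Strategy.REPOS, Strategy.BOTH):
        for url in references:
            purl = REPO_TO_PURL.get(repo_key(url))
            if purl:
                found.add(purl)
    if strategy in (Strategy.CPES, Strategy.BOTH):
        for cpe in cpes:
            purl = CPE_TO_PURL.get(base_cpe(cpe))
            if purl:
                found.add(purl)
    return sorted(found)
```

Running the same vulnerability record through each option and comparing the returned sets is what makes the per-heuristic effectiveness measurable.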