Hi @Sovenique, both your assumptions are correct. The attribution denotes when and by whom a component was identified to be affected by a given vulnerability. Because the entire portfolio is scanned for vulnerabilities at least daily, attributions can appear way after a BOM was uploaded.
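The behaviour described in this reply, as an added example that is not part of the original discussion or the project's own code: it separates findings whose `attributedOn` falls well after the last BOM import from findings that carry no attribution at all. Only `attribution.attributedOn` appears on the page; the other field names, the epoch-millisecond encoding and all sample values are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data. Only attribution.attributedOn appears on the page;
# the other field names and the epoch-millisecond encoding are assumptions.
SAMPLE_FINDINGS = json.loads("""[
  {"component": {"name": "lib-a"}, "vulnerability": {"vulnId": "EXAMPLE-0001"},
   "attribution": {"analyzerIdentity": "OSSINDEX_ANALYZER", "attributedOn": 1672570800000}},
  {"component": {"name": "lib-b"}, "vulnerability": {"vulnId": "EXAMPLE-0002"},
   "attribution": {"analyzerIdentity": "OSSINDEX_ANALYZER", "attributedOn": 1686787200000}},
  {"component": {"name": "lib-c"}, "vulnerability": {"vulnId": "EXAMPLE-0003"}}
]""")
LAST_BOM_IMPORT_MS = 1672567200000  # constructed: 2023-01-01T10:00:00Z


def to_utc(ms):
    """Convert epoch milliseconds to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def split_by_attribution(findings, last_bom_import_ms, grace=timedelta(hours=24)):
    """Return (late, unattributed): findings attributed more than `grace`
    after the last BOM import, and components with no attribution record."""
    bom_time = to_utc(last_bom_import_ms)
    late, unattributed = [], []
    for finding in findings:
        name = finding.get("component", {}).get("name", "<unknown>")
        attribution = finding.get("attribution") or {}
        ts = attribution.get("attributedOn")
        if ts is None:
            unattributed.append(name)  # nothing to compare against
            continue
        lag = to_utc(ts) - bom_time
        if lag > grace:  # found by a background scan, not at upload time
            late.append({
                "component": name,
                "vuln": finding.get("vulnerability", {}).get("vulnId"),
                "analyzer": attribution.get("analyzerIdentity"),
                "attributed_on": to_utc(ts).isoformat(),
                "days_after_bom": lag.days,
            })
    late.sort(key=lambda row: row["days_after_bom"], reverse=True)
    return late, unattributed


if __name__ == "__main__":
    late, unattributed = split_by_attribution(SAMPLE_FINDINGS, LAST_BOM_IMPORT_MS)
    for row in late:
        print(row)
    print("no attribution:", unattributed)
```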
-
Greetings community,
I can't find any related information on the meaning of the attributedOn JSON key (findings: attribution: attributedOn:) that some API calls return. To my understanding, this date is when the internal analyzer (Ossindex Analyzer) labeled a component as vulnerable and this can occur anytime in the background analysis?
Some project components were labeled as vulnerable months after their last BOM importation and were attributed on with a newer date, so this is what this key means?
Thank you so much for your time!