Supporting webjars and other re-packagings of software artifacts from other ecosystems #718
Comments
|
I think this would be beneficial to the current security vulnerability universe to do this. It should be acknowledged that this is not technically correct behavior, but it would help solve a very real problem in the short term. The technically correct behavior is for various SBOM and vulnerability scanners to correctly reach inside a webjar and report the NPM findings as NPM findings, not as java findings. However, this is not how much of the current scanners work. They will probably get there someday, but the space is still too new and there are other larger rocks to move first. I believe this is one of those instances where doing something that isn't technically correct, but solves an existing problem makes sense. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should re-packagings of software artifacts from other ecosystems be supported for automatic inclusion in security advisories?
As a specific example, there exists the webjars project which packages javascript packages up and makes them available on Maven for inclusion of js dependencies in a java project. It might be useful to have these automatically included on new npm advisories for which a webjars artifact exists
Continues discussions from #607
The text was updated successfully, but these errors were encountered: