new metrics in risk-security

[king-gao]

Toady more and more OSS is integrated from others OSS component. I see license conflict is already in license metrics section, In addition, vulnerabilities are one of the important indicators of security.

So , in this scenario ，can we metric the project vulnerabilities Complete and accurate.
we can through SBOM to find the vulnerabilities from the OSS project be integrated,and check are every vulnerabilities is correct and public the vulnerabilities in commuty?

[germonprez]

Thanks @king-gao @sgoggins can give some insight on this. I think this is something that we can cover with Augur but not sure how robust it is at the moment.

[king-gao]

Thanks @king-gao @sgoggins can give some insight on this. I think this is something that we can cover with Augur but not sure how robust it is at the moment.

Maybe we can use SBOM(the project OSS lists),we can sum the total vulnerabilities and dif with the project vulnerabilities:)

[germonprez]

The challenge that I always run into with vulnerabilities is how to discover them. The NIST NVD is deep but determining CPEs to find the vulnerabilities always proves to be a challenge.