I thought I'd capture an umbrella issue for discussing a package of improvements for 5.2.0
A possible use-case-based approach:
Use case 1: "Does this vulnerability apply to me?" "How do I make it not apply to me?"
- I have a programmatic way to identify the subject of the vulnerability
- I can cross-reference the product against an inventory of products I am concerned about
- I can scan a software source repository
- I can scan a container image or other installation of software binary artefacts
- I have a way to programmatically determine the version of the subject the vulnerability applies to
- I can determine if the installed version of software is affected by a vulnerability
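The last two items of use case 1 in working form, as an added example that is not part of the issue or the project's code: an installed-software inventory is cross-referenced against a record's affected-product list, and a version the tooling cannot compare (a non-semver versionType) is reported as unknown rather than silently treated as unaffected. The record layout is an assumption modelled on CVE JSON 5.x, and the sample data is constructed.

```python
# Added example, not from the issue: cross-reference an installed-software inventory
# against a vulnerability record's affected-product list. The record layout ('versions'
# entries with version, lessThan/lessThanOrEqual, status, versionType and a per-product
# defaultStatus) is an assumption modelled on CVE JSON 5.x; sample data is constructed.
def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version ('1.2.10') into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

def entry_matches(installed: str, entry: dict):
    """True/False if 'installed' falls inside this entry; None when it cannot be
    compared programmatically (non-semver versionType or non-numeric version)."""
    if entry.get("versionType") != "semver":
        return None
    try:
        inst, start = parse_version(installed), parse_version(entry["version"])
        if "lessThan" in entry:
            return start <= inst < parse_version(entry["lessThan"])
        if "lessThanOrEqual" in entry:
            return start <= inst <= parse_version(entry["lessThanOrEqual"])
        return inst == start  # a bare version names exactly one release
    except (KeyError, ValueError):
        return None

def product_status(installed: str, product: dict) -> str:
    """'affected' / 'unaffected' / 'unknown' for one product entry: an explicit match
    beats defaultStatus, and an entry we cannot evaluate yields 'unknown', not 'unaffected'."""
    hits = [(entry_matches(installed, e), e.get("status", "affected"))
            for e in product.get("versions", [])]
    matched = {status for hit, status in hits if hit}
    if "affected" in matched:      # conservative: any affected match wins
        return "affected"
    if "unaffected" in matched:
        return "unaffected"
    if any(hit is None for hit, _ in hits):
        return "unknown"
    return product.get("defaultStatus", "unknown")

def match_inventory(inventory: list, record: dict) -> list:
    """(vendor, product, version, status) for each inventory item the record names."""
    return [(v, p, ver, product_status(ver, e))
            for v, p, ver in inventory for e in record["affected"]
            if (e["vendor"].lower(), e["product"].lower()) == (v.lower(), p.lower())]

SAMPLE_RECORD = {"affected": [  # constructed, not real products or CVE data
    {"vendor": "ExampleCo", "product": "widgetd", "defaultStatus": "unaffected",
     "versions": [{"version": "2.0.0", "lessThan": "2.3.1", "status": "affected", "versionType": "semver"}]},
    {"vendor": "ExampleCo", "product": "gadget", "defaultStatus": "affected",
     "versions": [{"version": "r17-hotfix", "status": "unaffected", "versionType": "custom"}]}]}
SAMPLE_INVENTORY = [("exampleco", "widgetd", "2.1.0"), ("exampleco", "widgetd", "2.3.1"),
                    ("ExampleCo", "gadget", "r18"), ("Other", "thing", "1.0")]
```

Running `match_inventory(SAMPLE_INVENTORY, SAMPLE_RECORD)` flags widgetd 2.1.0 as affected, widgetd 2.3.1 as unaffected via defaultStatus, and gadget r18 as unknown because its only version entry uses a custom versionType.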
Use case 2: "How do I prioritize the vulnerabilities that apply to me?"
- I have CVSS, EPSS, etc. scores to stack rank the vulnerabilities identifiable from use case 1, so that I can determine the next steps for responding to them
Use case 3: "How can I perform aggregate, historical analytics on the vulnerabilities that apply/did apply to me?"
- I can broadly bucket vulnerabilities to answer questions like "How many memory safety vulnerabilities impacted me last year?"
Some other general input validation issues worth noting here:
Related validation work happening elsewhere: