Vulnerability to package visibility #1430
As I understand it, and I'm happy to be corrected, in V2 packages can be ingested from both SBOMs and advisories.
In version 1 all packages would originate from ingested SBOMs.
That is all fine.
However, in V2, if there is a vulnerability affecting a package that does not belong to an SBOM, then it is not possible to see via the UI which package the vulnerability is associated with.
This vulnerability to package data is exposed on the SBOM Detail screen Vulnerabilities tab.
I would suggest we need a third tab (Related packages) on the Vulnerabilities detail screen.
Replies: 1 comment
It might help to further clarify the potential UX improvement.
In the package details page, trustify provides the list of the vulnerabilities affecting it
[Screenshot: package details page, 2025-03-14]
On the other side, in the vulnerability details page there's no way to know the affected package(s) if they are not inside an already ingested SBOM.
[Screenshot: vulnerability details page, 2025-03-14]
In this context, having a Related packages tab in the vulnerability details page would help the browsing from packages to vulnerabilities and vice versa.
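The data-model point behind this discussion is that once packages can originate from advisories as well as SBOMs, the vulnerability-to-package relation exists even for packages no SBOM contains, so the only thing missing is a view that walks it in that direction. The following is an added illustrative example, not trustify's code or data model: a small in-memory index that creates a package record the first time a purl appears in either an SBOM or an advisory, and answers both directions (package to vulnerabilities, vulnerability to packages) while flagging packages that are not in any ingested SBOM. The SBOM id, advisory id, vulnerability ids and purls are constructed for the example.

```python
# Added illustrative example (not trustify's code): an index in which a package
# record is created the first time a purl appears in EITHER an SBOM or an
# advisory, and which records the documents that mention it. All ids and
# purls below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Package:
    purl: str
    sboms: set = field(default_factory=set)       # ids of SBOMs listing this package
    advisories: set = field(default_factory=set)  # ids of advisories that affect it

    @property
    def in_sbom(self) -> bool:
        return bool(self.sboms)


class Index:
    def __init__(self) -> None:
        self.packages: dict = {}        # purl -> Package
        self.vuln_to_purls: dict = {}   # vulnerability id -> set of affected purls

    def _package(self, purl: str) -> Package:
        # setdefault creates the record on first sight, whatever the source document
        return self.packages.setdefault(purl, Package(purl))

    def ingest_sbom(self, sbom_id: str, purls) -> None:
        for purl in purls:
            self._package(purl).sboms.add(sbom_id)

    def ingest_advisory(self, advisory_id: str, affected: dict) -> None:
        # affected maps vulnerability id -> iterable of affected purls
        for vuln_id, purls in affected.items():
            for purl in purls:
                self._package(purl).advisories.add(advisory_id)
                self.vuln_to_purls.setdefault(vuln_id, set()).add(purl)

    def vulnerabilities_for(self, purl: str) -> list:
        """Package details direction: vulnerabilities affecting one purl."""
        return sorted(v for v, purls in self.vuln_to_purls.items() if purl in purls)

    def related_packages(self, vuln_id: str) -> list:
        """Vulnerability details direction: the packages a vulnerability affects,
        flagging those that no ingested SBOM contains."""
        rows = []
        for purl in self.vuln_to_purls.get(vuln_id, ()):
            pkg = self.packages[purl]
            rows.append({
                "purl": purl,
                "in_sbom": pkg.in_sbom,
                "sboms": sorted(pkg.sboms),
                "advisories": sorted(pkg.advisories),
            })
        return sorted(rows, key=lambda r: r["purl"])


def build_example_index() -> Index:
    """Constructed sample data: one SBOM and one advisory whose second
    vulnerability affects a package that appears in no SBOM."""
    idx = Index()
    idx.ingest_sbom("sbom-app-1", [
        "pkg:npm/examplepkg@4.17.20",
        "pkg:maven/org.example/example-core@2.1.0",
    ])
    idx.ingest_advisory("ADV-EXAMPLE-1", {
        "VULN-0001": ["pkg:npm/examplepkg@4.17.20"],
        "VULN-0002": ["pkg:pypi/examplelib@1.0.0"],   # present in no SBOM
    })
    return idx


if __name__ == "__main__":
    idx = build_example_index()
    for vuln in ("VULN-0001", "VULN-0002"):
        print(vuln, idx.related_packages(vuln))
    print("pkg:npm/examplepkg@4.17.20", idx.vulnerabilities_for("pkg:npm/examplepkg@4.17.20"))
```

`related_packages("VULN-0002")` returns the advisory-only package with `in_sbom` false and an empty `sboms` list, which is exactly the row a Related packages tab would need to render for a vulnerability whose affected packages are not inside any ingested SBOM.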