by flotwig
1019 days ago
Looks like cURL and SQLite have the same woes: https://www.sqlite.org/cves.html Previously I worked on an open source project that pulled in many third party libraries. Users would run their corpo vulnerability scanners on the project and find dependencies with open CVEs and demand fixes, not understanding that in our usage of the libraries, the vulnerability is not exposed. I think in 4 years, we had users open roughly 50 issues like this, which corresponded to exactly 0 real world exploitable issues. A central vuln DB makes sense for sysadmins, but too many make it the end-all-be-all.