by pombreda
373 days ago
> isn't the issue that sometimes a given scanner can't know from where the package is sourced?

That's the problem: there is no metadata with or in libssl.so.1 that I can reliably use to tell what this is. Eventually I can see a solution made of:

1. create the metadata, say a simple YAML or deb822 key-value pair file that can then be included upstream or as an overlay
2. define a simple spec for binary formats to include a PURL (say in an ELF section or a WinPE string of sorts, where many of these are already stored)
3. create content-based tools like we have in PurlDB to match code, but maybe more like a bunch of generated yara rules that would match symbols and strings from source to binaries and can recognize that libssl.so.1 is from OpenSSL 1.1.1g.
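A sketch of how points 2 and 3 of the comment above could fit together, added here as an illustration rather than code from PurlDB or the commenter: an embedded PURL string, if present, wins; otherwise a small rule table (standing in for generated yara rules) matches the version text OpenSSL compiles into its library. The rule pattern, the `pkg:deb/debian/libssl1.1@1.1.1g-1` value and the two fake binaries are constructed for this example.

```python
import re
from typing import Optional

# Constructed rules standing in for the "generated yara rules" idea:
# (component name, byte pattern with one version group, PURL template).
CONTENT_RULES = [
    ("openssl",
     re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\s+\d{1,2} [A-Z][a-z]{2} \d{4}"),
     "pkg:generic/openssl@{version}"),
]

# An explicitly embedded PURL (e.g. a NUL-terminated string placed in a
# dedicated ELF section) is preferred over any content heuristic. A real
# scanner should only trust it when it sits in the agreed section, not
# anywhere in the file, since any string can start with "pkg:".
EMBEDDED_PURL = re.compile(rb"pkg:[a-z][a-z0-9.+-]*/[^\x00\s]+")


def find_embedded_purl(blob: bytes) -> Optional[str]:
    m = EMBEDDED_PURL.search(blob)
    return m.group(0).decode("ascii") if m else None


def match_content_rules(blob: bytes) -> Optional[str]:
    for _name, pattern, template in CONTENT_RULES:
        m = pattern.search(blob)
        if m:
            return template.format(version=m.group(1).decode("ascii"))
    return None


def identify(blob: bytes) -> Optional[str]:
    """Return the best PURL guess for a binary, or None if nothing matches."""
    return find_embedded_purl(blob) or match_content_rules(blob)


# Constructed stand-ins for two builds of libssl.so.1 (not real binaries):
# one carrying only OpenSSL's own version text, one also tagged with a PURL.
PLAIN_LIB = b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.1.1g  21 Apr 2020\x00" + b"\xcc" * 8
TAGGED_LIB = PLAIN_LIB + b"\x00pkg:deb/debian/libssl1.1@1.1.1g-1\x00"

if __name__ == "__main__":
    print(identify(PLAIN_LIB))   # pkg:generic/openssl@1.1.1g
    print(identify(TAGGED_LIB))  # pkg:deb/debian/libssl1.1@1.1.1g-1
```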