Current Behavior
At present, when uploading SBOMs for an Amazon Linux 2023-based AMI, the AMI is reported as "not vulnerable" because the SBOM contains packages prefixed with amzn (or similar). The end result is that no security vulnerabilities are reported by Dependency Track on these AMIs, even though Amazon's own AWS Inspector or the Amazon Linux Security Center reports multiple issues.
Proposed Behavior
Include Amazon Linux Security Center vulnerability feeds as another data source. They apply specifically to Amazon Linux packages, so this should not interfere with other data source providers.
An example would be to incorporate the output of the Amazon Linux Security Center via an RSS feed or similar.
Depending upon complexity, we are happy to help implement this, but would require guidance on the best way forward.
Thinking ahead, there are similar requirements for GCP / Azure too.
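As an added illustration of the matching such a data source would have to do (this is not code from this issue or from the Dependency-Track project; Python is used here for a runnable sketch rather than the project's Java), the block below parses an advisory record, extracts package name/epoch/version/release from each rpm purl in an SBOM, keeps only builds carrying the amzn release tag, and reports a component as affected when its EVR sorts older than the advisory's fixed EVR under RPM version ordering. It assumes, as far as I know correctly, that the fixed package versions live in the updateinfo metadata Amazon Linux ships with its repositories (the RSS feed mentioned above carries advisory IDs and CVEs, not package NEVRs), so the advisory sample is written in updateinfo.xml style; the ALAS ID, CVE, versions and purls are all constructed for the example.

```python
"""Match Amazon Linux advisory metadata against SBOM rpm purls (illustration)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote

# Constructed sample in the shape of a yum/dnf updateinfo.xml security record.
# The advisory ID, CVE and versions are made up for illustration.
SAMPLE_UPDATEINFO = """<updates>
  <update from="linux-security@amazon.com" status="final" type="security" version="1">
    <id>ALAS2023-2000-0001</id>
    <title>Amazon Linux 2023 - example advisory</title>
    <severity>important</severity>
    <references>
      <reference href="https://example.invalid/CVE-2000-0001" id="CVE-2000-0001" type="cve" title="CVE-2000-0001"/>
    </references>
    <pkglist>
      <collection short="amazonlinux">
        <package name="openssl" epoch="1" version="3.0.8" release="1.amzn2023.0.6" arch="x86_64">
          <filename>openssl-3.0.8-1.amzn2023.0.6.x86_64.rpm</filename>
        </package>
        <package name="openssl-libs" epoch="1" version="3.0.8" release="1.amzn2023.0.6" arch="x86_64">
          <filename>openssl-libs-3.0.8-1.amzn2023.0.6.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""

# Constructed CycloneDX-style purls for an AL2023 image (versions made up).
# The epoch may appear as a qualifier or percent-encoded inside the version.
SAMPLE_PURLS = [
    "pkg:rpm/amazon/openssl-libs@3.0.8-1.amzn2023.0.5?arch=x86_64&epoch=1&distro=amzn-2023",
    "pkg:rpm/amazon/openssl@1%3A3.0.8-1.amzn2023.0.6?arch=x86_64&distro=amzn-2023",
    "pkg:rpm/amazon/curl@8.3.0-1.amzn2023.0.1?arch=x86_64&distro=amzn-2023",
]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way librpm's rpmvercmp does."""
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Separators are ignored; '~' is significant and sorts before everything.
        while ia < len(a) and not a[ia].isalnum() and a[ia] != "~":
            ia += 1
        while ib < len(b) and not b[ib].isalnum() and b[ib] != "~":
            ib += 1
        ta, tb = ia < len(a) and a[ia] == "~", ib < len(b) and b[ib] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        # Take one maximal run of digits or of letters from each side.
        isnum = a[ia].isdigit()
        ja, jb = ia, ib
        if isnum:
            while ja < len(a) and a[ja].isdigit():
                ja += 1
            while jb < len(b) and b[jb].isdigit():
                jb += 1
        else:
            while ja < len(a) and a[ja].isalpha():
                ja += 1
            while jb < len(b) and b[jb].isalpha():
                jb += 1
        seg_a, seg_b = a[ia:ja], b[ib:jb]
        if not seg_b:  # segment types differ: a numeric segment is newer than alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        ia, ib = ja, jb
    ra, rb = len(a) - ia, len(b) - ib  # the side with characters left over is newer
    return 0 if ra == rb else (1 if ra > rb else -1)


def compare_evr(e1, v1, r1, e2, v2, r2) -> int:
    """Order (epoch, version, release) tuples: epoch first, then version, then release."""
    if int(e1 or 0) != int(e2 or 0):
        return 1 if int(e1 or 0) > int(e2 or 0) else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_rpm_purl(purl: str):
    """Return (name, epoch, version, release, arch) from a pkg:rpm purl."""
    body, _, qs = purl.partition("?")
    parts = body.split(":", 1)[1].split("/")  # drop the "pkg" scheme
    if parts[0] != "rpm":
        raise ValueError(f"not an rpm purl: {purl}")
    name, _, ver = parts[-1].partition("@")
    ver = unquote(ver)
    quals = {k: v[0] for k, v in parse_qs(qs).items()}
    epoch = "0"
    if ":" in ver:
        epoch, ver = ver.split(":", 1)
    epoch = quals.get("epoch", epoch)
    version, _, release = ver.rpartition("-")
    return unquote(name), epoch, version, release, quals.get("arch", "")


def parse_updateinfo(xml_text: str):
    """Yield (advisory id, severity, cves, [(name, epoch, version, release, arch)]) per security update."""
    for upd in ET.fromstring(xml_text).findall("update"):
        if upd.get("type") != "security":
            continue
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("epoch", "0"), p.get("version"), p.get("release"), p.get("arch", ""))
                for p in upd.iter("package")]
        yield upd.findtext("id"), upd.findtext("severity"), cves, pkgs


def find_affected(purls, xml_text):
    """Report amzn-built components whose EVR is older than an advisory's fixed EVR."""
    findings = []
    advisories = list(parse_updateinfo(xml_text))
    for purl in purls:
        name, epoch, ver, rel, arch = parse_rpm_purl(purl)
        if "amzn" not in rel:
            continue  # only Amazon Linux builds are in scope for this source
        for adv_id, sev, cves, pkgs in advisories:
            for pname, pepoch, pver, prel, parch in pkgs:
                if pname != name or (arch and parch and parch not in ("noarch", arch)):
                    continue
                if compare_evr(epoch, ver, rel, pepoch, pver, prel) < 0:
                    findings.append({"purl": purl, "advisory": adv_id, "severity": sev,
                                     "cves": cves, "fixed": f"{pepoch}:{pver}-{prel}"})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_PURLS, SAMPLE_UPDATEINFO):
        print(f"{f['purl']} affected by {f['advisory']} ({f['severity']}): {f['cves']}, fixed in {f['fixed']}")
```

With the constructed inputs only openssl-libs is flagged: it is one release behind the advisory, while openssl is already at the fixed build and curl has no advisory. The caveat for a real analyzer is that a distro advisory states only the fixed version, not when the flaw was introduced, so any older build matches; that is the usual trade-off for OS package feeds and is what Inspector-style tooling reports as well.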