Very cool! I see you submitted as the author, are you working on this? I’m very excited by the potential interoperability of tools like this with SCA tools based on source code and binary analysis. At work we’re piloting release of machine-readable security advisory documents (CSAF VEX or similar), and eventually would like to consume those or other advisories for matching against our internal SBOMs.
Glad to hear that! I form part of the team at Exein that recently open-sourced Kepler. The goal is to really flesh out the project to be embeddable (and interoperable) in many places. If you have any suggestions of any sort, please do reach out to us via our GitHub community or issues/PRs. I’m very interested in understanding more about your use-case(s).
This is sorely something the NVD/MITRE miss and really need to implement.
This seems similar in scope to what http://osv.dev/ (from Google) is currently doing? How large is the overlap, and what are the future goals?