| ▲ | dlor 5 hours ago | |
Enriching does a few things, but the main ones are adding CVSS information and CPE information. CVSS (risk) is already well handled by other sources, but CPE (what software is affected) is kind of critical. I don't even know how they're going to focus enrichment on software the government uses without knowing what software the CVEs are in. | ||
| ▲ | DeepYogurt 4 hours ago | parent [-] | |
CPE is a joke. The offical spec doc asserts that correctness of names is not in scope for the spec. See section 5. Well-Formed CPE Name Data Model | ||