Hmm, that didn't work as expected. I added a second instance of OSS Index as a vulnerability source and used that second source on a specific feed. I let the scheduled job run last night and tried to download a package with a vulnerability in another feed, but despite the same settings being applied to both feeds and the same vulnerability source being used, I managed to download the vulnerable package in one feed but not the other?
Posts made by joacim.svensson_8194
-
RE: Is it possible to have feed-specific assessments of vulnerabilities?
-
RE: Is it possible to have feed-specific assessments of vulnerabilities?
@atripp Sorry, I completely missed your answer here.
I'm wondering, even if I create a second source for vulnerabilities - isn't the vulnerability (and related block or no-block) global? Would dual sources mean that there would be duplicates of each vulnerability? The assessment doesn't seem related to the source, but rather to the vulnerability, or is that only how it appears in the UI?
-
Is it possible to have feed-specific assessments of vulnerabilities?
We have a use case where one of our internal applications wants to utilise our global feed's ability to scan for vulnerabilities and do automatic assessment, but they want their own feed to do their own assessments that are application-specific.
From what I've understood, scanning is feed-specific and blocking is feed-specific, but assessment is global? Am I missing something?
-
Edit vulnerability?
Hi!
Am I just a little bit dumb or illiterate, or is there no way to edit a (manually added) vulnerability? Is the only option to delete the old one and replace it with a new one? In my case I want to edit the affected versions of a package, and it seems very unintuitive having to create an almost identical new vulnerability just to accomplish that.