Add support for Red Hat advisory scans

Proposal

The PossiblyAffectedOccurrencesFinder class only considers whether the name and PURL type of a source package or component match. This works for most advisories that we scan for, but it is not sufficient for Red Hat advisories, because Red Hat advisories consider the CPE when evaluating whether a component version is vulnerable to an advisory.[1] This issue proposes filtering out any SBOM occurrences which do not have a CPE matching the one in the advisory.
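The following is an added illustration of the proposed filter, not GitLab's own code and not the exact Red Hat comparison methodology referenced in the footnote. It assumes plain Ruby structs for occurrences and advisories, CPE 2.3 formatted strings, and a simplified matching rule in which an advisory CPE component of `*` (ANY) matches any value and all other components must match case-insensitively. Occurrences with no CPE, or with a malformed one, are filtered out for Red Hat advisories; advisories with no CPE list keep the current name-and-PURL-type behaviour.

```ruby
# Added example (not GitLab's code). Assumed shapes for occurrences and
# advisories; the real finder works on ActiveRecord models.
Occurrence = Struct.new(:name, :purl_type, :cpe, keyword_init: true)
Advisory   = Struct.new(:name, :purl_type, :cpes, keyword_init: true)

# Split a CPE 2.3 formatted string into its 11 attribute components
# (part, vendor, product, version, update, edition, language, sw_edition,
# target_sw, target_hw, other). Returns nil for anything malformed so that a
# bad CPE never accidentally matches.
def parse_cpe(cpe)
  return nil unless cpe.is_a?(String) && cpe.start_with?('cpe:2.3:')
  parts = cpe.split(':', -1) # -1 keeps trailing empty fields
  return nil unless parts.length == 13
  parts[2..]
end

# Simplified CPE name matching (assumption, not the Red Hat methodology):
# '*' in the advisory CPE means ANY; other components must match exactly,
# ignoring case.
def cpe_match?(advisory_cpe, occurrence_cpe)
  a = parse_cpe(advisory_cpe)
  o = parse_cpe(occurrence_cpe)
  return false if a.nil? || o.nil?
  a.zip(o).all? { |x, y| x == '*' || x.casecmp?(y) }
end

# Existing behaviour: name and PURL type must match. Proposed addition: when
# the advisory carries CPEs (Red Hat), the occurrence must also match one.
def possibly_affected(occurrences, advisory)
  occurrences.select do |occ|
    next false unless occ.name == advisory.name && occ.purl_type == advisory.purl_type
    next true if advisory.cpes.nil? || advisory.cpes.empty?
    advisory.cpes.any? { |cpe| cpe_match?(cpe, occ.cpe) }
  end
end

# Constructed sample data, not taken from any real advisory or SBOM.
SAMPLE_ADVISORY = Advisory.new(
  name: 'openssl', purl_type: 'rpm',
  cpes: ['cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*']
)
SAMPLE_OCCURRENCES = [
  Occurrence.new(name: 'openssl', purl_type: 'rpm', cpe: 'cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*'),
  Occurrence.new(name: 'openssl', purl_type: 'rpm', cpe: 'cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*'),
  Occurrence.new(name: 'openssl', purl_type: 'rpm', cpe: nil),
  Occurrence.new(name: 'openssl', purl_type: 'deb', cpe: 'cpe:2.3:o:redhat:enterprise_linux:9:*:*:*:*:*:*:*')
]

if __FILE__ == $PROGRAM_NAME
  possibly_affected(SAMPLE_OCCURRENCES, SAMPLE_ADVISORY).each { |occ| puts occ.to_h }
end
```

With the constructed data only the first occurrence survives: the second has a different version component, the third has no CPE, and the fourth fails the existing PURL type check before CPEs are consulted. Treating a missing or unparseable CPE as a non-match is the conservative reading of the proposal; whether such occurrences should instead fall back to name-only matching is a decision for the implementation plan.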

Implementation plan

TODO

Verification

TODO

[1] The exact methodology for the comparison is covered in detail in #424182 (comment 1714159132).

Edited by 🤖 GitLab Bot 🤖