Andrés Tito
Hi @nscuro, we would like to discuss our approach to tackle this issue.
> The most desired approach would be to favor CVE's over any of the alternative identifiers....
> Why not use some internal Dependency-Track id (e.g. INT-1234) as a main identifier for vulnerabilities and put identifiers from public vulnerability databases in the alias section from the...
> Not sure if I fully understand the PR. Does it only one vulnerability, the one from the source with the highest priority?
>
> It feels to me that...
Hi @valentijnscholten @nscuro, thank you for your comments on the PR. You're right that a more ideal solution would be to **modify the data model** to have one vulnerability with...
> Can you be more specific about which part of DT you are referring to? i.e. what are _all vulnerabilities that are given_?

Depending on the Task Scheduler, specifically...
I like the NIST implementation, so I plan to update `updateVulnerability` to start using `differ.applyIfChanged()`. To avoid unnecessary reads, I will first compare `transientVulnerability.getUpdated()` against `vulnerability.getUpdated()` to check if there...
This could be a first approach to solving the issue; however, I still see a logic problem with `synchronizeVulnerability`.

```java
private boolean isChanged(Vulnerability vulnerability, Vulnerability transientVulnerability) {
    return vulnerability.getUpdated() ==...
```