
C004 — Fix Availability for Vulnerable Open Source Components — Self-Audit

Contents

Process Audit (Analytical Domains)

| Domain | Rating | Rationale |
| --- | --- | --- |
| Evaluation Consistency | Pass | Sonatype (vendor source, high conflict of interest) and Moderne (vendor source, high conflict of interest) were both flagged for commercial bias. Neither was given undue credibility despite both provi |
| Synthesis Fairness | Concern | The synthesis may slightly over-weight the Moderne finding (only 30% patch bumps) relative to the Sonatype finding (95% fix available). The Moderne data is from Java repositories only, while the Sonat |

Source-Back Verification

Sources verified: 3

No discrepancies found.
