Closed. prabhu closed this 4 years ago.
This is going to take a bit of work and might likely break some structures used for serialization.
Ok, here is my big plan. Grafeas design just sucks! It duplicates Vulnerability details per note instead of working with reference - discussion. I am going to stick with using Vulnerability Occurrence but enhance PackageIssue and Vulnerability Detail by adding support for:
`min_affected_version_including`, `min_affected_version_excluding`, `max_affected_version_including`, `max_affected_version_excluding`
Well, ideally you would have an object for version numbers instead of string so maybe that is something to consider while working on this ticket.
There are known issues with version excludes not being handled correctly. This is partly because of adopting grafeas data structures, which do not support storing exclude details explicitly.
https://github.com/AppThreat/vulndb/blob/master/vulndb/lib/nvd.py#L164 https://github.com/AppThreat/vulndb/blob/master/vulndb/lib/gha.py#L145
The downside of this limitation is that there could be more false positives from this tool when the right excluded package gets used.
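Added illustration, not code from vulndb or Grafeas: the four explicit bounds proposed in this thread as a small Python range object, beside an inclusive-only check that reproduces the false positive described above when a fixed version can only be stored as an inclusive upper bound. `parse_version` is a hypothetical helper that handles plain dotted-numeric versions only.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Hypothetical helper: turn "2.3.1" into (2, 3, 1) for tuple comparison.
    Real ecosystems (semver, PEP 440, Maven) need their own comparators."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class AffectedRange:
    # The four explicit bounds from the proposal; None means unbounded.
    min_affected_version_including: Optional[str] = None
    min_affected_version_excluding: Optional[str] = None
    max_affected_version_including: Optional[str] = None
    max_affected_version_excluding: Optional[str] = None

    def affects(self, version: str) -> bool:
        """True when `version` falls inside the affected range."""
        v = parse_version(version)
        if self.min_affected_version_including is not None and v < parse_version(self.min_affected_version_including):
            return False
        if self.min_affected_version_excluding is not None and v <= parse_version(self.min_affected_version_excluding):
            return False
        if self.max_affected_version_including is not None and v > parse_version(self.max_affected_version_including):
            return False
        if self.max_affected_version_excluding is not None and v >= parse_version(self.max_affected_version_excluding):
            return False
        return True


def lossy_affects(version: str, min_version: str, max_version: str) -> bool:
    """Inclusive-only check, mimicking a store with no 'excluding' field.
    When the fixed version has to be recorded as the upper bound, that fixed
    version itself is reported as affected: the false positive from the thread."""
    return parse_version(min_version) <= parse_version(version) <= parse_version(max_version)


if __name__ == "__main__":
    # Constructed sample: affected from 2.0.0 up to, but not including, the 2.3.1 fix.
    rng = AffectedRange(min_affected_version_including="2.0.0", max_affected_version_excluding="2.3.1")
    print("2.3.0 affected:", rng.affects("2.3.0"))          # True
    print("2.3.1 affected (explicit exclude):", rng.affects("2.3.1"))  # False
    print("2.3.1 affected (inclusive-only):", lossy_affects("2.3.1", "2.0.0", "2.3.1"))  # True
```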