AppThreat / vulnerability-db

Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.0, purl, and vers.
MIT License

purl prefix data quality issues #153

Closed prabhu closed 1 week ago

prabhu commented 1 week ago
CVE-2019-19985 | icegram | icegram | email_subscribers_\&_newsletters | vers:icegram/<4.2.3 | pkg:generic/icegram/email_subscribers_\&_newsletters
pkg:generic/icegram/email_subscribers_\&_newsletters
prabhu commented 1 week ago
CVE-2019-17384 | eleopard | animate_it\ | animate_it\! | vers:eleopard/<2.3.6 | pkg:generic/animate_it\/animate_it\!
prabhu commented 1 week ago
CVE-2019-14686 | trendmicro | trendmicro | antivirus_\+_security_2019 | vers:trendmicro/15.0 | pkg:generic/trendmicro/antivirus_\+_security_2019
prabhu commented 1 week ago
CVE-2019-15996 | cisco | dna_spaces | dna_spaces\ | vers:cisco/_connector | pkg:generic/dna_spaces/dna_spaces\
prabhu commented 1 week ago

https://github.com/AppThreat/vuln-list/blob/main/nvd/2021/CVE-2021-27434.json

cpe:2.3:a:unified-automation:.net_based_opc_ua_client\\/server_sdk:*:*:*:*:*:*:*:*

results in

pkg:generic/.net_based_opc_ua_client\/server_sdk
prabhu commented 1 week ago

This mostly affects the NVD source. While CPE can contain special characters such as brackets, & and commas, this needs to be cleaned up before conversion to a purl prefix. This cleaning logic can be exposed to calling applications to perform normalization.

pkg:generic/[gwa]_autoresponder_project/[gwa]_autoresponder
pkg:generic/acowebs/product_labels_for_woocommerce_(sale_badges)

pkg:generic/active_directory_integration_/_ldap_integration

pkg:generic/amadercode/dropshipping_&_affiliation_with_amazon

pkg:generic/bitcoin_/_altcoin_payment_gateway_for_woocommerce

pkg:generic/call&book_mobile_bar_project/call&book_mobile_bar

pkg:generic/camsbiometrics/zkteco,_essl,_cams_biometrics_integration_module

pkg:generic/cancel_order_request_/_return_order_/_repeat_order_/_reorder_for_woocommerce

pkg:generic/clinic's_patient_management_system_project/clinic's_patient_management_system
pkg:generic/codesys/control_rte_(for_beckhoff_cx)_sl
pkg:generic/codesys/control_rte_(sl)

pkg:generic/codesys/hmi
pkg:generic/codesys/hmi_(sl)
pkg:generic/codesys/hmi_sl

pkg:generic/display_post_meta,_term_meta,_comment_meta,_and_user_meta_project/display_post_meta,_term_meta,_comment_meta,_and_user_meta

pkg:generic/doctor's_appointment_system_project/doctor's_appointment_system
pkg:generic/doctor_appointment_system_project/doctor_appointment_system
pkg:generic/f(x)_toc_project/f(x)_toc

pkg:generic/felixmoira/popup_more_popups,_lightboxes,_and_more_popup_modules

pkg:generic/i2_pros_&_cons_project/i2_pros_&_cons
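One way to implement the cleanup described in the comment above, added here as an example and not code from vulnerability-db: a small CPE 2.3 splitter that honours the backslash escapes, followed by a normalizer that reduces vendor and product to purl-safe path segments. The normalization rules (drop apostrophes, collapse any other run of characters outside `[a-z0-9.-]` into a single underscore, treat `*` and `-` as no name) and the sample CPE strings are assumptions modelled on the cases quoted in this issue.

```python
import re

# Constructed CPE 2.3 strings modelled on the cases quoted in this issue (not real NVD
# records); in NVD JSON the backslashes appear doubled, here they are the raw form.
SAMPLES = [
    r"cpe:2.3:a:unified-automation:.net_based_opc_ua_client\/server_sdk:*:*:*:*:*:*:*:*",
    r"cpe:2.3:a:icegram:email_subscribers_\&_newsletters:*:*:*:*:*:wordpress:*:*",
    r"cpe:2.3:a:acowebs:product_labels_for_woocommerce_\(sale_badges\):*:*:*:*:*:wordpress:*:*",
    r"cpe:2.3:a:clinic\'s_patient_management_system_project:clinic\'s_patient_management_system:*:*:*:*:*:*:*:*",
]

def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped ':' and drop the backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i + 1])  # escaped char is taken literally, never as a separator
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

_APOSTROPHE = re.compile("[\u2019']")
_UNSAFE_RUN = re.compile(r"[^a-z0-9.-]+")  # anything else (incl. '_') collapses to one '_'

def normalize_component(value):
    """Reduce a vendor/product field to a lowercase token usable as a purl path segment."""
    if value in ("*", "-"):  # CPE ANY / NA: no usable name (assumed rule)
        return ""
    value = _APOSTROPHE.sub("", value.lower())  # clinic's -> clinics
    return _UNSAFE_RUN.sub("_", value).strip("_")

def cpe_to_purl_prefix(cpe):
    """Return pkg:generic/<vendor>/<product>, or None when either part is unusable."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    vendor, product = normalize_component(fields[3]), normalize_component(fields[4])
    if not vendor or not product:
        return None
    return f"pkg:generic/{vendor}/{product}"

if __name__ == "__main__":
    for cpe in SAMPLES:
        print(cpe, "->", cpe_to_purl_prefix(cpe))
```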
prabhu commented 1 week ago

There are instances where the vers string includes brackets.

vers:cisco/2.0\(0.249\)
vers:cisco/10.4\(2\)
vers:cisco/2.1\(0.474\)
vers:cisco/2.2\(1.145\)
vers:cisco/2.4\(0.247\)
vers:cisco/2.1\(0.474\)
vers:cisco/2.1\(0.904\)
vers:cisco/2.2\(0.470\)
vers:cisco/2.3\(0.298\)
vers:cisco/2.1\(0.904\)
vers:cisco/2.1\(102.103\)