AppThreat / vulnerability-db

Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.0, purl, and vers.
MIT License

Group/Vendor information is not used during search #2

Closed prabhu closed 4 years ago

prabhu commented 4 years ago

Package search is purely based on the name and version string.

https://github.com/AppThreat/vulndb/blob/master/vulndb/lib/db.py#L114

This leads to situations where the same packages belonging to different vendors could get flagged erroneously (false positives). For example, the postgresql client could be misinterpreted as the server, since the names are the same, differing only in the group.

Some effort is required to fix this limitation

prabhu commented 4 years ago

There is now an api for performing vendor, name and version based searches - https://github.com/AppThreat/vulndb/blob/master/vulndb/lib/db.py#L142

Such searches are non-indexed but are still performant to an extent.
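The false positive described in the issue, and the vendor-aware lookup from the second comment, side by side as an added example. This is not vulndb's own code or schema: it builds a small in-memory sqlite table with constructed rows (the EXAMPLE-000x IDs are placeholders, not real CVE records, and the versions are made up for illustration), parses a purl subset, and treats the purl namespace as the vendor/group column, which is an assumption about how the two map. A name+version search for the JDBC client `pkg:maven/org.postgresql/postgresql` matches the server record; the vendor-aware search does not. The last two functions show that the vendor-aware query becomes indexed once a composite index exists.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample rows for this example only. They are not vulndb data and
# the IDs are not real CVE identifiers. The columns are the three fields the
# issue talks about: vendor (purl namespace / group), name and affected version.
SAMPLE_ROWS = [
    ("EXAMPLE-0001", "postgresql", "postgresql", "12.0"),        # the server
    ("EXAMPLE-0002", "org.postgresql", "postgresql", "42.2.5"),  # the JDBC client
    ("EXAMPLE-0003", None, "lodash", "4.17.0"),                  # npm, no namespace
]


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Minimal purl parser for pkg:type/[namespace/]name[@version].
    Qualifiers (?...) and subpaths (#...) are dropped; enough for the lookup."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[4:].lstrip("/").split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if not ptype or not rest:
        raise ValueError("purl needs a type and a name: %r" % purl)
    rest, _, version = rest.partition("@")  # scoped npm names encode '@' as %40
    parts = rest.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return Purl(ptype, namespace, name, unquote(version) or None)


def build_db() -> sqlite3.Connection:
    """Constructed table with an index on (name, version) only, mirroring a
    search that keys on those two fields."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vulns (id TEXT, vendor TEXT, name TEXT, version TEXT)")
    conn.execute("CREATE INDEX vulns_name_version ON vulns (name, version)")
    conn.executemany("INSERT INTO vulns VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_name_version(conn, name: str, version: str) -> List[str]:
    """Name + version only: the behaviour the issue reports. The vendor is
    ignored, so a same-named package from another vendor matches too."""
    cur = conn.execute("SELECT id FROM vulns WHERE name = ? AND version = ?", (name, version))
    return [row[0] for row in cur]


def search_vendor_name_version(conn, vendor: Optional[str], name: str, version: str) -> List[str]:
    """Vendor-aware lookup. A purl without a namespace gives vendor=None, and
    then there is nothing to disambiguate on, so it falls back to name + version."""
    if vendor is None:
        return search_name_version(conn, name, version)
    cur = conn.execute(
        "SELECT id FROM vulns WHERE vendor = ? AND name = ? AND version = ?",
        (vendor, name, version),
    )
    return [row[0] for row in cur]


def lookup(conn, purl: str, vendor_aware: bool = True) -> List[str]:
    """Resolve a purl to matching records; namespace -> vendor is an assumption."""
    p = parse_purl(purl)
    if vendor_aware:
        return search_vendor_name_version(conn, p.namespace, p.name, p.version)
    return search_name_version(conn, p.name, p.version)


def index_used(conn) -> str:
    """Return sqlite's query plan text for the vendor-aware query."""
    rows = conn.execute(
        "EXPLAIN QUERY PLAN SELECT id FROM vulns WHERE vendor = ? AND name = ? AND version = ?",
        ("postgresql", "postgresql", "12.0"),
    ).fetchall()
    return " ".join(str(row[-1]) for row in rows)


def add_vendor_index(conn) -> None:
    """Composite index that makes the vendor-aware search an indexed lookup."""
    conn.execute("CREATE INDEX vulns_vendor_name_version ON vulns (vendor, name, version)")
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    client = "pkg:maven/org.postgresql/postgresql@12.0"  # constructed version
    print("name+version :", lookup(db, client, vendor_aware=False))  # false positive
    print("vendor-aware :", lookup(db, client))                      # no match
    print("plan before  :", index_used(db))
    add_vendor_index(db)
    print("plan after   :", index_used(db))
```

The matching here is exact string equality on the version, which is the narrowest reading of "name and version string"; a real lookup would compare the purl version against affected ranges with vers rather than a single literal. The fallback for a namespace-less purl is deliberate: an npm package such as lodash has no group, so the vendor-aware path must still find its records instead of silently returning nothing.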