CVEProject / cvelistV5

CVE cache of the official CVE List in CVE JSON 5 format

Affected versions incorrectly migrated from V4 #52

Open jspisiak-istrosec opened 4 months ago

jspisiak-istrosec commented 4 months ago

Problem a

Around one thousand affected products have a version specifier where version == lessThanOrEqual. This might be because of the transformation from the v4 schema. In the v5 schema, however, this situation causes incomplete versioning information, since according to the lessThanOrEqual documentation the matched version should be within the closed interval [version, lessThanOrEqual], which when version == lessThanOrEqual covers only a single version. Usually the description of the CVE also specifies that versions earlier than version were affected, thus I believe this migration to be incorrect.

Some examples:

Problem b

Some affected products have a version where version == lessThan + "*". This might be caused by v4 data containing version_affected == ">=". I am not sure what the correct transformation should be, but currently it produces a strange result where the lessThan specifier might have a value such as 1.3.0*.

Some examples:

Thank you for your input
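A checker for the two patterns described in this issue, added here as an example and not part of the cvelistV5 project: it walks the `containers.cna.affected[].versions[]` entries of a CVE JSON 5 record and flags a collapsed closed interval (version == lessThanOrEqual) and a wildcard upper bound (lessThan equal to version followed by "*"). The record below is constructed, the CVE id is a placeholder, and the `cves/**/CVE-*.json` directory layout used by `scan_directory` is assumed.

```python
import json
from pathlib import Path

# Constructed CVE JSON 5 record for demonstration; not a real CVE, id is a placeholder.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {"cna": {"affected": [
        {"vendor": "ExampleVendor", "product": "ExampleProduct", "versions": [
            # Problem a: closed interval [2.4.1, 2.4.1] covers a single version only
            {"version": "2.4.1", "status": "affected", "lessThanOrEqual": "2.4.1", "versionType": "custom"},
            # Problem b: upper bound carries a trailing wildcard
            {"version": "1.3.0", "status": "affected", "lessThan": "1.3.0*", "versionType": "custom"},
            # Well-formed half-open range [0, 3.0.0): should not be flagged
            {"version": "0", "status": "affected", "lessThan": "3.0.0", "versionType": "semver"},
            # Single exact version with no range: should not be flagged
            {"version": "5.1", "status": "affected"},
        ]},
    ]}},
})


def find_suspicious_versions(record_json):
    """Return (vendor/product, version, reason) tuples for every versions[] entry
    that matches one of the two migration patterns from the issue."""
    record = json.loads(record_json)
    containers = record.get("containers", {})
    # "affected" may appear in the CNA container and in each ADP container.
    blocks = [containers.get("cna", {})] + list(containers.get("adp", []))
    findings = []
    for block in blocks:
        for affected in block.get("affected", []):
            product = f'{affected.get("vendor", "?")}/{affected.get("product", "?")}'
            for entry in affected.get("versions", []):
                version = entry.get("version")
                lte = entry.get("lessThanOrEqual")
                lt = entry.get("lessThan")
                if lte is not None and lte == version:
                    findings.append((product, version, "closed interval collapses to a single version"))
                elif lt is not None and lt.endswith("*") and lt.rstrip("*") == version:
                    findings.append((product, version, "wildcard in lessThan"))
    return findings


def scan_directory(root):
    """Run the check over every CVE-*.json under root (assumed cvelistV5 layout)."""
    results = {}
    for path in Path(root).rglob("CVE-*.json"):
        hits = find_suspicious_versions(path.read_text(encoding="utf-8"))
        if hits:
            results[path.name] = hits
    return results
```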