aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Should the apache_httpd importer include data re fixed versions from httpd.apache.org/security/ HTML files? #1019

Open johnmhoran opened 1 year ago

johnmhoran commented 1 year ago

Exploring the json URL we currently use in the apache_httpd.py fetch_links() function (https://httpd.apache.org/security/json/), if I navigate up 1 step to https://httpd.apache.org/security/, I see that https://httpd.apache.org/security/ contains links to 4 HTML files (listed below), each of which contains information re which CVEs are fixed in which versions of Apache HTTP Server.

Do we want to fetch, analyze and include this information in the fixed_version field of the affected_packages list for each advisory/CVE?

pombredanne commented 1 year ago

See https://github.com/apache/httpd-site/tree/main/content/security