aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities.

Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/
Chat at https://gitter.im/aboutcode-org/vulnerablecode
Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Some fixed-by version data is incorrect and needs to be investigated #1290

Open johnmhoran opened 1 year ago

johnmhoran commented 1 year ago

While @pombredanne and I were reviewing the VCIO UI, it became clear that some of the data displayed in the Fixed by packages tab of the Vulnerability details page -- and thus the data in the DB -- is incorrect. The example was a query for VCID-2nyb-8rwu-aaag. The last 2 entries in the resulting Fixed by packages tab are

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2.1

It seems counterintuitive that both of these versions would have been fixed rather than just one of them, and indeed an examination of the NVD Change History section for the CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-36518#VulnChangeHistorySection) reflects that the vulnerability was fixed in 2.13.2.1 but not in 2.13.2.

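As an added data-quality check (not VulnerableCode's own code), the script below flags fixed-by PURLs whose version is still older than the advisory's first fixed version, which is exactly the 2.13.2 vs 2.13.2.1 situation above. It assumes a simplified dotted-numeric version ordering and hypothetical helper names (`suspicious_fixed_by`, `purl_version`); real data should be compared with the univers library.

```python
"""Flag fixed-by PURLs that are still inside the affected range.

Added example, not VulnerableCode code. The version ordering here is a
simplified dotted-numeric comparison (enough for 2.13.2 vs 2.13.2.1).
"""
from itertools import zip_longest


def parse_version(version: str) -> tuple:
    """Split a dotted version into comparable parts; numeric parts sort before text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than version b (missing components count as 0)."""
    for pa, pb in zip_longest(parse_version(a), parse_version(b), fillvalue=(0, 0)):
        if pa != pb:
            return pa < pb
    return False


def purl_version(purl: str) -> str:
    """Return the version component of a Package URL (text after the last '@')."""
    # Strip qualifiers (?...) and subpath (#...) before looking for the version.
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        raise ValueError(f"PURL has no version: {purl}")
    return base.rsplit("@", 1)[1]


def suspicious_fixed_by(fixed_by_purls, first_fixed_version):
    """Return fixed-by PURLs whose version predates the first fixed version,
    i.e. packages still affected but recorded as fixing the vulnerability."""
    return [p for p in fixed_by_purls
            if version_lt(purl_version(p), first_fixed_version)]


# Constructed sample: the two entries from the issue; NVD says fixed in 2.13.2.1.
FIXED_BY = [
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2.1",
]

if __name__ == "__main__":
    for purl in suspicious_fixed_by(FIXED_BY, "2.13.2.1"):
        print("still affected, wrongly recorded as fixed-by:", purl)
```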

johnmhoran commented 1 year ago

See also this related data-quality issue I opened recently: Some UI package queries return duplicate copies of the same Package URL.

DennisClark commented 4 months ago

It still may be useful to consider converting CPE values to PURLs. Needs some analysis to specify how that can be done in a consistent manner acceptable to the community.

DennisClark commented 4 months ago

We need to:

DennisClark commented 4 months ago

A useful reference here (thanks @keshav-space):
https://github.com/scanoss/purl2cpe