aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0
537 stars 202 forks

Empty `reference_id` values #1493

Open tdruez opened 4 months ago

tdruez commented 4 months ago

Looking at a package's details in the API, https://public.vulnerablecode.io/api/packages/?purl=pkg:pypi/django@5.0

It seems that we could do a better job at providing a reference_id in some cases:

```json
{
    "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json",
    "reference_id": "",
    "scores": [
        {
            "value": "7.5",
            "scoring_system": "cvssv3",
            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
    ],
    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json"
},
{
    "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680",
    "reference_id": "",
    "scores": [],
    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680"
},
{
    "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml",
    "reference_id": "",
    "scores": [
        {
            "value": "5.9",
            "scoring_system": "cvssv3.1",
            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
            "value": "MODERATE",
            "scoring_system": "generic_textual",
            "scoring_elements": ""
        }
    ],
    "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml"
},
```

....
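One way to back-fill a `reference_id` from the URL, for the cases quoted in the issue, is to match known identifier shapes (CVE, PYSEC, GHSA) in `reference_url` and leave the field empty when nothing recognizable is present. This is an added example, not VulnerableCode's code: the regexes, the `derive_reference_id` and `fill_reference_ids` names, and the normalization rules are this example's own assumptions, and the sample list is constructed from the three entries shown above plus one made-up URL that carries no identifier.

```python
import re
from typing import Optional

# Constructed sample input: the three references from the issue, trimmed to the
# two fields this example uses, plus a made-up URL with no identifier in it.
SAMPLE_REFERENCES = [
    {
        "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24680.json",
        "reference_id": "",
    },
    {
        "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24680",
        "reference_id": "",
    },
    {
        "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml",
        "reference_id": "",
    },
    {
        # Constructed URL: a vendor blog post that names no advisory identifier.
        "reference_url": "https://example.com/blog/2024/django-security-release/",
        "reference_id": "",
    },
]

# Identifier shapes, most specific first. These patterns are an assumption of
# this example (they are not VulnerableCode's), matched case-insensitively so
# that lowercase URL paths are still recognized. The GHSA suffix alphabet is
# the base32-like set GitHub uses (no 0, 1, a, b, d, e, i, k, l, n, o, u, y, z).
ID_PATTERNS = [
    ("PYSEC", re.compile(r"\bPYSEC-\d{4}-\d+\b", re.IGNORECASE)),
    ("GHSA", re.compile(r"\bGHSA(?:-[23456789cfghjmpqrstvwx]{4}){3}\b", re.IGNORECASE)),
    ("CVE", re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)),
]


def derive_reference_id(reference_url: str) -> Optional[str]:
    """Return the first known advisory identifier embedded in the URL, or None.

    CVE and PYSEC ids are normalized to upper case; GHSA ids keep the
    conventional upper-case prefix and lower-case suffix.
    """
    for kind, pattern in ID_PATTERNS:
        match = pattern.search(reference_url)
        if match:
            found = match.group(0)
            if kind == "GHSA":
                return "GHSA" + found[4:].lower()
            return found.upper()
    return None


def fill_reference_ids(references):
    """Return a copy of `references` with empty reference_id values filled in
    where an identifier can be derived from reference_url.

    Entries whose URL carries no recognizable identifier keep reference_id == "",
    since an empty id is legitimate for references such as blog posts or
    commits. Existing non-empty ids are never overwritten.
    """
    filled = []
    for ref in references:
        new_ref = dict(ref)
        if not new_ref.get("reference_id"):
            derived = derive_reference_id(new_ref["reference_url"])
            if derived:
                new_ref["reference_id"] = derived
        filled.append(new_ref)
    return filled


if __name__ == "__main__":
    for ref in fill_reference_ids(SAMPLE_REFERENCES):
        print(repr(ref["reference_id"]), "<-", ref["reference_url"])
```

Derivation only runs when the field is empty, so curated ids from an importer are never replaced, and the source list is copied rather than mutated. A URL matching several patterns yields the most specific id only; if a reference should carry several ids, the caller would need to emit one reference per match instead.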

pombredanne commented 1 month ago

Note that an empty ref id is not a bug per se.