apache / security-vulnogram

Vulnogram is a tool for creating and editing CVE information in CVE JSON format
https://vulnogram.github.io/
MIT License

Remove 'defaultStatus' field #118

Closed raboof closed 4 months ago

raboof commented 7 months ago

The 'defaultStatus' field holds the status (affected/unaffected/unknown) that should be assumed for versions that do not match any of the version ranges specified for the advisory.

When not provided, it is assumed to be 'unknown' (https://github.com/CVEProject/cve-schema/blob/master/schema/v5.0/docs/versions.md#version-status-decisions).

This option can lead to confusion. I wonder if we should simply remove the option and always keep it at 'unknown' (or perhaps 'unaffected'), which seems like it'd usually be the intent.

JacquesLeRoux commented 7 months ago

Hi Arnout,

I was wondering about that. What about TLPs like Tomcat which have several stable released versions? How do they handle them?

raboof commented 7 months ago

You can specify multiple version ranges (with the '+ Version' button), so those would typically specify a version range for each supported version line. You can see an example at https://www.cve.org/CVERecord?id=CVE-2023-46589
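The status resolution discussed in this thread (one version range per supported release line, with `defaultStatus` covering every version outside those ranges and defaulting to 'unknown' when omitted), as an added example that is not part of Vulnogram or of the CVE project's code. It follows the decision rules in the cve-schema versions.md document linked above. Assumptions: versions are compared as dotted integers (a simplification; real comparison depends on `versionType`), the function names are mine, and the version data is constructed for illustration.

```python
"""Resolve a version's status against a CVE JSON 5.0 'affected' entry.

Added example (not Vulnogram's or the CVE project's code). It follows the
version-status decision rules from the cve-schema versions.md linked above:
a version takes the status of the range it falls in, adjusted by that
range's 'changes', and a version matching no range takes 'defaultStatus',
which is 'unknown' when the field is absent. Assumption: versions compare
as dotted integers (real comparison depends on 'versionType').
"""
from typing import Any, Dict, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted-integer comparison key, e.g. '1.10.2' -> (1, 10, 2)."""
    return tuple(int(part) for part in version.split("."))


def in_range(candidate: str, entry: Dict[str, Any]) -> bool:
    """True if candidate falls within one 'versions' entry.

    An entry is either a single version, or a range starting at
    'version' and bounded by 'lessThan' or 'lessThanOrEqual'.
    """
    c, start = version_key(candidate), version_key(entry["version"])
    if "lessThan" in entry:
        return start <= c < version_key(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return start <= c <= version_key(entry["lessThanOrEqual"])
    return c == start


def status_for(candidate: str, affected: Dict[str, Any]) -> str:
    """Return 'affected', 'unaffected' or 'unknown' for candidate."""
    for entry in affected.get("versions", []):
        if not in_range(candidate, entry):
            continue
        status = entry["status"]
        # 'changes' flips the status from a given version onward within the range.
        changes = sorted(entry.get("changes", []), key=lambda ch: version_key(ch["at"]))
        for change in changes:
            if version_key(candidate) >= version_key(change["at"]):
                status = change["status"]
        return status
    # No range matched: fall back to defaultStatus, 'unknown' if not provided.
    return affected.get("defaultStatus", "unknown")


# Constructed sample: two supported release lines (1.x and 2.x), each with
# its own affected range, the way a project with several stable branches
# would record them. All values are made up for illustration.
VERSIONS = [
    {"version": "1.0.0", "lessThan": "1.4.0", "status": "affected", "versionType": "semver"},
    {"version": "2.0.0", "lessThan": "2.2.0", "status": "affected", "versionType": "semver",
     "changes": [{"at": "2.1.9", "status": "unaffected"}]},
]
WITH_DEFAULT = {"defaultStatus": "unaffected", "versions": VERSIONS}
WITHOUT_DEFAULT = {"versions": VERSIONS}  # defaultStatus omitted -> 'unknown'

if __name__ == "__main__":
    for candidate in ["1.2.0", "1.4.0", "2.1.8", "2.1.9", "3.0.0"]:
        print(candidate,
              status_for(candidate, WITH_DEFAULT),
              status_for(candidate, WITHOUT_DEFAULT))
```

Running the block shows the point of the issue: the same two ranges yield 'unaffected' for 1.4.0 and 3.0.0 when `defaultStatus` is set explicitly, but 'unknown' when the field is left out, which is what a reader of the record will assume about every unlisted version.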

JacquesLeRoux commented 7 months ago

Ah yes, indeed I missed that, thanks Arnout.