aquasecurity / trivy-db

Apache License 2.0

SUSE support: file SUSE Vulnerability data under `"CVE-yyyy-id"` vs `"SUSE-SU-yyyy:id-v"` #117

Open froh opened 3 years ago

froh commented 3 years ago

In the trivy.db `vulnerability` bucket, the `CVE-yyyy-id` entry is collecting `VendorSeverity`, vendor-specific `CVSS` scores and URL `References` data from redhat, oracle, ubuntu, ... but not from SUSE.

For SUSE, this data is instead stored only into a specific `SUSE-SU-...` or `openSUSE-SU-...` entry.

The corresponding fields are available in the testing data `pkg/vulnsrc/suse-cvrf/testdata`. The SUSE-specific `CVSSScoreSets` are empty there, but they are populated in more recent files, like `cvrf/suse/opensuse/2015/openSUSE-SU-2015-0225-1.json`.

Is this a feature or a bug?

Should the SUSE `VendorSeverity`, `CVSS` and `References` from the `SUSE-*.json` data be added to the CVE entry instead of creating a `SUSE-SU` item? Or in addition?
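A consistency check for the gap described above, written as an added example (not froh's code and not part of trivy-db): it walks advisory-keyed entries, extracts the CVE IDs from their `References`, and reports CVEs whose own entry carries no SUSE `VendorSeverity` or `CVSS`. The `VulnEntry` shape, the vendor key `suse-cvrf` and the `CVE-0000-...` IDs are constructed assumptions for this example.

```go
package main

import (
	"regexp"
	"strings"
)

// VulnEntry is a constructed stand-in for one value in the trivy-db "vulnerability"
// bucket, limited to the fields the issue discusses (not trivy-db's own type).
type VulnEntry struct {
	VendorSeverity map[string]int     // vendor -> severity level
	CVSS           map[string]float64 // vendor -> CVSS score
	References     []string           // advisory / CVE URLs
}

var cveRe = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)

// MissingVendorData scans advisory-keyed entries (key starts with advisoryPrefix), pulls
// CVE IDs out of their References, and returns every CVE whose own entry has neither
// VendorSeverity nor CVSS for vendorKey, mapped to the advisories that reference it.
func MissingVendorData(bucket map[string]VulnEntry, advisoryPrefix, vendorKey string) map[string][]string {
	out := map[string][]string{}
	for id, adv := range bucket {
		if !strings.HasPrefix(id, advisoryPrefix) {
			continue
		}
		seen := map[string]bool{} // one advisory may cite the same CVE via several URLs
		for _, cve := range cveRe.FindAllString(strings.Join(adv.References, " "), -1) {
			c, exists := bucket[cve]
			_, hasSev := c.VendorSeverity[vendorKey]
			_, hasCVSS := c.CVSS[vendorKey]
			if !seen[cve] && (!exists || (!hasSev && !hasCVSS)) {
				out[cve] = append(out[cve], id)
			}
			seen[cve] = true
		}
	}
	return out
}

// SampleBucket is constructed test data; the CVE IDs are placeholders, not real CVEs.
func SampleBucket() map[string]VulnEntry {
	return map[string]VulnEntry{
		// redhat/ubuntu data present, SUSE absent: the gap the issue describes
		"CVE-0000-0001": {VendorSeverity: map[string]int{"redhat": 3, "ubuntu": 2}, CVSS: map[string]float64{"redhat": 7.5}},
		// SUSE data already folded into the CVE entry, so it must not be reported
		"CVE-0000-0002": {VendorSeverity: map[string]int{"suse-cvrf": 3}},
		"openSUSE-SU-2015-0225-1": {VendorSeverity: map[string]int{"suse-cvrf": 3}, CVSS: map[string]float64{"suse-cvrf": 7.8},
			References: []string{"https://www.suse.com/security/cve/CVE-0000-0001", "https://www.suse.com/security/cve/CVE-0000-0002"}},
	}
}
```

Running `MissingVendorData(SampleBucket(), "openSUSE-SU-", "suse-cvrf")` reports only `CVE-0000-0001`, the entry whose SUSE data lives solely under the advisory key.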

froh commented 3 years ago

I guess I'd have to move the `VulnerabilityDetail` construction all the way up to the storing of the severity in the severity scan loop above, and use `cvuln.CVE` instead of `cvrf.Tracking.ID`?