Closed pereyra-m closed 1 year ago
Thanks again for raising this @pereyra-m
To explain, this is actually related to https://github.com/canonical/ubuntu-com-security-api/issues/115. A status as far as a CVE is concerned can mean two separate things: the actual CVE status ("not-in-ubuntu", "active", "rejected") and the status of a package in relation to a specific Ubuntu release ("released", "DNE", "needed", "not-affected", "deferred", "needs-triage", "ignored", "pending"). The `status` parameter refers to package status. I added the ability to query by `cve_status` in this PR; however, the default functionality of returning only active CVEs unless otherwise specified remains unchanged.
As this CVE has a status of "not-in-ubuntu" adding that as a param to your query would fix this issue: https://ubuntu.com/security/cves.json?limit=1&q=CVE-2021-1345&cve_status=not-in-ubuntu
Obtaining the CVE individually as you mentioned above was unaffected because that calls a separate endpoint which does not filter by active CVEs by default.
I'm closing this as it is now behaving as expected, but please feel free to reopen this issue if you continue to have problems.
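The filter behaviour described in the comment above, as an added client-side example (not code from the ubuntu-com-security-api project): a lookup that tries each CVE status in turn, so a scanner does not treat a non-active CVE as missing. Assumptions: the response JSON has a `cves` list whose items carry an `id` field; `stub_fetch`, its sample records and `CVE-0000-0001` are constructed so the block runs offline.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import urlopen

BASE = "https://ubuntu.com/security/cves.json"
# CVE-level statuses named in the comment above
CVE_STATUSES = ("active", "not-in-ubuntu", "rejected")

def build_url(cve_id, cve_status=None, limit=1):
    """Build a cves.json query; omitting cve_status leaves the server default."""
    params = {"limit": limit, "q": cve_id}
    if cve_status is not None:
        params["cve_status"] = cve_status
    return BASE + "?" + urlencode(params)

def http_fetch(url):
    """Real network fetch (not called in this example)."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)

def find_cve(cve_id, fetch=http_fetch):
    """Query once per CVE status; return (status, record) or (None, None)."""
    for status in CVE_STATUSES:
        body = fetch(build_url(cve_id, status))
        for cve in body.get("cves", []):  # assumed response shape
            if cve.get("id") == cve_id:
                return status, cve
    return None, None

# Constructed sample data standing in for the server's database.
SAMPLE = [
    {"id": "CVE-2021-1345", "status": "not-in-ubuntu"},  # status from the comment
    {"id": "CVE-0000-0001", "status": "active"},          # constructed placeholder
]

def stub_fetch(url):
    """Constructed stand-in server: returns only active CVEs unless cve_status is given."""
    q = parse_qs(urlparse(url).query)
    wanted = q.get("cve_status", ["active"])[0]
    hits = [c for c in SAMPLE if c["id"] == q["q"][0] and c["status"] == wanted]
    return {"cves": hits[: int(q["limit"][0])]}

if __name__ == "__main__":
    print(stub_fetch(build_url("CVE-2021-1345")))   # default filter: empty list
    print(find_cve("CVE-2021-1345", stub_fetch))    # found under not-in-ubuntu
```

Pass `http_fetch` (the default) instead of `stub_fetch` to run the same lookup against the live endpoint.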
Great! Thank you!
Summary
There are certain vulnerabilities that can be obtained individually but aren't returned by the general API using a filter. See example below.
Process
This CVE can be obtained individually
And also in the `cves.json` endpoint using a filter
But with another CVE we have a different behavior. This CVE can be obtained individually
But not using a filter
Current and expected result
It seems that the `cves.json` endpoint doesn't contain all the available vulnerabilities. This endpoint should have the same content as the `cves/{cve_id}.json` one.
Browser details
Brave browser: [Versión 1.43.89 Chromium: 105.0.5195.102 (Build oficial) (64 bits)]