canonical / ubuntu-com-security-api

The API for CVEs and USNs data.

CVE web page and REST API does not yield correct results when "status=" is present in the link #144

Closed zilardcherry closed 2 months ago

zilardcherry commented 3 months ago

Summary

CVE web page and REST API does not yield correct results when "status=" is present in the link

Using the fields and drop-down lists on the web page forms an HTTP query link that contains "status=", and when the Search button is pushed it returns incorrect results, i.e. all kinds of CVEs from various packages are listed.

Process

Current and expected result

1.) Copy-paste these links into your browser (without "status="); each generates 23 results (looks correct):

https://ubuntu.com/security/cves?q=&package=apport&version=jammy
https://ubuntu.com/security/cves?package=apport&version=jammy
https://ubuntu.com/security/cves?q=&package=apport&priority=&version=jammy

2.) Now copy-paste this link into your browser (WITH "status="); it generates 21436 results (bad result, all kinds of CVEs listed from various packages):

https://ubuntu.com/security/cves?q=&package=apport&version=jammy&status=

3.) Curling the REST API without "status=" ends up with the correct result:

curl -s -X GET -H "Content-Type: application/json" "https://ubuntu.com/security/cves.json?package=apport&version=jammy"
"total_results":23

4.) Curling the REST API WITH "status=" ends up with a BAD result:

curl -s -X GET -H "Content-Type: application/json" "https://ubuntu.com/security/cves.json?package=apport&version=jammy&status="
"total_results":21436

Browser details

I used chrome for testing this

dsever commented 3 months ago

I can confirm the same

curl 'https://ubuntu.com/security/cves.json?package=vim&version=focal'

"limit":20,"offset":0,"total_results":178}

curl 'https://ubuntu.com/security/cves.json?package=vim&version=focal&status=released&cve_status=active&show_hidden=false'

"limit":20,"offset":0,"total_results":5947}

If I remove status then I get 178 back again.

dsever commented 2 months ago

Can someone take a look, it is still broken:

curl "https://ubuntu.com/security/cves.json?package=vim&status=released&version=bionic" 

Results: 8956

zilardcherry commented 2 months ago

Hi CVE Team, any progress in fixing this issue?

mtruj013 commented 2 months ago

Hi @zilardcherry @dsever , we're working on this now and should have a fix up soon. Please continue to follow this issue for the latest

mtruj013 commented 2 months ago

@zilardcherry also, just to clarify, the empty status param is no longer necessary here: https://ubuntu.com/security/cves?q=&package=apport&version=jammy&status=. I included a catch when we changed this so that its inclusion doesn't lead to errors, and that's what seems to be failing here, but https://ubuntu.com/security/cves?q=&package=apport&version=jammy is the intended usage moving forward when not also querying for a specific status. This will also be reflected in the u.com pages once the overhaul project is live.
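The thread shows two things a consumer of this API wants to guard against: form-generated URLs carrying empty parameters such as `status=` (which, per the reproduction steps above, widened the result set from 23 to 21436), and a response whose `total_results` looks plausible but whose entries do not actually match the requested package and release. The following is an added example, not code from ubuntu-com-security-api or from anyone in this thread. It assumes the `cves.json` response is an object with `cves`, `limit`, `offset` and `total_results`, and that each CVE carries a `packages` list whose entries have a `name` and a `statuses` list with `release_codename` and `status` keys; only the three top-level counters are visible in the thread, the rest is an assumption about the response shape. The sample response is constructed and uses placeholder CVE ids.

```python
"""Client-side hygiene for ubuntu.com/security/cves.json queries.

Added example, not part of ubuntu-com-security-api. Field names other
than limit/offset/total_results are ASSUMED from the response shape.
"""
from urllib.parse import parse_qsl, urlencode, urlparse

CVES_JSON = "https://ubuntu.com/security/cves.json"

# Constructed sample page: a mixed page such as the "21436 results" case
# in the thread, where entries for other packages/releases slip in.
SAMPLE_RESPONSE = {
    "cves": [
        {"id": "CVE-0000-0001",
         "packages": [{"name": "apport",
                       "statuses": [{"release_codename": "jammy",
                                     "status": "released"}]}]},
        {"id": "CVE-0000-0002",
         "packages": [{"name": "vim",
                       "statuses": [{"release_codename": "focal",
                                     "status": "needed"}]}]},
        {"id": "CVE-0000-0003",
         "packages": [{"name": "apport",
                       "statuses": [{"release_codename": "jammy",
                                     "status": "needed"}]}]},
    ],
    "limit": 20,
    "offset": 0,
    "total_results": 21436,  # constructed
}


def empty_params(url):
    """Return the names of query parameters that carry an empty value.

    Form-built links such as '?q=&package=apport&priority=&version=jammy'
    produce these; the thread shows 'status=' changing the result set.
    """
    pairs = parse_qsl(urlparse(url).query, keep_blank_values=True)
    return [name for name, value in pairs if value == ""]


def build_cves_url(**params):
    """Build a cves.json URL, dropping None/empty parameters.

    This is the usage the maintainer describes: omit status entirely
    unless you are filtering on a specific status value.
    """
    clean = {k: v for k, v in params.items() if v not in (None, "")}
    return f"{CVES_JSON}?{urlencode(clean)}" if clean else CVES_JSON


def cve_matches(cve, package, release, status=None):
    """True if the CVE has a status entry for package/release (and status)."""
    for pkg in cve.get("packages", []):
        if pkg.get("name") != package:
            continue
        for entry in pkg.get("statuses", []):
            if entry.get("release_codename") != release:
                continue
            if status is None or entry.get("status") == status:
                return True
    return False


def unexpected_cves(response, package, release, status=None):
    """Return ids of CVEs on the page that do not satisfy the filter.

    A non-empty list means the server did not honour the filter you sent
    (or you sent a different filter than you thought), regardless of
    what total_results claims.
    """
    return [cve["id"] for cve in response.get("cves", [])
            if not cve_matches(cve, package, release, status)]


def page_is_filtered(response, package, release, status=None):
    """Convenience boolean for use in a smoke test or monitoring check."""
    return not unexpected_cves(response, package, release, status)


if __name__ == "__main__":
    form_url = "https://ubuntu.com/security/cves?q=&package=apport&priority=&version=jammy&status="
    print("empty params in form URL:", empty_params(form_url))
    print("clean URL:", build_cves_url(package="apport", version="jammy", status=""))
    print("unexpected on sample page:",
          unexpected_cves(SAMPLE_RESPONSE, "apport", "jammy"))
```

To use this against the live service, fetch `build_cves_url(...)` with `curl` or `urllib`, load the JSON, and run `unexpected_cves` over every page rather than trusting `total_results` alone; with `status="released"` the check is stricter and also rejects entries whose status differs.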

mtruj013 commented 2 months ago

Hi both @zilardcherry @dsever, this is fixed now. Thanks for reporting