Closed zilardcherry closed 2 months ago
I can confirm the same
curl 'https://ubuntu.com/security/cves.json?package=vim&version=focal'
"limit":20,"offset":0,"total_results":178}
curl 'https://ubuntu.com/security/cves.json?package=vim&version=focal&status=released&cve_status=active&show_hidden=false'
"limit":20,"offset":0,"total_results":5947}
If I remove status, then I have 178 back again.
Can someone take a look? It is still broken:
curl "https://ubuntu.com/security/cves.json?package=vim&status=released&version=bionic"
Results: 8956
Hi CVE Team, any progress in fixing this issue?
Hi @zilardcherry @dsever, we're working on this now and should have a fix up soon. Please continue to follow this issue for the latest
@zilardcherry also, just to clarify, the empty status param is no longer necessary here https://ubuntu.com/security/cves?q=&package=apport&version=jammy&status=. I included a catch when we changed this so its inclusion doesn't lead to errors and that's what seems to be failing here, but https://ubuntu.com/security/cves?q=&package=apport&version=jammy is the intended usage moving forward when not also querying for a specific status. This will also be reflected in the u.com pages once the overhaul project is live
Hi both @zilardcherry @dsever, this is fixed now. Thanks for reporting
Summary
The CVE web page and REST API do not yield correct results when "status=" is present in the link
Using the fields and drop-down lists on the web page forms an HTTP query link that contains "status=", and when the Search button is pushed it returns incorrect results, i.e. all kinds of CVEs are listed from various packages
Process
Current and expected result
1.) Copy-paste these links into your browser (without "status="), it will generate 23 results (looks correct):
https://ubuntu.com/security/cves?q=&package=apport&version=jammy
https://ubuntu.com/security/cves?package=apport&version=jammy
https://ubuntu.com/security/cves?q=&package=apport&priority=&version=jammy
2.) Now copy-paste this link into your browser (WITH "status="), it will generate 21436 results (bad result, all kinds of CVEs listed from various packages):
https://ubuntu.com/security/cves?q=&package=apport&version=jammy&status=
3.) Curling the REST API without "status=" will end up in a correct result:
curl -s -X GET -H "Content-Type: application/json" "https://ubuntu.com/security/cves.json?package=apport&version=jammy"
"total_results":23
4.) Curling the REST API WITH "status=" will end up in a BAD result:
curl -s -X GET -H "Content-Type: application/json" "https://ubuntu.com/security/cves.json?package=apport&version=jammy&status="
"total_results":21436
Browser details
I used Chrome for testing this
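A client-side guard for the behaviour reported above, as an added example that is not part of the original issue or of the ubuntu.com code: it leaves empty parameters out of a query and flags a response in which adding a filter made `total_results` grow. The function names are hypothetical, and the sample bodies are constructed from the three fields and the counts quoted in the thread.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# Endpoint quoted in the thread; nothing below contacts it.
BASE = "https://ubuntu.com/security/cves.json"

# Constructed sample bodies: only the three fields and the counts quoted
# in the thread (real responses carry more data).
SAMPLE_NO_STATUS = '{"limit":20,"offset":0,"total_results":23}'
SAMPLE_EMPTY_STATUS = '{"limit":20,"offset":0,"total_results":21436}'


def build_query(base, **params):
    """Build a query URL, leaving out parameters with an empty value."""
    kept = {k: v for k, v in params.items() if v not in ("", None)}
    return base + "?" + urlencode(kept)


def empty_params(url):
    """Names of query parameters that are present in url but empty."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if value == ""]


def filter_widened(unfiltered_body, filtered_body):
    """True when the filtered query reports more results than the unfiltered one.

    A filter can only narrow a result set, so a larger total means some
    constraint of the query was not applied.
    """
    unfiltered = json.loads(unfiltered_body)["total_results"]
    filtered = json.loads(filtered_body)["total_results"]
    return filtered > unfiltered


if __name__ == "__main__":
    form_url = "https://ubuntu.com/security/cves?q=&package=apport&version=jammy&status="
    print("empty parameters in form URL:", empty_params(form_url))
    print("safe query:", build_query(BASE, package="apport", version="jammy", status=""))
    if filter_widened(SAMPLE_NO_STATUS, SAMPLE_EMPTY_STATUS):
        print("filtered total exceeds unfiltered total: discard this response")
```

A vulnerability-tracking job that consumes this API can run the same comparison against live responses before trusting a per-package CVE count.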