Closed adamjanovsky closed 1 year ago
> Shouldn't it be that if certificate X references certificate Y and vuln. appears in Y, then X is possibly vulnerable as well?

This is what the transitive computation of vulnerabilities should be. Are you saying it is implemented in reverse? :grin:
I just checked. It's implemented correctly, but somewhat counter-intuitively. There are two ways around it:
Our tool does the second thing, which confused me. I think that we can close this.
Currently, transitive vulnerabilities are reconstructed from `report_references` (or `policy_processed_references` for FIPS), but only from `directly_referenced_by` and `indirectly_referenced_by`. Shouldn't it be that if certificate X references certificate Y and vuln. appears in Y, then X is possibly vulnerable as well?
We should analyze and possibly fix that.
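To make the direction question raised in the issue and in the "implemented correctly, but counter-intuitively" reply concrete, here is an added illustration (not sec-certs code; the reference graph, the `pull_transitive`/`push_transitive` names and the CVE ids are constructed placeholders). It shows that pulling CVEs along `references` edges and pushing them along `referenced_by` edges yield the same transitive result:

```python
from collections import defaultdict

# Constructed toy graph (not sec-certs data): cert -> set of certs it references.
REFERENCES = {
    "X": {"Y"},
    "Y": {"Z"},
    "Z": set(),
    "W": {"Y"},
}
# Constructed: CVEs found directly on a certificate (placeholder ids).
DIRECT_CVES = {"Z": {"CVE-0000-0001"}, "W": {"CVE-0000-0002"}}


def invert(refs):
    """Build referenced_by: cert -> set of certs that reference it."""
    by = defaultdict(set)
    for src, targets in refs.items():
        by.setdefault(src, set())  # keep certs with no inbound references
        for t in targets:
            by[t].add(src)
    return dict(by)


def pull_transitive(refs, direct):
    """Direction 1: X collects the CVEs of every cert X (transitively) references."""
    result = {}
    for cert in refs:
        seen, stack, cves = set(), list(refs[cert]), set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            cves |= direct.get(cur, set())
            stack.extend(refs.get(cur, set()))
        result[cert] = cves
    return result


def push_transitive(refs, direct):
    """Direction 2: a vulnerable cert pushes its CVEs to every cert that
    (transitively) references it, walking referenced_by edges instead."""
    by = invert(refs)
    result = {c: set() for c in refs}
    for vuln_cert, cves in direct.items():
        seen, stack = set(), list(by.get(vuln_cert, set()))
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            result.setdefault(cur, set()).update(cves)
            stack.extend(by.get(cur, set()))
    return result
```

Both functions mark X, Y and W as transitively affected by Z's CVE, while Z itself (which references nothing) stays empty; W's own direct CVE propagates nowhere because no cert references W.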