eclipse-sw360 / sw360

SW360 project
https://www.eclipse.org/sw360/

CVE won't be updated if the CPE in CVE changed #2267

Open wang-fut opened 10 months ago

wang-fut commented 10 months ago

Description

Let's say I had a component on sw360 with a cpeid "cpe:2.3:a:apache:portable_runtime:1.6.3:*:*:*:*:*:*:*". Since 2021-11 I fetched the CVEs from my cve-search instance; at the moment CVE-2021-35940 got linked to my component because the CVE had a configuration with cpeid "cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*". Then at 2021/12 the CVE-2021-35940 information was updated from the cpeid "cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*" to a new one, "cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*". My component on sw360 is not affected by CVE-2021-35940, but the information on my sw360 never got updated.

Screenshots

Vulnerability on cve-search is fine (screenshot)

Vulnerability on sw360 stopped updating (screenshot)

Vulnerability changelog (screenshot)

Versions

wang-fut commented 10 months ago

Maybe SW360 should update existing CVEs on the SW360 side anyway and check if the relation between release and vulnerability is still active.
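The re-check proposed above, as an added example that is not SW360 or cve-search code: a small in-memory model in which every fetched CVE overwrites the stored copy, and each release-to-CVE relation is recomputed against the CVE's current CPE configuration and flagged inactive when the CPE no longer matches. The class and function names (`Cve`, `Release`, `Relation`, `VulnerabilityStore`, `resync`, `issue_scenario`) and the simplified field-by-field CPE comparison are assumptions; the CPE strings replay the issue's own CVE-2021-35940 scenario.

```python
"""Re-evaluate release <-> CVE links when a CVE's CPE configuration changes.

Added example (not SW360 or cve-search code). It models the issue: a release
with a CPE 2.3 name, a CVE whose configuration first matches any version and
is later narrowed to 1.7.0. All names and the in-memory store are assumptions.
"""
from dataclasses import dataclass, field

WILDCARD = "*"


def parse_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 13 fields.

    Handles only the unescaped form used in the issue; escaped colons
    ("\\:") inside a field are not supported here.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts


def cpe_matches(pattern: str, target: str) -> bool:
    """True if every non-wildcard field of `pattern` equals the target's field.

    Simplification: only '*' in the pattern is treated as a wildcard; the
    NIST CPE name-matching rules (ranges, NA values) are out of scope.
    """
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(pf == WILDCARD or pf == tf for pf, tf in zip(p[2:], t[2:]))


@dataclass
class Cve:
    cve_id: str
    cpe_patterns: list[str]   # CPE match strings from the CVE configuration
    last_modified: str


@dataclass
class Release:
    name: str
    cpe_id: str


@dataclass
class Relation:
    release: str
    cve_id: str
    active: bool = True       # False once the CVE's CPEs no longer match


@dataclass
class VulnerabilityStore:
    cves: dict[str, Cve] = field(default_factory=dict)
    relations: dict[tuple[str, str], Relation] = field(default_factory=dict)

    def resync(self, fetched: list[Cve], releases: list[Release]) -> list[Relation]:
        """Overwrite stored CVEs with the fetched copy and recheck every link.

        Returns the relations whose state changed in this run.
        """
        changed: list[Relation] = []
        for cve in fetched:
            self.cves[cve.cve_id] = cve          # update even if already known
            for rel in releases:
                key = (rel.name, cve.cve_id)
                still = any(cpe_matches(p, rel.cpe_id) for p in cve.cpe_patterns)
                existing = self.relations.get(key)
                if existing is None:
                    if still:                    # new match: create the link
                        self.relations[key] = Relation(rel.name, cve.cve_id, True)
                        changed.append(self.relations[key])
                elif existing.active != still:   # match changed: flip the flag
                    existing.active = still
                    changed.append(existing)
        return changed


def issue_scenario() -> dict[str, bool]:
    """Replay the issue with constructed data: linked in 2021-11, inactive in 2021-12."""
    apr = Release("apache portable runtime 1.6.3",
                  "cpe:2.3:a:apache:portable_runtime:1.6.3:*:*:*:*:*:*:*")
    store = VulnerabilityStore()
    nov = Cve("CVE-2021-35940",
              ["cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*"], "2021-11")
    store.resync([nov], [apr])
    after_nov = store.relations[(apr.name, nov.cve_id)].active
    dec = Cve("CVE-2021-35940",
              ["cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*"], "2021-12")
    store.resync([dec], [apr])
    after_dec = store.relations[(apr.name, dec.cve_id)].active
    return {"2021-11": after_nov, "2021-12": after_dec}


if __name__ == "__main__":
    print(issue_scenario())
```

The design point is that the stored CVE is always replaced by the fetched one, so the `last_modified` date and CPE configuration on the SW360 side track the source, and the release link is derived from that current configuration rather than frozen at first import.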