Open cg122 opened 2 years ago
The trouble with this one is that GHSA lists a non-existing Maven coordinate: com.fasterxml.jackson:jackson-databind: https://github.com/advisories/GHSA-5r5r-6hpj-8gg9
The proper coordinate is com.fasterxml.jackson.core:jackson-databind, which we list. However, on our end the versions are not correctly limited to the vulnerable range, and also the first_patched_purl we have is using the bad coordinate from GHSA: pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8
The story is complicated, but it seems that things are working as intended for the most part.
Because GHSA names an incorrect Maven coordinate, we fall back to the previous known purl mapping of the CPE cpe:2.3:a:fasterxml:jackson-databind, which is correctly pkg:maven/com.fasterxml.jackson.core/jackson-databind.
At that stage, however, the version range of GHSA is also not used anymore to identify the vulnerable versions. Instead, the code checks here for all versions of the Maven package: https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/
which is then compared to the patch date to infer which versions are vulnerable. The patch date is correctly found to be 2020-12-26, as can be seen here: https://github.com/FasterXML/jackson-databind/issues/2999. All versions before are assumed vulnerable, which is plausible IMO.
Checking back at Maven https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/ results in the list of versions listed above by @cg122, so that is working as intended.
I wonder why the version range is set differently in both the NVD and the GHSA data. Perhaps it's related to responsible disclosure?
There is one bug here, and that is the first_patched_purl in our data points to the wrong Maven coordinate pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8, because it has yanked that from the GHSA data without further validation.
As described in NVD:
The current mapping includes later versions:
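The thread above describes two mechanisms: falling back from an unknown GHSA coordinate to the CPE-to-purl mapping, and inferring vulnerable versions by comparing Maven release dates against the patch date, plus the one bug, a first_patched_purl copied from GHSA without validation. The following is an added example, not the project's own code, that shows how a validation step would catch that bug. The release list, its dates, the CPE_TO_MAVEN table and the KNOWN_MAVEN set are all constructed for illustration (the dates are not the real jackson-databind release history); only the coordinates, the CPE and the 2020-12-26 patch date come from the thread.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of Maven releases (version, release date). The dates are
# illustrative only, not the real jackson-databind release history.
SAMPLE_RELEASES = [
    ("2.9.10.6", date(2020, 10, 1)),
    ("2.9.10.7", date(2020, 12, 1)),
    ("2.9.10.8", date(2021, 1, 15)),
    ("2.12.1", date(2021, 1, 10)),
]

# Patch date named in the thread (FasterXML/jackson-databind issue 2999).
PATCH_DATE = date(2020, 12, 26)

# Hypothetical stand-in for the project's "previous known purl mapping":
# CPE (vendor, product) -> Maven (groupId, artifactId).
CPE_TO_MAVEN = {
    ("fasterxml", "jackson-databind"): ("com.fasterxml.jackson.core", "jackson-databind"),
}

# Constructed set of Maven coordinates that are known to exist on Maven Central.
KNOWN_MAVEN = {("com.fasterxml.jackson.core", "jackson-databind")}


@dataclass(frozen=True)
class MavenPurl:
    namespace: str
    name: str
    version: Optional[str] = None

    def __str__(self) -> str:
        base = f"pkg:maven/{self.namespace}/{self.name}"
        return f"{base}@{self.version}" if self.version else base


def parse_maven_purl(purl: str) -> MavenPurl:
    """Parse pkg:maven/<groupId>/<artifactId>[@version] (no qualifiers or subpath)."""
    prefix = "pkg:maven/"
    if not purl.startswith(prefix):
        raise ValueError(f"not a Maven purl: {purl}")
    rest = purl[len(prefix):]
    version = None
    if "@" in rest:
        rest, version = rest.split("@", 1)
    parts = rest.split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"malformed Maven purl: {purl}")
    return MavenPurl(parts[0], parts[1], version)


def resolve_coordinate(ghsa_coord: str, cpe: str, known_maven: set) -> MavenPurl:
    """Use the GHSA groupId:artifactId only if it is a known coordinate; otherwise
    fall back to the CPE -> purl mapping, which is what the thread says happens."""
    group, _, artifact = ghsa_coord.partition(":")
    if (group, artifact) in known_maven:
        return MavenPurl(group, artifact)
    fields = cpe.split(":")  # cpe:2.3:<part>:<vendor>:<product>...
    vendor, product = fields[3], fields[4]
    namespace, name = CPE_TO_MAVEN[(vendor, product)]
    return MavenPurl(namespace, name)


def infer_vulnerable_versions(releases, patch_date: date) -> list:
    """Every release published before the patch date is assumed vulnerable."""
    return [version for version, released in releases if released < patch_date]


def first_patched_is_consistent(first_patched_purl: str, resolved: MavenPurl) -> bool:
    """The missing validation: reject a first_patched_purl whose coordinate does not
    match the coordinate the advisory was resolved to."""
    p = parse_maven_purl(first_patched_purl)
    return (p.namespace, p.name) == (resolved.namespace, resolved.name)


def repair_first_patched(first_patched_purl: str, resolved: MavenPurl) -> str:
    """Keep the version GHSA gave but rewrite the coordinate to the resolved one."""
    p = parse_maven_purl(first_patched_purl)
    return str(MavenPurl(resolved.namespace, resolved.name, p.version))


if __name__ == "__main__":
    resolved = resolve_coordinate(
        "com.fasterxml.jackson:jackson-databind",
        "cpe:2.3:a:fasterxml:jackson-databind",
        KNOWN_MAVEN,
    )
    bad = "pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8"
    print("resolved:", resolved)
    print("vulnerable:", infer_vulnerable_versions(SAMPLE_RELEASES, PATCH_DATE))
    print("first_patched ok:", first_patched_is_consistent(bad, resolved))
    print("repaired:", repair_first_patched(bad, resolved))
```

The consistency check is the piece the thread says is missing: once the advisory has been resolved to a coordinate through the fallback path, any purl taken from the advisory text should be checked against that resolved coordinate before it is stored.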