fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

CVE-2020-0353 - Inconsistent PURL #118

Open mir-am opened 2 years ago

mir-am commented 2 years ago

For CVE-2020-0353, there are two different invalid PURLs:

1. The statement file on FS: pkg:deb/debian/linux@11.0
2. In Postgres, it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0.

By looking at the CVE on the NVD website, it is related to Google's Android. https://nvd.nist.gov/vuln/detail/CVE-2020-0353

MagielBruntink commented 2 years ago

Yep, something in the way vulnerability-producer is doing purl inference is not accurate. We don't see the pkg:deb/debian/linux@11.0 purl on disk, however; there, too, it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0. Still wrong, of course.

MagielBruntink commented 2 years ago

With "-i none" the incorrect mapping for this CVE disappears, I tested this locally.