fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

CVE-2019-2124 - Incorrect PURL mapping #119

Open mir-am opened 2 years ago

mir-am commented 2 years ago

CVE-2019-2124 affects Google Android but the PURL pkg:maven/org.bouncycastle/bcprov-jdk15on@10.0 is marked as vulnerable. This is an invalid mapping. There are currently quite a number of these issues in Postgres.

MagielBruntink commented 2 years ago

Yep, I am seeing the same wrong mappings produced by vulnerability-producer.

MagielBruntink commented 2 years ago

I think that the PURL inference strategies are the problem here, also in #118. Try running the vulnerability-producer with the -i none flag to turn those off.

mir-am commented 2 years ago

> I think that the PURL inference strategies are the problem here, also in #118. Try running the vulnerability-producer with the -i none flag to turn those off.

Yes, this is related to the devised heuristics for PURL inference. By turning off the flag -i, I think the tool won't infer PURLs. I am currently investigating what we can possibly do to mitigate these false positives.
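As an added example (not vulnerability-producer's own code), the following plausibility check shows one way to catch mappings like the one in this issue before they are published: a PURL is only accepted for a CVE if at least one of the CVE's affected-product CPE entries is an application (`a`) entry whose vendor or product name shares a token with the PURL namespace or name. The CPE strings, the `CVE-EXAMPLE-*` identifiers and the `bcprov-jdk15on@1.60` and `lodash` records are constructed for illustration; only the `CVE-2019-2124` / `pkg:maven/org.bouncycastle/bcprov-jdk15on@10.0` pair comes from the issue.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not the project's code: a guard that rejects CVE -> PURL
# mappings whose affected-product data does not plausibly describe the
# package the PURL names.

# General shape of a package URL: pkg:type/namespace/name@version
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+?)/)?(?P<name>[^@?#/]+)"
    r"(?:@(?P<version>[^?#]+))?"
)
# CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:...
CPE_RE = re.compile(
    r"^cpe:2\.3:(?P<part>[aho]):(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]+)"
)

# Namespace prefixes that carry no information about the package itself.
COMMON_PREFIXES = {"org", "com", "net", "io", "github"}


def tokens(text: str) -> set:
    """Lower-case alphanumeric tokens of length >= 3, minus generic prefixes."""
    return {
        t for t in re.split(r"[^a-z0-9]+", text.lower())
        if len(t) >= 3 and t not in COMMON_PREFIXES
    }


def parse_purl(purl: str) -> dict:
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a package URL: {purl}")
    return m.groupdict()


def parse_cpe(cpe: str) -> dict:
    m = CPE_RE.match(cpe)
    if not m:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return m.groupdict()


def mapping_is_plausible(purl: str, cpes: List[str]) -> bool:
    """True if some application CPE entry names the same vendor/product as the PURL.

    Operating-system ('o') and hardware ('h') entries never justify a mapping
    onto a package-manager PURL, so they are skipped outright.
    """
    p = parse_purl(purl)
    purl_tokens = tokens(f"{p['namespace'] or ''} {p['name']}")
    for cpe in cpes:
        c = parse_cpe(cpe)
        if c["part"] != "a":
            continue
        if tokens(f"{c['vendor']} {c['product']}") & purl_tokens:
            return True
    return False


@dataclass
class Mapping:
    cve: str
    purl: str
    cpes: List[str]  # affected-product CPE entries taken from the CVE record


def filter_mappings(mappings: List[Mapping]) -> Tuple[List[Mapping], List[Mapping]]:
    """Split mappings into (accepted, rejected) before anything is published."""
    accepted, rejected = [], []
    for m in mappings:
        (accepted if mapping_is_plausible(m.purl, m.cpes) else rejected).append(m)
    return accepted, rejected


# Constructed sample input. The first PURL/CVE pair is the one from the issue;
# the CPE string for it and the other two records are illustrative only.
SAMPLE_MAPPINGS = [
    Mapping("CVE-2019-2124", "pkg:maven/org.bouncycastle/bcprov-jdk15on@10.0",
            ["cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*"]),
    Mapping("CVE-EXAMPLE-0001", "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.60",
            ["cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.60:*:*:*:*:*:*:*"]),
    Mapping("CVE-EXAMPLE-0002", "pkg:npm/lodash@4.17.20",
            ["cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    ok, bad = filter_mappings(SAMPLE_MAPPINGS)
    for m in bad:
        print(f"REJECT {m.cve} -> {m.purl}: no application CPE names this package")
    for m in ok:
        print(f"ACCEPT {m.cve} -> {m.purl}")
```

The check deliberately compares only vendor/product names, not versions; a version-range comparison is a separate step, and a name mismatch such as Android versus bcprov-jdk15on should be rejected before versions are even looked at. Rejected records are worth logging rather than silently dropping, so the inference heuristic that produced them can be reviewed.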