google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0

nvd-cve-osv: OpenSSL versions do not normalize correctly #2220

Open andrewpollock opened 4 months ago

andrewpollock commented 4 months ago

OpenSSL's versions aren't being normalized very well, by the Go code or the Python code (unsurprising, given they're supposed to behave the same):

OpenSSL_1_1_1w winds up getting normalized to 1-1-1 and when there's OpenSSL_1_1_1a to OpenSSL_1_1_1w (as well as OpenSSL_1_1_1) they're all overwriting each other during normalization and the last one wins.

Originally posted by @andrewpollock in https://github.com/google/osv.dev/issues/1984#issuecomment-2063036937
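
The collision described in the comment above, as an added example that is not osv.dev's own Go or Python code. `normalize_digits_only` is a hypothetical stand-in that reproduces the `1-1-1` result, `normalize_keep_letter` is one assumed way to keep the letter suffix, and the tag list is constructed.

```python
import re
from collections import defaultdict

# Constructed sample tags, modelled on the ones named in the issue.
TAGS = ["OpenSSL_1_1_1", "OpenSSL_1_1_1a", "OpenSSL_1_1_1w", "OpenSSL_1_1_0l"]


def normalize_digits_only(tag):
    """Hypothetical lossy normalizer: keeps digit runs, drops the letter suffix."""
    return "-".join(re.findall(r"\d+", tag))


def normalize_keep_letter(tag):
    """Hypothetical alternative: keeps letters attached directly to a number."""
    return "-".join(re.findall(r"\d+[a-z]*", tag.lower()))


def naive_map(tags, normalize):
    """Normalized version -> tag, built the way that lets the last tag win."""
    return {normalize(tag): tag for tag in tags}


def collisions(tags, normalize):
    """Group tags by normalized form and return only the keys that are shared."""
    groups = defaultdict(list)
    for tag in tags:
        groups[normalize(tag)].append(tag)
    return {key: found for key, found in groups.items() if len(found) > 1}


if __name__ == "__main__":
    lossy = naive_map(TAGS, normalize_digits_only)
    print("digits-only map:", lossy)  # three 1.1.1 tags collapse into one entry
    for key, found in collisions(TAGS, normalize_digits_only).items():
        print(f"collision on {key!r}: {found} -> kept {lossy[key]!r}")
    print("keep-letter collisions:", collisions(TAGS, normalize_keep_letter))
```

Running a check like `collisions` over a repository's full tag list before building the map surfaces every group of tags that a normalizer would silently merge.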

github-actions[bot] commented 2 months ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks