intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

Detection regression for zlib 1.2.11, curl 7.63.0, openssl 1.1.0j, openssl 1.0.1i #148

Closed terriko closed 5 years ago

terriko commented 5 years ago

We may have a detection regression since the latest release: the current git tip is getting 0 CVEs but the older version was finding zlib 1.2.11, curl 7.63.0, openssl 1.1.0j, openssl 1.0.1i:

I don't have access to the package they were working on that was triggering this, but we should do some testing against those versions to see if something changed.
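A regression check of the kind suggested above, as an added example (not part of this thread or of cve-bin-tool's own test suite): it reads a CSV scan report, collects the (product, version) pairs it names, and lists the components from the issue that the scan failed to report. The `product`/`version` column layout and the sample reports are assumptions constructed for the example.

```python
import csv
import io

# Components the older release was detecting, taken from the issue text.
EXPECTED = {
    ("zlib", "1.2.11"),
    ("curl", "7.63.0"),
    ("openssl", "1.1.0j"),
    ("openssl", "1.0.1i"),
}


def detected_components(csv_text):
    """Return the set of (product, version) pairs named in a CSV report.

    Assumes a header row with 'product' and 'version' columns; this is an
    assumption about the report layout, not something stated in the issue.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["product"].strip(), row["version"].strip()) for row in reader}


def detection_regression(expected, detected):
    """Return, sorted, the expected components the scan did not report."""
    return sorted(expected - detected)


# Constructed sample: a report in which every expected component appears
# (CVE ids are placeholders, not real identifiers).
GOOD_REPORT = """vendor,product,version,cve_number
zlib,zlib,1.2.11,CVE-PLACEHOLDER-1
haxx,curl,7.63.0,CVE-PLACEHOLDER-2
openssl,openssl,1.1.0j,CVE-PLACEHOLDER-3
openssl,openssl,1.0.1i,CVE-PLACEHOLDER-4
"""

# Constructed sample: the "0 CVEs" case described in the issue, i.e. a
# report with a header row and no findings at all.
REGRESSED_REPORT = "vendor,product,version,cve_number\n"


def check_report(csv_text):
    """Return the list of missing components for a report; empty means OK."""
    return detection_regression(EXPECTED, detected_components(csv_text))


if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("regressed", REGRESSED_REPORT)):
        missing = check_report(report)
        status = "OK" if not missing else f"MISSING {missing}"
        print(f"{name}: {status}")
```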

terriko commented 5 years ago

Further testing from @pdxjohnny found that his tests actually do detect the appropriate files with some minor differences in the actual CVEs detected. I'll leave it up to him to close this issue if he thinks it's not needed any more.

terriko commented 5 years ago

Further investigation turned up some other issues in the environment where this bug occurred -- probably these specific packages aren't the relevant bit of information for the problem. I'm going to close this for now. @szollin if you manage to get any new insights into what was going wrong here, feel free to re-open this or open a new bug for tracking.