Some references without any tag from NVD is not processed properly

[iridium-soda]

See https://nvd.nist.gov/vuln/detail/CVE-2016-4001 and the following raw response:

{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2024-09-20T07:55:46.833",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2016-4001",
        "sourceIdentifier": "secalert@redhat.com",
        "published": "2016-05-23T19:59:05.917",
        "lastModified": "2023-02-13T04:50:08.460",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet."
          },
          {
            "lang": "es",
            "value": "Desbordamiento de buffer en la función stellaris_enet_receive en hw/net/stellaris_enet.c en QEMU, cuando el controlador ethernet Stellaris está configurado para aceptar paquetes grandes, permite a atacantes remotos provocar una denegación de servicio (caída de QEMU) a través de un paquete grande."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "CHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 4.0
            }
          ],
          "cvssMetricV2": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "2.0",
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
                "accessVector": "NETWORK",
                "accessComplexity": "MEDIUM",
                "authentication": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 4.3
              },
              "baseSeverity": "MEDIUM",
              "exploitabilityScore": 8.6,
              "impactScore": 2.9,
              "acInsufInfo": false,
              "obtainAllPrivilege": false,
              "obtainUserPrivilege": false,
              "obtainOtherPrivilege": false,
              "userInteractionRequired": false
            }
          ]
        },
        "weaknesses": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-120"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*",
                    "versionEndIncluding": "2.5.1.1",
                    "matchCriteriaId": "1E0091D0-CCD9-4017-A266-32576814AE63"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:qemu:qemu:2.6.0:rc0:*:*:*:*:*:*",
                    "matchCriteriaId": "544B3E62-7AE7-4925-9E50-CAFDAD5A3851"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:qemu:qemu:2.6.0:rc1:*:*:*:*:*:*",
                    "matchCriteriaId": "B8C11472-2B2A-4110-A04B-5CFBA0763432"
                  }
                ]
              }
            ]
          },
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
                    "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
                    "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                    "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B"
                  }
                ]
              }
            ]
          },
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
                    "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C729D5D1-ED95-443A-9F53-5D7C2FD9B80C"
                  }
                ]
              }
            ]
          },
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=3a15cc0e1ee7168db0782133d2607a6bfa422d66",
            "source": "secalert@redhat.com"
          },
          {
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183275.html",
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ]
          },
          {
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183350.html",
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ]
          },
          {
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184209.html",
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ]
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2016/04/11/4",
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ]
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2016/04/12/6",
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ]
          },
          {
            "url": "http://www.securityfocus.com/bid/85976",
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory",
              "VDB Entry"
            ]
          },
          {
            "url": "http://www.ubuntu.com/usn/USN-2974-1",
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ]
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html",
            "source": "secalert@redhat.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ]
          },
          {
            "url": "https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01334.html",
            "source": "secalert@redhat.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ]
          },
          {
            "url": "https://security.gentoo.org/glsa/201609-01",
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ]
          }
        ]
      }
    }
  ]
}

But we cannot save QEMU git which may cause troubles for #6.

[iridium-soda]

可能是QEMU的URL有很多不一样的。目前得到了两种：

• git.qemu-project.org
• git.qemu.org

[iridium-soda]

验证得到这两种的commit hash都指向qemu/qemu.

[iridium-soda]

fixed at https://github.com/iridium-soda/VulnCodeCollector/commit/21500937b28f8d614c1ce547fe238663707f4b78