nexB / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

One vulnerability affecting different packages. #1193

Open Hritik14 opened 1 year ago

Hritik14 commented 1 year ago

A vulnerability is identified in one application and an advisory is generated that corresponds to the application and the vulnerability. Different versions of the package might be vulnerable to the same vulnerability and might be provided by different upstreams (say Debian, Ubuntu, PyPI, etc.), but the source code of the package remains more or less the same.

If some package depends on a vulnerable package, then marking the parent package as vulnerable is not the accepted approach and data sources mentioning them are considered to be Crying Wolf. It is not the job of VulnerableCode to establish the parent-child relationship between packages (perhaps better done via scancode).

The VulnerableCode database is hosting affected packages with different names under one vulnerability. E.g.: https://public.vulnerablecode.io/vulnerabilities/VCID-kz2t-1jdd-aaaf?search=CVE-2018-3258. There are 449 affected packages, and scrolling down shows lots of different packages.

This looks like a problem caused via the redhat importer. Related: https://github.com/nexB/vulnerablecode/issues/1084
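A data-quality check of the kind this report calls for, as an added example (not VulnerableCode's own code): given (vulnerability id, purl) rows, one package name shipped by several ecosystems is expected, while many distinct package names under a single vulnerability is flagged as a likely importer mix-up. The VCIDs, package names and the threshold of three names are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote


def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version).

    The optional namespace is handled; qualifiers (?...) and subpath (#...)
    are dropped because they do not identify the package itself.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    rest, _, version = rest.partition("@")
    parts = rest.split("/")
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return ptype, namespace, name, version or None


def audit_affected_packages(rows, max_distinct_names=3):
    """Per vulnerability, collect distinct package names and ecosystems.

    Same name across Debian/Ubuntu/PyPI is fine (same source code). More
    than max_distinct_names different names is the symptom in this issue.
    """
    names = defaultdict(set)
    ecosystems = defaultdict(set)
    for vuln_id, purl in rows:
        ptype, namespace, name, _ = parse_purl(purl)
        names[vuln_id].add(name)
        ecosystems[vuln_id].add((ptype, namespace))
    return {
        vid: {
            "distinct_names": sorted(names[vid]),
            "ecosystems": sorted(ecosystems[vid], key=str),
            "suspect": len(names[vid]) > max_distinct_names,
        }
        for vid in names
    }


# Constructed sample rows; the VCIDs are placeholders, not real records.
SAMPLE_ROWS = [
    ("VCID-placeholder-0001", "pkg:deb/debian/libfoo@1.2.3-1"),
    ("VCID-placeholder-0001", "pkg:deb/ubuntu/libfoo@1.2.3-0ubuntu1"),
    ("VCID-placeholder-0001", "pkg:pypi/libfoo@1.2.3"),
    ("VCID-placeholder-0001", "pkg:maven/org.example/libfoo@1.2.3?type=jar"),
    # Second record: one library plus four unrelated dependents, the
    # "crying wolf" pattern a dependency-aware importer would produce.
    ("VCID-placeholder-0002", "pkg:rpm/redhat/libfoo@1.2.3-4.el8"),
    ("VCID-placeholder-0002", "pkg:rpm/redhat/app-a@2.0-1.el8"),
    ("VCID-placeholder-0002", "pkg:rpm/redhat/app-b@3.1-2.el8"),
    ("VCID-placeholder-0002", "pkg:rpm/redhat/app-c@0.9-7.el8"),
    ("VCID-placeholder-0002", "pkg:rpm/redhat/app-d@5.4-1.el8"),
]

if __name__ == "__main__":
    for vid, info in audit_affected_packages(SAMPLE_ROWS).items():
        flag = "SUSPECT" if info["suspect"] else "ok"
        print(f"{vid}: {flag} names={info['distinct_names']}")
```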

DennisClark commented 1 month ago

This is being addressed in #1084.