Closed tolim closed 3 years ago
As stated in my review of the pull request I can easily imagine many components together constructing the insecure situation the advisory tries to mitigate: An nginx server running in a docker container with a specific hypervisor on a specific operating system when ipv6 is active and the application server is a so-and-so in a such-and-such configuration ...
This was addressed in pull request #99
It is not conclusive to me why we allow multiple `full_product_names` in `product_tree/relationships`. One `relationship` element links two products and may produce one new product name and identifier in `full_product_name`. In this context it does not make sense to allow multiple `full_product_names`.

Btw, this is explicitly allowed by CVRF 1.2:
At the moment we do not require the property `full_product_name` within `product_tree/relationships`. This does not conform to CVRF 1.2, but I propose not to change this.
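The two points raised above (a relationship links two products and yields at most one derived `full_product_name`, and whether that property is required or optional) can be checked mechanically. The following is an added example, not code from the CSAF project or from the issue participants; the document layout it assumes (`product_tree` with `full_product_names` and `relationships`, each relationship carrying `product_reference`, `relates_to_product_reference` and a single `full_product_name` with `product_id` and `name`) is an assumption modelled on the structure under discussion, and the sample document is constructed for this example.

```python
"""Check the "one relationship, one derived product" rule on a product tree.

Added example; not code from the CSAF project or the issue author. The
document layout is an assumption modelled on the structure under discussion,
and SAMPLE_DOC is constructed for this example.
"""

# Constructed sample: one valid relationship, one without a derived product,
# one that wrongly lists two derived products, one with a dangling reference.
SAMPLE_DOC = {
    "product_tree": {
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "nginx 1.18"},
            {"product_id": "CSAFPID-0002", "name": "Docker 20.10"},
        ],
        "relationships": [
            {"category": "installed_on",
             "product_reference": "CSAFPID-0001",
             "relates_to_product_reference": "CSAFPID-0002",
             "full_product_name": {"product_id": "CSAFPID-0003",
                                   "name": "nginx 1.18 on Docker 20.10"}},
            {"category": "installed_on",
             "product_reference": "CSAFPID-0002",
             "relates_to_product_reference": "CSAFPID-0001"},
            {"category": "installed_on",
             "product_reference": "CSAFPID-0001",
             "relates_to_product_reference": "CSAFPID-0002",
             "full_product_name": [
                 {"product_id": "CSAFPID-0004", "name": "nginx on Docker (a)"},
                 {"product_id": "CSAFPID-0005", "name": "nginx on Docker (b)"}]},
            {"category": "installed_on",
             "product_reference": "CSAFPID-0001",
             "relates_to_product_reference": "CSAFPID-9999",
             "full_product_name": {"product_id": "CSAFPID-0006",
                                   "name": "nginx on unknown"}},
        ],
    }
}


def known_product_ids(doc):
    """Product ids declared directly in full_product_names (not via relationships)."""
    tree = doc.get("product_tree", {})
    return {p["product_id"] for p in tree.get("full_product_names", [])}


def check_relationships(doc, require_name=True):
    """Return (index, problem) pairs for relationships that break the rule.

    require_name=True is the CVRF 1.2 reading (every relationship must define
    its derived product); False is the lenient reading proposed in the thread,
    where the property may be absent but must never be repeated.
    """
    problems = []
    declared = known_product_ids(doc)
    seen_derived = set()
    for i, rel in enumerate(doc.get("product_tree", {}).get("relationships", [])):
        # Both ends of the relationship must point at a declared product.
        for key in ("product_reference", "relates_to_product_reference"):
            if rel.get(key) not in declared:
                problems.append((i, f"{key} {rel.get(key)!r} is not a declared product"))
        fpn = rel.get("full_product_name")
        if fpn is None:
            if require_name:
                problems.append((i, "missing full_product_name"))
            continue
        # A list here is exactly the "multiple full_product_names" case.
        if isinstance(fpn, list):
            problems.append((i, f"{len(fpn)} full_product_names in one relationship"))
            continue
        pid = fpn.get("product_id")
        if not pid or not fpn.get("name"):
            problems.append((i, "full_product_name needs both product_id and name"))
            continue
        # The derived identifier must not collide with declared or earlier derived ids.
        if pid in declared or pid in seen_derived:
            problems.append((i, f"derived product_id {pid!r} is not unique"))
        seen_derived.add(pid)
    return problems


def derived_products(doc):
    """Map each single-valued derived product_id to the pair of ids it links."""
    out = {}
    for rel in doc.get("product_tree", {}).get("relationships", []):
        fpn = rel.get("full_product_name")
        if isinstance(fpn, dict) and fpn.get("product_id"):
            out[fpn["product_id"]] = (rel["product_reference"],
                                      rel["relates_to_product_reference"])
    return out


if __name__ == "__main__":
    for idx, msg in check_relationships(SAMPLE_DOC):
        print(f"relationship[{idx}]: {msg}")
    print(derived_products(SAMPLE_DOC))
```

Running it with the default strict mode flags the relationship without a derived product, the one carrying two of them, and the dangling reference; with `require_name=False` only the latter two remain, which is the behaviour the last comment proposes to keep.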