Debsecan functionality questions

[hannesfostie]

EDIT: Changing this issue to be more generic about questions about debsecan's inner workings.

• [ ] Is binary_package being used?
• [ ] Should we check for vulnerabilities using the version only, or also check all of the versions in the other_versions array?

---

The original debsecan tool for debian CVE listing works with an attribute "binary_package", as well as an array of source_packages per binary_package.

However as far as I can tell this is not used in any way. There are no vulnerabilities where binary_package is true, so I removed the functionality before even committing it.

Here's my first attempt at the code:

# in the #parse_vulnerabilities method (Vulnerability.new)
truct.new({
          package: package,
          identifier: matching_cve.identifier,
          description: matching_cve.description,
          unstable_version: unstable_version,
          other_versions: other_versions.split(' '),
          binary_package: flags[0] == 'B',
          urgency: urgency_from_flag(flags[1]),
          remotely_exploitable: remotely_exploitable_from_flag(flags[2]),
          fix_available: flags[3] == 'F',
          binary_packages: binary_packages[package]
        })

# In the VulnerabilityParser class
    def binary_packages
      @packages ||= parse_binary_packages
    end

    def parse_binary_packages
      vulnerability_data.split(/\n\n/)[2].split(/\n/).each_with_object(Hash.new([])) do |package_string, packages|
        package_name, source_packages_string = package_string.split(',', 2)
        packages[package_name] = source_packages_string.split(' ')
      end
    end

[hannesfostie]

@vncntvandriessche feel free to take a look at these questions. It'll be easier for you to check these I'm sure.