Closed knqyf263 closed 1 year ago
Thanks for the report! We'll take a look shortly.
You are right @knqyf263 it is a bug, it also bit me I didn't open an issue and forgot to fix it. Thanks for reporting it!
I opened https://github.com/openvex/go-vex/pull/30 which adds a new vex.EffectiveStatement
function to properly get the latest impact statement. It will deprecate StatementFromID as we need to specify a product to know the effective status,
StatementFromID function always returns the first statement. However, the data inheritance specification allows for multiple statements with the same vulnerability ID to be registered, as follows.
I'm aware that SortStatements is provided and
VEX.Stetements
is a pubic field, so we can implement it on our end, but IMHOStatementFromID
should take responsibility of that. Or it should provide an option to sort statements by timestamp.