Open AMDmi3 opened 7 years ago
Maybe you can get inspiration on how to implement this from https://github.com/flyingcircusio/vulnix#theory-of-operation?
It has nothing to do with inspiration, there's just a pile of technical problems. Apart from just parsing nvd, we
For the record, I've spotted incorrect CVE information which leads to a false positive. Here's a CVE which makes the latest OpenVPN version look vulnerable, while in fact it refers to OpenVPN Access Server and should have CPE cpe:2.3:a:openvpn:openvpn_access_server:*:*:*:*:*:*:*:* instead of cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*.
I've mailed nvd@nist.gov and hope it'll get fixed soon - in fact I expect more corrections to follow as people spot them, and it's important to establish communication with NVD that allows fixing them quickly and makes NVD itself more useful and reliable.
Update: it was fixed, but I've got no reply. Other similar problems will be listed in repology/repology-rules#367
Mark vulnerable package versions
The plan:
cpe_name (is useless without vendor) cpe_vendor/cpe_product
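The following is an added example, not part of the issue thread and not Repology's code. It parses CPE 2.3 formatted strings and compares vendor and product together, showing why the mis-tagged OpenVPN CPE quoted above produced a false positive and why a product name without a vendor is ambiguous. Function names and the `example_vendor` CPE are constructed for illustration; version matching is left out.

```python
# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict, keeping backslash escapes intact."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    parts, cur, i, body = [], [], 0, cpe[len(prefix):]
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])   # escaped character, e.g. "\:" is not a separator
            i += 2
        elif body[i] == ":":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    parts.append("".join(cur))
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} attributes, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def attr_matches(pattern, value):
    """'*' (ANY) matches everything; otherwise compare case-insensitively."""
    return pattern == "*" or pattern.lower() == value.lower()

def cve_affects(cve_cpe, pkg_vendor, pkg_product):
    """Match on vendor AND product (version ranges are out of scope here)."""
    c = parse_cpe23(cve_cpe)
    return attr_matches(c["vendor"], pkg_vendor) and attr_matches(c["product"], pkg_product)

def name_only_affects(cve_cpe, pkg_product):
    """Product-only matching: what a package with only a name and no vendor allows."""
    return attr_matches(parse_cpe23(cve_cpe)["product"], pkg_product)

# The two CPEs quoted in the thread, plus one constructed CPE from another vendor.
MISTAGGED = "cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*"
CORRECTED = "cpe:2.3:a:openvpn:openvpn_access_server:*:*:*:*:*:*:*:*"
OTHER_VENDOR = "cpe:2.3:a:example_vendor:openvpn:*:*:*:*:*:*:*:*"  # constructed

if __name__ == "__main__":
    for label, cpe in (("mistagged", MISTAGGED), ("corrected", CORRECTED),
                       ("other vendor", OTHER_VENDOR)):
        print(label, "vendor+product:", cve_affects(cpe, "openvpn", "openvpn"),
              "name only:", name_only_affects(cpe, "openvpn"))
```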