trustification / trustify

Apache License 2.0

No way to obtain a list of affected packages from an ingested advisory #761

Closed jcrossley3 closed 1 month ago

jcrossley3 commented 2 months ago

This may have worked in the past, but it seems the purls field is always blank for the advisories returned from /api/v1/vulnerability/{id}.

According to @bobmcwhirter

Yeah, if we eat a CVE record (as vuln and advisory), then any purls mentioned therein should appear until the advisory portion for the CVE.
Then eat a relevant CSAF, and it'll have a sub-tree for RHT's packages examined
all w/o sboms
if we don't see that, then definitely a bug 
because that was the intent
jcrossley3 commented 2 months ago

Fixing this will require the "divination" of affected packages from myriad advisory sources and formats. I assumed the logic was fairly complete but I was wrong especially about CVE records. See #763
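The two source formats discussed above (affected packages from a CVE JSON 5.x record, and a CSAF product tree filtered by `known_affected`) as an added Python example, not trustify's own code: both documents are constructed samples, and the `COLLECTION_TO_PURL_TYPE` table is an assumed mapping.

```python
import json
# Constructed CVE JSON 5.x record (not a real CVE): the CNA "affected" entries
# give collectionURL + packageName + versions, never a PURL directly.
CVE_RECORD = json.loads('''{"cveMetadata": {"cveId": "CVE-0000-00000"},
 "containers": {"cna": {"affected": [
  {"vendor": "example", "product": "libfoo", "collectionURL": "https://crates.io",
   "packageName": "libfoo", "versions": [{"version": "1.2.0", "status": "affected"},
                                         {"version": "1.3.0", "status": "unaffected"}]},
  {"vendor": "example", "product": "closed-src"}]}}}''')

# Constructed CSAF 2.0 document: PURLs sit in product_identification_helper and
# vulnerabilities[].product_status.known_affected lists product_ids.
CSAF_DOC = json.loads('''{"product_tree": {"branches": [{"category": "vendor",
  "name": "Example", "branches": [
   {"category": "product_version", "name": "libfoo 1.2.0", "product": {"product_id": "P1",
    "name": "libfoo 1.2.0", "product_identification_helper": {"purl": "pkg:cargo/libfoo@1.2.0"}}},
   {"category": "product_version", "name": "libfoo 1.3.0", "product": {"product_id": "P2",
    "name": "libfoo 1.3.0", "product_identification_helper": {"purl": "pkg:cargo/libfoo@1.3.0"}}}]}]},
 "vulnerabilities": [{"cve": "CVE-0000-00000",
  "product_status": {"known_affected": ["P1"], "fixed": ["P2"]}}]}''')

# Assumed collectionURL -> PURL type table; real ecosystems need a fuller mapping.
COLLECTION_TO_PURL_TYPE = {"https://crates.io": "cargo", "https://pypi.org": "pypi"}

def purls_from_cve(record):
    # Derive one PURL per affected version; skip entries with no mappable package identity.
    out = []
    for aff in record["containers"]["cna"].get("affected", []):
        ptype = COLLECTION_TO_PURL_TYPE.get(aff.get("collectionURL", ""))
        name = aff.get("packageName")
        if not ptype or not name:
            continue
        for v in aff.get("versions", []):
            if v.get("status") == "affected":
                out.append(f"pkg:{ptype}/{name}@{v['version']}")
    return out

def purls_from_csaf(doc):
    # Collect product_id -> purl from the whole tree, then keep only known_affected ids.
    by_id = {}
    def walk(branches):
        for b in branches:
            prod = b.get("product")
            if prod and prod.get("product_identification_helper", {}).get("purl"):
                by_id[prod["product_id"]] = prod["product_identification_helper"]["purl"]
            walk(b.get("branches", []))
    walk(doc.get("product_tree", {}).get("branches", []))
    affected = set()
    for vuln in doc.get("vulnerabilities", []):
        affected.update(vuln.get("product_status", {}).get("known_affected", []))
    return sorted(by_id[pid] for pid in affected if pid in by_id)
```

Entries with no version marked affected, no mappable package name, or a product id only listed under `fixed` are dropped rather than guessed at.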

jcrossley3 commented 1 month ago

We're also not seeing any affected items in the sboms field -- always seems to be empty.

jcrossley3 commented 1 month ago

With #825 merged, I think we can close this now. It's too vague, anyway. Future issues should reference specific advisory source docs.