
Some fixed-by version data is incorrect and needs to be investigated #1290

Open
johnmhoran opened this issue Aug 31, 2023 · 4 comments

Comments

@johnmhoran
Member

While @pombredanne and I were reviewing the VCIO UI, it became clear that some of the data displayed in the Fixed by packages tab of the Vulnerability details page -- and thus the data in the DB -- is incorrect. The example was a query for VCID-2nyb-8rwu-aaag. The last 2 entries in the resulting Fixed by packages tab are

pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2.1

It seems counterintuitive that both of these versions would have been fixed rather than just one of them, and indeed an examination of the NVD Change History section for the CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-36518#VulnChangeHistorySection) reflects that the vulnerability was fixed in 2.13.2.1 but not in 2.13.2.


@johnmhoran
Member Author

See also this related data-quality issue I opened recently: Some UI package queries return duplicate copies of the same Package URL.

@DennisClark
Member

It still may be useful to consider converting CPE values to PURLs. Needs some analysis to specify how that can be done in a consistent manner acceptable to the community.

@DennisClark
Member

We need to:

  • Map CPEs to PURLs (when not too complex).
  • Parse CPE version ranges to vers.
  • Handle updates to the CPE configuration in a CVE.
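
The two problems raised in this thread (a "fixed by" version that NVD still lists as affected, and turning CPE version ranges into vers) can be checked with the following added example. It is not VulnerableCode's code; the cpeMatch entries are constructed to illustrate the CVE-2020-36518 case and are not the real NVD record.

```python
import operator

# Constructed NVD-style cpeMatch entries (NOT the real CVE-2020-36518 data):
# wildcard CPE criteria with version bounds, as NVD applicability statements use.
CPE_MATCHES = [
    {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.13.0", "versionEndExcluding": "2.13.2.1"},
    {"criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "2.12.6.1"},
]

# The two "Fixed by packages" entries from the issue report.
FIXED_BY_CANDIDATES = [
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2",
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2.1",
]

# NVD bound key -> (vers operator, comparison that must hold for v to be inside)
BOUNDS = {
    "versionStartIncluding": (">=", operator.ge),
    "versionStartExcluding": (">", operator.gt),
    "versionEndIncluding": ("<=", operator.le),
    "versionEndExcluding": ("<", operator.lt),
}

def version_key(version):
    """Dotted numeric versions as tuples: 2.13.2 < 2.13.2.1 because a
    shorter tuple sorts before a longer one sharing the same prefix."""
    return tuple(int(part) for part in version.split("."))

def cpe_match_to_vers(match):
    """Render one cpeMatch entry's bounds as a vers range (maven scheme)."""
    constraints = [BOUNDS[key][0] + match[key] for key in BOUNDS if key in match]
    return "vers:maven/" + ("|".join(constraints) or "*")

def is_affected(version, matches):
    """True when the version lies inside any cpeMatch range."""
    v = version_key(version)
    for match in matches:
        if all(BOUNDS[key][1](v, version_key(match[key]))
               for key in BOUNDS if key in match):
            return True
    return False

def audit_fixed_by(purls, matches):
    """Map each 'fixed by' PURL to whether it is genuinely outside every
    affected range; False flags a DB entry that needs investigation."""
    return {purl: not is_affected(purl.rsplit("@", 1)[1], matches)
            for purl in purls}

if __name__ == "__main__":
    for match in CPE_MATCHES:
        print(cpe_match_to_vers(match))
    for purl, ok in audit_fixed_by(FIXED_BY_CANDIDATES, CPE_MATCHES).items():
        print("fixed" if ok else "STILL AFFECTED", purl)
```

With the constructed ranges, 2.13.2 is reported as still affected and only 2.13.2.1 as fixed, matching what the NVD change history shows for this CVE.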

@DennisClark
Member

A useful reference here (thanks @keshav-space):
https://github.com/scanoss/purl2cpe
