VCIO-next: Do not mix unrelated affected and fixed packages #1508

Closed
pombredanne opened this issue Jul 16, 2024 · 3 comments
Comments

pombredanne (Member) commented Jul 16, 2024

In the UI and API, we should not mix unrelated affected and fixed packages.
For instance for https://public.vulnerablecode.io/vulnerabilities/VCID-pst1-g1u7-aaan for CVE-2022-21704, the affected "pkg:npm/log4js@0.1.0" is surely not fixed by "pkg:deb/debian/node-log4js@0.6.18-1" ... these are related but completely different PURLs.

  • "pkg:npm/log4js@0.1.0" MUST be fixed by a "pkg:npm/log4js"
  • "pkg:deb/debian/node-log4js@0.6.18-1" must be fixing some "pkg:deb/debian/node-log4js"

For the UI, see:
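The pairing rule stated in the comment above (an affected PURL may only be "fixed by" a PURL with the same type, namespace and name) can be demonstrated with a few lines of Python. This is an added example, not VulnerableCode's own code: it splits each PURL following the purl-spec rules (type/namespace/name@version, dropping qualifiers and subpath), keys packages on the version-less triple, and only reports a fix when the triple matches. The sample lists are constructed for the example; apart from the two PURLs quoted in the issue, the versions in them are made up.

```python
"""Pair affected PURLs with fixed PURLs only when they name the same package.

Added example illustrating the issue discussion; not VulnerableCode's code.
"""
from collections import defaultdict
from urllib.parse import unquote


def parse_purl(purl):
    """Return (type, namespace, name, version) for a PURL string.

    Qualifiers ('?...') and subpath ('#...') are discarded. The version is the
    text after the last '@' (the purl-spec splitting rule), so a percent-encoded
    '@' inside an npm scope ('%40angular') is not mistaken for the separator.
    Missing namespace is '' and missing version is None.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    remainder = purl[len("pkg:"):].lstrip("/")
    remainder = remainder.split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in remainder:
        remainder, version = remainder.rsplit("@", 1)
        version = unquote(version)
    # Decode each path segment only after splitting so an encoded '/' stays put.
    segments = [unquote(s) for s in remainder.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"PURL needs at least a type and a name: {purl!r}")
    ptype = segments[0].lower()
    name = segments[-1]
    namespace = "/".join(segments[1:-1])
    return ptype, namespace, name, version


def package_key(purl):
    """The version-less identity of a package: (type, namespace, name)."""
    ptype, namespace, name, _ = parse_purl(purl)
    return ptype, namespace, name


def pair_affected_with_fixed(affected_purls, fixed_purls):
    """Map each affected PURL to the fixed PURLs of the *same* package.

    A fixed PURL for a different package (the Debian node-log4js build versus
    the npm log4js package, for instance) is never listed as fixing it; an
    affected package with no same-package fix gets an empty list.
    """
    fixed_by_package = defaultdict(list)
    for fixed in fixed_purls:
        fixed_by_package[package_key(fixed)].append(fixed)
    return {
        affected: list(fixed_by_package.get(package_key(affected), []))
        for affected in affected_purls
    }


# Constructed sample data: the two PURLs quoted in the issue plus made-up
# counterparts so that each package has both an affected and a fixed entry,
# and one package with no fix at all.
AFFECTED = [
    "pkg:npm/log4js@0.1.0",
    "pkg:deb/debian/node-log4js@0.6.17-1",
    "pkg:pypi/unrelated-package@1.0",
]
FIXED = [
    "pkg:deb/debian/node-log4js@0.6.18-1",
    "pkg:npm/log4js@6.4.0",
]

if __name__ == "__main__":
    for affected, fixes in pair_affected_with_fixed(AFFECTED, FIXED).items():
        print(f"{affected} -> fixed by {fixes or 'nothing with the same type/namespace/name'}")
```

Note that the key deliberately ignores the version: deciding which fixed version is the right one for a given affected version is a separate, ecosystem-specific version-comparison problem, while the point raised in the issue is only that a fix must belong to the same package in the first place.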

pombredanne (Member Author) commented:

This has been implemented and fixed in the UI by @johnmhoran (Thanks!)
[Screenshot from 2024-10-15 15-14-01]

We still need to do the work in the API:
[Screenshot from 2024-10-15 15-18-51]

@pombredanne pombredanne added 3-next and removed 9-next labels Oct 15, 2024
@pombredanne pombredanne added this to the v36.0.0 - 3-next milestone Oct 15, 2024
TG1999 (Contributor) commented Nov 26, 2024

Will fix this in V2 API.

@pombredanne pombredanne changed the title Do not mix unrelated affected and fixed packages VCIO-next: Do not mix unrelated affected and fixed packages Dec 23, 2024
pombredanne (Member Author) commented:

The new API v2 has different semantics and is always by package, therefore this does not apply there anymore. Closing now!
