-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alpine: possibly wrong information is indexed #915
Comments
@armijnhemel Thank you ++ |
Just verified, it is wrong in their secdb |
@pombredanne @armijnhemel if we check this reference https://cve.report/qid/501765 they also have stated |
But it is the wrong version. This version of Ninja2 never existed. The Alpine maintainer made a typo in the package version, as can be clearly seen in the packaging information. Why not fix it? |
@armijnhemel makes sense! |
I am wondering how many other errors there are in the Alpine security database. What I could imagine is that you would check the Alpine recipes to see if a certain version exists or ever existed. I could even imagine also checking the upstream sources to see if a package version actually has ever existed. |
#917 is a generalization of this bug |
As I mentioned in #801 there is an issue with the way Alpine packages are indexed.
The following example illustrates this:
https://git.alpinelinux.org/aports/tree/main/py3-jinja2/APKBUILD?id=8531e658bb1a196c87ac3e8abf0bb18022266aa5
This
APKBUILD
file says the version of the package is2.11.3-r0
. But at line 18 there is a different version number:It looks like someone made a typo in the version number and it is this number that VulnerableCode seems to be using (as demonstrated in #801 ).
The solution is to do a little clean up and cross correlate this information with the Alpine package information.
The text was updated successfully, but these errors were encountered: