
Determine if a Vulnerability is Patched or not

Open sourabhsparkala opened this issue 3 years ago • 2 comments

We get a list of Vulnerabilities for a project. We use NVD to get information on Vulnerabilities.

While gathering the information, it is observed that we get

  • versionEndExcluding
  • versionEndIncluding

These hold end-version information.

Is it possible to use this information to determine if

  • A project has an artifact version that lies above the given range? This would determine whether the vulnerability is UNPATCHED or PATCHED.

DOD:

  • Check if the above POC can be implemented.
  • Discuss with the team the findings and decide on the best possible step.
  • If agreed, then implement the same as part of the rating core.

sourabhsparkala avatar Jun 04 '21 13:06 sourabhsparkala
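The check the issue proposes, as an added example in Python that is not part of fosstars-rating-core: it takes NVD cpe_match entries (the JSON 1.1 feed field names versionStartIncluding/Excluding and versionEndIncluding/Excluding) and classifies an artifact version as UNPATCHED when it falls inside a vulnerable range and PATCHED otherwise. The entries, vendor, product and versions below are constructed placeholders.

```python
import re

# Constructed NVD-style cpe_match entries (JSON 1.1 feed field names) for a
# hypothetical library; the vendor, product and versions are placeholders.
SAMPLE_CPE_MATCH = [
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:lib:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.2"},
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:lib:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.0.0", "versionEndIncluding": "2.1.0"},
]


def parse_version(v):
    """Numeric components only ('1.4.2' -> (1, 4, 2)); trailing zeros are dropped
    so '2.1' == '2.1.0'. Pre-release qualifiers such as '-rc1' are ignored (caveat)."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_affected_range(version, match):
    """True if `version` lies inside the range described by one cpe_match entry."""
    v = parse_version(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    found = False
    for key, ok in bounds:
        if key in match:
            found = True
            if not ok(parse_version(match[key])):
                return False
    if not found:
        # No range fields: the CPE itself names the version ('*' means any).
        cpe_version = match["cpe23Uri"].split(":")[5]
        return cpe_version == "*" or parse_version(cpe_version) == v
    return True


def resolution(version, cpe_matches):
    """UNPATCHED if any vulnerable entry covers the artifact version, else PATCHED."""
    for m in cpe_matches:
        if m.get("vulnerable", True) and in_affected_range(version, m):
            return "UNPATCHED"
    return "PATCHED"


if __name__ == "__main__":
    for ver in ("1.3.0", "1.4.2", "2.1.0", "2.1.1"):
        print(ver, resolution(ver, SAMPLE_CPE_MATCH))
```

Entries with "vulnerable": false (used by NVD for platform or running-on CPEs) are skipped, and a version exactly at a versionEndExcluding bound is treated as patched.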

I am not sure what exactly you'd like to check. OWASP Dependency Check reports unpatched vulnerabilities for an artifact, so you can just set resolution to unpatched in the data provider that runs OWASP Dependency Check for an artifact.

artem-smotrakov avatar Jun 04 '21 13:06 artem-smotrakov

> I am not sure what exactly you'd like to check. OWASP Dependency Check reports unpatched vulnerabilities for an artifact, so you can just set resolution to unpatched in the data provider that runs OWASP Dependency Check for an artifact.

https://github.com/SAP/fosstars-rating-core/pull/534#discussion_r646311240

sourabhsparkala avatar Jun 07 '21 07:06 sourabhsparkala