
WordPress and debian ecosystem

Open clementmoulin opened this issue 2 months ago • 5 comments

Describe the bug: If you try to query the API about WordPress vulnerabilities, the version is misunderstood for the Debian ecosystem, resulting in a full dump of all WP vulnerabilities (the version is ignored).

To Reproduce: API query:

    ["package"]=>
    array(2) {
      ["ecosystem"]=>
      string(6) "Debian"
      ["name"]=>
      string(9) "wordpress"
    }
    ["version"]=>
    string(5) "6.8.2"

Expected behaviour: Should return only vulnerabilities for WordPress >= 6.8.2.

Screenshots: N/A

Additional context: N/A

clementmoulin, Oct 06 '25 16:10

Hi, running this query, I get 22 results, while there are over 400 vulns in Debian/wordpress in OSV.

Some of these match because the issue was not fixed in some versions of Debian. e.g. DEBIAN-CVE-2024-6307 is fixed in Debian:13 (trixie) and Debian:14 (forky), but not Debian:12 (bookworm). Since your query does not specify which version of Debian to check, it matches them all. If you know what version of Debian you are checking, you can include it in the ecosystem, e.g. as "Debian:13".

The remaining ones all seem to be deemed vulnerable according to the Debian security tracker (e.g. DEBIAN-CVE-2025-58674, DEBIAN-CVE-2022-3590). Some of the older ones, e.g. DEBIAN-CVE-2011-4899, are flagged as 'unimportant' in the ecosystem_specific field, which matches what the security tracker says.

michaelkedar, Oct 06 '25 23:10
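The release-suffix behaviour described in the comment above, as an added illustration that is not OSV's own code or data: a small re-implementation of the matching semantics the comment describes, run over constructed sample records. `build_query` produces the same request body as the PHP array in the report (the body sent to POST https://api.osv.dev/v1/query); the record ids, the fixed versions, and the simplified version comparison are assumptions made for the example.

```python
import json
import re

# Constructed sample records shaped like OSV advisories. They are NOT real OSV
# data and the ids are placeholders. Debian records in OSV carry one "affected"
# entry per release, so a fix can exist for one release and not another.
SAMPLE_RECORDS = [
    {
        "id": "EXAMPLE-0001",
        "affected": [
            # bookworm: no fix, so every version is still affected
            {"package": {"ecosystem": "Debian:12", "name": "wordpress"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}]}]},
            # trixie: fixed in 6.7.0 (assumed value)
            {"package": {"ecosystem": "Debian:13", "name": "wordpress"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "6.7.0"}]}]},
        ],
    },
    {
        "id": "EXAMPLE-0002",
        "affected": [
            # fixed in both releases, but only in 6.8.3 (assumed value)
            {"package": {"ecosystem": "Debian:12", "name": "wordpress"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "6.8.3"}]}]},
            {"package": {"ecosystem": "Debian:13", "name": "wordpress"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "6.8.3"}]}]},
        ],
    },
    {
        "id": "EXAMPLE-0003",
        "affected": [
            # only recorded for trixie, fixed long ago (assumed value)
            {"package": {"ecosystem": "Debian:13", "name": "wordpress"},
             "ranges": [{"type": "ECOSYSTEM",
                         "events": [{"introduced": "0"}, {"fixed": "6.2.0"}]}]},
        ],
    },
]


def build_query(name, ecosystem, version):
    """Request body for POST /v1/query; same shape as the PHP array in the report."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}


def version_key(v):
    # Simplified comparison on the dotted numeric upstream version only.
    # Real Debian ordering (epochs, '~', '+dfsg' revisions) is more involved.
    upstream = re.split(r"[+~-]", v, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in upstream.split("."))


def ecosystem_matches(query_eco, record_eco):
    # A bare "Debian" matches every release-specific "Debian:N" entry, which is
    # why an unsuffixed query returns records that are only unfixed on one
    # release. "Debian:13" matches only entries for that release.
    return record_eco == query_eco or record_eco.split(":", 1)[0] == query_eco


def version_affected(version, ranges):
    """True if `version` falls inside any [introduced, fixed) ECOSYSTEM range."""
    vk = version_key(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        introduced, fixed = None, None
        for ev in rng.get("events", []):
            introduced = ev.get("introduced", introduced)
            fixed = ev.get("fixed", fixed)
        lower_ok = introduced in (None, "0") or version_key(introduced) <= vk
        upper_ok = fixed is None or vk < version_key(fixed)
        if lower_ok and upper_ok:
            return True
    return False


def query_records(records, query):
    """Return sorted ids of records with at least one matching affected entry."""
    pkg = query["package"]
    hits = set()
    for rec in records:
        for aff in rec["affected"]:
            p = aff["package"]
            if p["name"] != pkg["name"]:
                continue
            if not ecosystem_matches(pkg["ecosystem"], p["ecosystem"]):
                continue
            if version_affected(query["version"], aff.get("ranges", [])):
                hits.add(rec["id"])
    return sorted(hits)


if __name__ == "__main__":
    for eco in ("Debian", "Debian:12", "Debian:13"):
        q = build_query("wordpress", eco, "6.8.2")
        print(json.dumps(q), "->", query_records(SAMPLE_RECORDS, q))
```

With the bare "Debian" ecosystem, EXAMPLE-0001 is returned because it is still unfixed on bookworm even though trixie has a fix; adding the release suffix "Debian:13" drops it and leaves only the record that is genuinely unfixed for 6.8.2 on that release.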

Hi

Actually the problem is when querying without any ecosystem: it used to work, but recently we get all Debian reports...

I wish we could find WP vulns from a specific ecosystem, but I could not find one, so we need to check most of them...

Thanks

clementmoulin, Oct 07 '25 09:10

Hi @clementmoulin, just thought I'd follow up and clarify: are you looking for vulnerabilities within WordPress itself, or vulnerabilities in the WordPress ecosystem, i.e. plugins?

We've recently decoupled all of our Debian and Alpine records away from the main CVE record, which might be why you are now only seeing Debian reports.

jess-lowe, Oct 31 '25 02:10

Hi, we are looking for WordPress vulnerabilities itself :)

clementmoulin, Oct 31 '25 08:10

We currently don't have any native WordPress vulnerabilities because WordPress doesn't publish them in the OSV format.

So currently WordPress vulnerabilities are only published through distro maintainers for their specific releases.

We do not officially support queries without an ecosystem, partially because it could cause confusion like this. Though we are definitely interested in supporting the WordPress ecosystem if we can get WordPress to officially publish OSV-formatted vulnerabilities.

another-rex, Nov 03 '25 04:11