
Discrepancies found with Debian CVE(s)

Open iam-naveen opened this issue 2 months ago • 2 comments

Data used from: https://osv-vulnerabilities.storage.googleapis.com/Debian/all.zip
Source used to compare against: https://security-tracker.debian.org/tracker

Case 1

CVE entries marked as "NOT-FOR-US" are included in the ZIP.

Example: DEBIAN-CVE-2025-0649 https://security-tracker.debian.org/tracker/CVE-2025-0649 https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-0649.json

Case 2

CVE entries marked as Rejected by both Debian and NVD are included in the ZIP.

Example: DEBIAN-CVE-2023-52979

  • Sources
    • https://security-tracker.debian.org/tracker/CVE-2023-52979 (Empty Page)
    • https://salsa.debian.org/security-tracker-team/security-tracker/-/raw/master/data/CVE/list (Specifically marked as Rejected)
  • OSV
    • https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-52979.json (No Indicating values to show Rejected status)

Case 3

A few CVE entries have the wrong Debian versions marked as affected in the ZIP.

Example: DEBIAN-CVE-2025-52566. We can see that only the unstable release is mentioned at the source (Debian Security Tracker): https://security-tracker.debian.org/tracker/CVE-2025-52566
But Debian:14 is mentioned here: https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-52566.json

iam-naveen, Oct 14 '25 12:10
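As an added example (not osv.dev's own tooling or the reporter's), the following Python check parses a constructed sample written in the style of Debian's data/CVE/list and flags the three discrepancy kinds reported above against constructed OSV-shaped records. It assumes the tracker list format (NOT-FOR-US / REJECTED status lines, unqualified "- pkg" lines meaning unstable, "[codename] - pkg" lines for releases), OSV's "Debian:<n>" ecosystem strings, and that a rejected record would carry a "withdrawn" field; the codename-to-number map is mine.

```python
import re

# Constructed sample in the style of Debian's data/CVE/list (not the real file).
TRACKER_LIST = """\
CVE-2025-0649 (Issue in a product Debian does not ship)
\tNOT-FOR-US: Example product
CVE-2023-52979
\tREJECTED
CVE-2025-52566 (Issue in a shipped library)
\t- examplepkg <unfixed> (bug #999999)
\t[trixie] - examplepkg <not-affected> (vulnerable code not present)
"""
RELEASE_NUMBER = {"bookworm": "12", "trixie": "13", "forky": "14"}  # codename -> "Debian:<n>"

def parse_tracker(text):  # CVE id -> {"status": open|not-for-us|rejected, "releases": set}
    entries, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"^(CVE-\d{4}-\d+)", line):
            cur = entries.setdefault(m.group(1), {"status": "open", "releases": set()})
        elif cur is not None and line.startswith("\t"):
            body = line[1:]
            if body.startswith(("NOT-FOR-US", "REJECTED")):
                cur["status"] = body.split(":")[0].lower()  # "not-for-us" / "rejected"
            elif body.startswith("- "):  # unqualified package line = unstable
                cur["releases"].add("unstable")
            elif (r := re.match(r"^\[(\w+)\] - ", body)) and "<not-affected>" not in body:
                cur["releases"].add(r.group(1))  # "[codename] - pkg ..." line
    return entries

def check_record(osv, tracker):  # discrepancy messages for one OSV-shaped Debian record
    osv_id, cve = osv["id"], osv["id"].removeprefix("DEBIAN-")
    if (t := tracker.get(cve)) is None:
        return [f"{osv_id}: CVE not present in tracker list"]
    problems = []
    if t["status"] == "not-for-us":
        problems.append(f"{osv_id}: NOT-FOR-US in tracker but exported to OSV")
    if t["status"] == "rejected" and "withdrawn" not in osv:
        problems.append(f"{osv_id}: REJECTED in tracker but record not withdrawn")
    claimed = {a["package"]["ecosystem"].split(":", 1)[1] for a in osv.get("affected", [])
               if ":" in a["package"]["ecosystem"]}  # "Debian:14" -> "14"
    tracked = {RELEASE_NUMBER.get(r, r) for r in t["releases"]}
    for rel in sorted(claimed - tracked):
        problems.append(f"{osv_id}: Debian:{rel} affected in OSV, tracker lists {sorted(t['releases'])}")
    return problems

OSV_RECORDS = [  # constructed records shaped like OSV JSON, mirroring the three cases
    {"id": "DEBIAN-CVE-2025-0649", "affected": []},
    {"id": "DEBIAN-CVE-2023-52979", "affected": []},
    {"id": "DEBIAN-CVE-2025-52566", "affected": [{"package": {"ecosystem": "Debian:14", "name": "examplepkg"}}]},
]
```

Running `[p for rec in OSV_RECORDS for p in check_record(rec, parse_tracker(TRACKER_LIST))]` yields one message per case; the same two functions can be pointed at the real list file and the unzipped OSV JSON records.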

While we are on the topic of Debian CVE discrepancies: https://osv.dev/vulnerability/DSA-5902-1 doesn't have the correct upstream of debian-cve set.

another-rex, Oct 14 '25 23:10

Hey, thanks for finding all these!

Doing some triage: For 1 & 2: if I delete the respective records from the bucket they don't seem to get regenerated on the next run. We likely fixed the generation issue of these a few weeks back, but we haven't implemented proper deletion logic for when this sort of thing changes.

(notes to self:)
Band-aid solution: delete everything and do a complete re-ingestion of Debian records.
Proper solution: add deletion logic in the upload "worker" that checks for differences between filenames and deletes the ones in the bucket if they haven't been generated.

For 3: we seem to be mapping unstable incorrectly. I'll look into this separately.

jess-lowe, Oct 27 '25 00:10