
Also collect secondary, package-level GitHub advisories [was: References to GHSA lack a severity]

Open sschuberth opened this issue 3 years ago • 5 comments

References to GHSA URLs like https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp list no scores, although at least a severity value (in this case "Low") should be possible to list even if no scoring system may be known.

sschuberth avatar Nov 10 '22 20:11 sschuberth

@sschuberth Are you sure? In https://public.vulnerablecode.io/vulnerabilities/VCID-e1bu-4uh4-aaac?search=GHSA-269g-pwp5-87pp I see this data:

Severity (9)

| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-269g-pwp5-87pp |

Did you see your issue elsewhere?

pombredanne avatar Nov 11 '22 16:11 pombredanne

Note that we are reorganizing the way we deal with CVSS scores in a branch ATM

pombredanne avatar Nov 11 '22 16:11 pombredanne
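Added example, not code from this thread or from the VulnerableCode project: given references in the shape of the VulnerableCode package API response discussed here (`reference_url`, `reference_id`, `scores` with `value` and `scoring_system`), it normalizes each score to one label, lets a score-less repository-level GHSA reference inherit the rating attached to the github.com/advisories entry carrying the same GHSA id, and reports the worst case. The CVSS rating bands, the vendor-word mapping and the `inherited_from` field are assumptions; the sample references are constructed from values quoted in this thread.

```python
"""Derive a usable severity from VulnerableCode reference scores (added example)."""
import re
from typing import Optional

# The same GHSA id can appear under two URL forms: the repository-level
# security advisory and the global github.com/advisories entry.
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}", re.IGNORECASE)

# Canonical labels in increasing order; vendor words are mapped onto them (assumption).
LEVELS = ["low", "medium", "high", "critical"]
QUALITATIVE = {
    "low": "low", "moderate": "medium", "medium": "medium",
    "important": "high", "high": "high", "critical": "critical",
}


def cvss_label(system: str, score: float) -> Optional[str]:
    """Qualitative band for a numeric CVSS score (v2 has no 'critical' band)."""
    if score <= 0.0:
        return None
    if system.startswith("cvssv2"):
        return "low" if score < 4.0 else "medium" if score < 7.0 else "high"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high" if score < 9.0 else "critical"


def normalize(score: dict) -> Optional[str]:
    """Map one {'value', 'scoring_system'} entry onto a canonical label."""
    system = score["scoring_system"].lower()
    value = score["value"].strip().lower()
    if system.endswith("_vector"):
        return None  # a vector string carries no rating by itself
    if value in QUALITATIVE:
        return QUALITATIVE[value]
    try:
        return cvss_label(system, float(value))
    except ValueError:
        return None  # unknown free-text rating: do not guess


def ghsa_id(url: str) -> Optional[str]:
    """GHSA id embedded in a URL, in a case-stable form, or None."""
    m = GHSA_RE.search(url)
    return "GHSA-" + m.group(0)[5:].lower() if m else None


def inherit_ghsa_scores(references: list) -> list:
    """Copy of references where a score-less GHSA reference borrows the scores of
    another reference with the same GHSA id, tagged with where they came from."""
    by_id: dict = {}
    for ref in references:
        gid = ghsa_id(ref["reference_url"])
        if gid and ref["scores"]:
            by_id.setdefault(gid, []).extend(
                dict(s, inherited_from=ref["reference_url"]) for s in ref["scores"])
    out = []
    for ref in references:
        copy = dict(ref, scores=list(ref["scores"]))
        gid = ghsa_id(copy["reference_url"])
        if gid and not copy["scores"] and gid in by_id:
            copy["scores"] = [dict(s) for s in by_id[gid]]
        out.append(copy)
    return out


def severity_summary(references: list) -> dict:
    """Per reference URL, the highest canonical label its scores support (or None)."""
    summary = {}
    for ref in references:
        labels = [lab for lab in (normalize(s) for s in ref["scores"]) if lab]
        summary[ref["reference_url"]] = max(labels, key=LEVELS.index) if labels else None
    return summary


def worst_case(references: list) -> Optional[str]:
    """Highest label across all references; sources differ in scope, so treat it as an upper bound."""
    labels = [lab for lab in severity_summary(references).values() if lab]
    return max(labels, key=LEVELS.index) if labels else None


# Constructed sample, trimmed to a few of the references quoted in this thread.
SAMPLE_REFERENCES = [
    {"reference_url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp",
     "reference_id": "", "scores": []},
    {"reference_url": "https://github.com/advisories/GHSA-269g-pwp5-87pp",
     "reference_id": "GHSA-269g-pwp5-87pp",
     "scores": [{"value": "MODERATE", "scoring_system": "cvssv3.1_qr"}]},
    {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250",
     "reference_id": "CVE-2020-15250",
     "scores": [{"value": "1.9", "scoring_system": "cvssv2"},
                {"value": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "scoring_system": "cvssv2_vector"},
                {"value": "5.5", "scoring_system": "cvssv3"},
                {"value": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "scoring_system": "cvssv3_vector"}]},
    {"reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887810",
     "reference_id": "1887810", "scores": [{"value": "low", "scoring_system": "rhbs"}]},
    {"reference_url": "https://access.redhat.com/errata/RHSA-2022:5532",
     "reference_id": "RHSA-2022:5532", "scores": [{"value": "Important", "scoring_system": "rhas"}]},
]

if __name__ == "__main__":
    for url, label in severity_summary(inherit_ghsa_scores(SAMPLE_REFERENCES)).items():
        print(f"{label or '-':8} {url}")
    print("worst case:", worst_case(SAMPLE_REFERENCES))
```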

Here's the full response I'm getting from the https://public.vulnerablecode.io/api/docs/#/packages/packages_bulk_search_create endpoint when passing "pkg:maven/junit/junit@4.12":

[
  {
    "url": "http://public.vulnerablecode.io/api/packages/168702",
    "purl": "pkg:maven/junit/junit@4.12",
    "type": "maven",
    "namespace": "junit",
    "name": "junit",
    "version": "4.12",
    "qualifiers": {},
    "subpath": "",
    "affected_by_vulnerabilities": [
      {
        "url": "http://public.vulnerablecode.io/api/vulnerabilities/1265",
        "vulnerability_id": "VCID-e1bu-4uh4-aaac",
        "summary": "",
        "references": [
          {
            "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15250.json",
            "reference_id": "",
            "scores": [
              {
                "value": "4.0",
                "scoring_system": "cvssv3"
              },
              {
                "value": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "scoring_system": "cvssv3_vector"
              }
            ],
            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15250.json"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/issues/1676",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/issues/1676"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp"
          },
          {
            "reference_url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html",
            "reference_id": "",
            "scores": [],
            "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html"
          },
          {
            "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html",
            "reference_id": "",
            "scores": [],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887810",
            "reference_id": "1887810",
            "scores": [
              {
                "value": "low",
                "scoring_system": "rhbs"
              }
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887810"
          },
          {
            "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972231",
            "reference_id": "972231",
            "scores": [],
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972231"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250",
            "reference_id": "CVE-2020-15250",
            "scores": [
              {
                "value": "1.9",
                "scoring_system": "cvssv2"
              },
              {
                "value": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
                "scoring_system": "cvssv2_vector"
              },
              {
                "value": "5.5",
                "scoring_system": "cvssv3"
              },
              {
                "value": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "scoring_system": "cvssv3_vector"
              }
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250"
          },
          {
            "reference_url": "https://github.com/advisories/GHSA-269g-pwp5-87pp",
            "reference_id": "GHSA-269g-pwp5-87pp",
            "scores": [
              {
                "value": "MODERATE",
                "scoring_system": "cvssv3.1_qr"
              }
            ],
            "url": "https://github.com/advisories/GHSA-269g-pwp5-87pp"
          },
          {
            "reference_url": "https://access.redhat.com/errata/RHSA-2022:5532",
            "reference_id": "RHSA-2022:5532",
            "scores": [
              {
                "value": "Important",
                "scoring_system": "rhas"
              }
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:5532"
          }
        ],
        "fixed_packages": [
          {
            "url": "http://public.vulnerablecode.io/api/packages/99502",
            "purl": "pkg:maven/junit/[email protected]",
            "is_vulnerable": false
          }
        ]
      }
    ],
    "fixing_vulnerabilities": [],
    "unresolved_vulnerabilities": [
      {
        "url": "http://public.vulnerablecode.io/api/vulnerabilities/1265",
        "vulnerability_id": "VCID-e1bu-4uh4-aaac",
        "summary": "",
        "references": [
          {
            "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15250.json",
            "reference_id": "",
            "scores": [
              {
                "value": "4.0",
                "scoring_system": "cvssv3"
              },
              {
                "value": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "scoring_system": "cvssv3_vector"
              }
            ],
            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15250.json"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/issues/1676",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/issues/1676"
          },
          {
            "reference_url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp",
            "reference_id": "",
            "scores": [],
            "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp"
          },
          {
            "reference_url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html",
            "reference_id": "",
            "scores": [],
            "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E"
          },
          {
            "reference_url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "reference_url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html",
            "reference_id": "",
            "scores": [],
            "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html"
          },
          {
            "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html",
            "reference_id": "",
            "scores": [],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887810",
            "reference_id": "1887810",
            "scores": [
              {
                "value": "low",
                "scoring_system": "rhbs"
              }
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887810"
          },
          {
            "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972231",
            "reference_id": "972231",
            "scores": [],
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972231"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:junit:junit4:*:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "reference_id": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
          },
          {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250",
            "reference_id": "CVE-2020-15250",
            "scores": [
              {
                "value": "1.9",
                "scoring_system": "cvssv2"
              },
              {
                "value": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
                "scoring_system": "cvssv2_vector"
              },
              {
                "value": "5.5",
                "scoring_system": "cvssv3"
              },
              {
                "value": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "scoring_system": "cvssv3_vector"
              }
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250"
          },
          {
            "reference_url": "https://github.com/advisories/GHSA-269g-pwp5-87pp",
            "reference_id": "GHSA-269g-pwp5-87pp",
            "scores": [
              {
                "value": "MODERATE",
                "scoring_system": "cvssv3.1_qr"
              }
            ],
            "url": "https://github.com/advisories/GHSA-269g-pwp5-87pp"
          },
          {
            "reference_url": "https://access.redhat.com/errata/RHSA-2022:5532",
            "reference_id": "RHSA-2022:5532",
            "scores": [
              {
                "value": "Important",
                "scoring_system": "rhas"
              }
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:5532"
          }
        ],
        "fixed_packages": [
          {
            "url": "http://public.vulnerablecode.io/api/packages/99502",
            "purl": "pkg:maven/junit/[email protected]",
            "is_vulnerable": false
          }
        ]
      }
    ]
  }
]

So interestingly for https://github.com/advisories/GHSA-269g-pwp5-87pp there's a score, but for https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp there's not. Maybe only "top-level" advisories get a score attached?

sschuberth avatar Nov 11 '22 18:11 sschuberth

Or rather, maybe no score is attached if the scoring system is unknown? But still, having something like "Low" could be useful.

sschuberth avatar Nov 11 '22 19:11 sschuberth

So let me unpack what we have here:

  • https://github.com/advisories/GHSA-269g-pwp5-87pp has a moderate score
  • https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp has a low score

We collected https://github.com/advisories/GHSA-269g-pwp5-87pp and got the score. But we did not collect https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp and instead just got it as a reference.

The resolution would be to also collect GH advisories published at the package level, as they are eventually different: both the score and version ranges are different (though these would likely need to be reconciled and merged).

pombredanne avatar Nov 12 '22 11:11 pombredanne
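Checking for exactly this pattern across a bulk-search response, as an added example that is not VulnerableCode's own code: it walks the response shape quoted above, groups references by GHSA id (taken from reference_id, or from the URL when reference_id is empty, which is assumed to be the case for the package-level URL), and reports each unscored GHSA URL alongside the scores another URL for the same id already carries. The sample response is constructed.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the bulk-search response quoted in this
# thread: one package, one vulnerability, three references. The same GHSA id
# appears as a scored global advisory URL and as an unscored package-level URL.
SAMPLE_RESPONSE = json.loads("""
[{"purl": "pkg:maven/junit/junit@4.12",
  "affected_by_vulnerabilities": [{
    "vulnerability_id": "VCID-e1bu-4uh4-aaac",
    "references": [
      {"reference_url": "https://github.com/advisories/GHSA-269g-pwp5-87pp",
       "reference_id": "GHSA-269g-pwp5-87pp",
       "scores": [{"value": "MODERATE", "scoring_system": "cvssv3.1_qr"}]},
      {"reference_url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp",
       "reference_id": "",
       "scores": []},
      {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250",
       "reference_id": "CVE-2020-15250",
       "scores": [{"value": "5.5", "scoring_system": "cvssv3"}]}
    ]}]}]
""")

GHSA_ID_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")


def ghsa_id(reference):
    """GHSA id from reference_id, else from the URL (package-level URLs may lack one)."""
    for field in ("reference_id", "reference_url"):
        match = GHSA_ID_RE.search(reference.get(field) or "")
        if match:
            return match.group(0)
    return None


def unscored_ghsa_references(bulk_response):
    """Map unscored GHSA reference URLs to the scores other URLs for the same id carry."""
    by_id = defaultdict(list)
    for package in bulk_response:
        for vuln in package.get("affected_by_vulnerabilities", []):
            for ref in vuln.get("references", []):
                gid = ghsa_id(ref)
                if gid:
                    by_id[gid].append(ref)
    report = {}
    for refs in by_id.values():
        known = [(s["scoring_system"], s["value"]) for r in refs for s in r["scores"]]
        report.update({r["reference_url"]: known for r in refs if not r["scores"]})
    return report
```

For the sample, the package-level URL is reported with the MODERATE cvssv3.1_qr score taken from the global advisory URL, which is the reconciliation step the resolution above would need.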