vulnerablecode icon indicating copy to clipboard operation
vulnerablecode copied to clipboard
verified publisher icon nexB

Some fixed-by version data is incorrect and needs to be investigated

Open johnmhoran opened this issue 2 years ago • 4 comments

While @pombredanne and I were reviewing the VCIO UI, it became clear that some of the data displayed in the Fixed by packages tab of the Vulnerability details page -- and thus the data in the DB -- is incorrect. The example was a query for VCID-2nyb-8rwu-aaag. The last 2 entries in the resulting Fixed by packages tab are

pkg:maven/com.fasterxml.jackson.core/[email protected]
pkg:maven/com.fasterxml.jackson.core/[email protected]

It seems counterintuitive that both of these versions would have been fixed rather than just one of them, and indeed an examination of the NVD Change History section for the CVE (https://nvd.nist.gov/vuln/detail/CVE-2020-36518#VulnChangeHistorySection) reflects that the vulnerability was fixed in 2.13.2.1 but not in 2.13.2.

image

johnmhoran avatar Aug 31 '23 22:08 johnmhoran

See also this related data-quality issue I opened recently: Some UI package queries return duplicate copies of the same Package URL.

johnmhoran avatar Aug 31 '23 22:08 johnmhoran

It still may be useful to consider converting CPE values to PURLs. Needs some analysis to specify how that can be done in a consistent manner acceptable to the community.

DennisClark avatar Jul 02 '24 15:07 DennisClark

We need to:

  • Map CPEs to PURLs (when not too complex).
  • Parse CPE version ranges to vers.
  • Handle updates to the CPE configuration in a CVE.

DennisClark avatar Jul 02 '24 15:07 DennisClark

a useful reference here (thanks @keshav-space ):
https://github.com/scanoss/purl2cpe

DennisClark avatar Jul 02 '24 16:07 DennisClark