
What if different advisories report different version range for the same vulnerability?

Open · sify21 opened this issue 2 years ago · 1 comment

For example, CVE-2023-38286 for pkg:maven/de.codecentric/spring-boot-admin-server:

The commit that fixes this is actually included in version 3.1.2.

Currently in vulnerablecode, GitLabAPIImporter and GitHubAPIImporter report different version ranges accordingly, and DefaultImprover decides that this is fixed in version 3.1.1. [image attached]

Maybe for vulnerablecode, it should use the largest range for affected versions? That is, it should use "affected_version_range": "vers:maven/<3.1.2" collected by GitHubAPIImporter, rather than "affected_version_range": "vers:maven/<=3.1.0" collected by GitLabAPIImporter.

sify21 avatar Sep 12 '23 11:09 sify21
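To make the disagreement concrete, here is an added illustration (not vulnerablecode's own code, and not the univers library it uses for `vers` handling) that parses the two ranges quoted above with a deliberately small subset of the `vers` syntax (plain dotted-numeric versions, the comparators `<`, `<=`, `>`, `>=`, `=`, and `*`) and evaluates a candidate version against each source and against their union, which is the "largest range" behaviour proposed in the issue. The importer names are taken from the issue; the `ADVISORY_RANGES` mapping and the candidate version list are constructed sample input.

```python
# Simplified vers evaluator, added for illustration only. It is not the univers
# library vulnerablecode relies on and supports only numeric dotted versions and
# the comparators <, <=, >, >=, = plus the '*' wildcard.

COMPARATORS = ("<=", ">=", "!=", "<", ">", "=")  # two-character forms first


def parse_version(text):
    """Turn '3.1.2' into (3, 1, 2) so that Python tuple comparison orders versions."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_vers(vers):
    """Parse 'vers:maven/<3.1.2|>=1.0' into (scheme, [(comparator, version_tuple), ...])."""
    if not vers.startswith("vers:"):
        raise ValueError(f"not a vers string: {vers}")
    scheme, _, constraints = vers[len("vers:"):].partition("/")
    parsed = []
    for constraint in constraints.split("|"):
        constraint = constraint.strip()
        if constraint == "*":
            continue  # '*' = every version; represented here by an empty constraint list
        for comp in COMPARATORS:
            if constraint.startswith(comp):
                if comp == "!=":
                    raise ValueError("'!=' exclusions are not handled by this simplified model")
                parsed.append((comp, parse_version(constraint[len(comp):])))
                break
        else:
            parsed.append(("=", parse_version(constraint)))  # bare version means equality
    return scheme, parsed


def to_intervals(constraints):
    """Apply the vers pairing rule: sort constraints, then a lower bound (>, >=) followed
    by an upper bound (<, <=) forms one interval, an unpaired bound is open on the other
    side, and '=' is a single point. Each interval is (low, low_incl, high, high_incl)."""
    intervals = []
    pending_low = None
    for comp, ver in sorted(constraints, key=lambda c: c[1]):
        if comp == "=":
            intervals.append((ver, True, ver, True))
        elif comp in (">", ">="):
            if pending_low is not None:  # previous lower bound was never closed
                intervals.append((pending_low[0], pending_low[1], None, False))
            pending_low = (ver, comp == ">=")
        else:  # '<' or '<='
            low, low_incl = pending_low if pending_low else (None, False)
            intervals.append((low, low_incl, ver, comp == "<="))
            pending_low = None
    if pending_low is not None:
        intervals.append((pending_low[0], pending_low[1], None, False))
    return intervals


def contains(intervals, version):
    """True if `version` (a tuple) falls inside any interval."""
    for low, low_incl, high, high_incl in intervals:
        if low is not None and (version < low or (version == low and not low_incl)):
            continue
        if high is not None and (version > high or (version == high and not high_incl)):
            continue
        return True
    return False


def is_affected(vers, version):
    """Evaluate one advisory's vers range against a version string."""
    _, constraints = parse_vers(vers)
    if not constraints:
        return True  # 'vers:<scheme>/*'
    return contains(to_intervals(constraints), parse_version(version))


# Constructed sample: the two ranges the issue quotes for CVE-2023-38286,
# keyed by the importer that reported them.
ADVISORY_RANGES = {
    "GitLabAPIImporter": "vers:maven/<=3.1.0",
    "GitHubAPIImporter": "vers:maven/<3.1.2",
}


def affected_by(ranges, version):
    """Names of the sources whose range includes `version`."""
    return sorted(src for src, vers in ranges.items() if is_affected(vers, version))


def merged_is_affected(ranges, version):
    """Union semantics: affected if any advisory says so (the issue's 'largest range')."""
    return bool(affected_by(ranges, version))


def first_fixed_candidate(ranges, candidates):
    """Smallest candidate version that no advisory flags as affected, or None."""
    for version in sorted(candidates, key=parse_version):
        if not merged_is_affected(ranges, version):
            return version
    return None


if __name__ == "__main__":
    for v in ("3.1.0", "3.1.1", "3.1.2"):
        print(v, "affected per", affected_by(ADVISORY_RANGES, v) or "nobody")
    print("first version clear under the union:",
          first_fixed_candidate(ADVISORY_RANGES, ["3.1.0", "3.1.1", "3.1.2", "3.1.3"]))
```

With the two quoted ranges, `3.1.1` is flagged only by the GitHub range, so a source-by-source view can land on either "affected" or "fixed" depending on which importer wins, while the union view keeps it affected and reports `3.1.2` as the first clear version, matching the fixing commit the issue points to. Versions with qualifiers such as `3.1.0-SNAPSHOT` deliberately raise in `parse_version`; real Maven ordering rules are what univers handles and this stand-in does not.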

We are trying to address this in #1393

pombredanne avatar Aug 07 '24 11:08 pombredanne