Do not mix unrelated affected and fixed packages
In the UI and API, we should not mix unrelated affected and fixed packages. For instance for https://public.vulnerablecode.io/vulnerabilities/VCID-pst1-g1u7-aaan for CVE-2022-21704, the affected "pkg:npm/[email protected]" is surely not fixed by "pkg:deb/debian/[email protected]" ... these are related but completely different PURLs.
- "pkg:npm/[email protected]" MUST be fixed by a "pkg:npm/log4js"
- "pkg:deb/debian/[email protected]" must be fixing some "pkg:deb/debian/node-log4js"
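The rule stated above (an affected PURL may only be paired with a fixed PURL of the same type, namespace and name, differing in version) can be enforced with a small check. This is an added example and not vulnerablecode's own code: it uses a minimal hand-written PURL parser rather than the `packageurl` library, and the version numbers in the sample data are constructed placeholders, not the real fixed versions for CVE-2022-21704.

```python
"""Pair affected packages only with fixed packages of the same PURL identity.

Added example, not vulnerablecode's code. The PURL parser below is a minimal
hand-written one (not the packageurl library) that handles the
pkg:type/namespace/name@version?qualifiers#subpath shape well enough for
this check. Sample versions are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]

    @property
    def identity(self) -> Tuple[str, Optional[str], str]:
        # "Same package" means same type, namespace and name; version is ignored.
        return (self.type, self.namespace, self.name)


def parse_purl(purl: str) -> Purl:
    """Parse a PURL string into its type, namespace, name and version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl!r}")
    rest = purl[len("pkg:"):]
    rest = rest.split("#", 1)[0]   # drop subpath
    rest = rest.split("?", 1)[0]   # drop qualifiers (they may contain '@')
    version = None
    if "@" in rest:
        # rsplit so an encoded '@' earlier in the path is not mistaken for it
        rest, version = rest.rsplit("@", 1)
    parts = rest.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"PURL needs at least a type and a name: {purl!r}")
    ptype = parts[0].lower()
    name = parts[-1]
    namespace = "/".join(parts[1:-1]) or None
    return Purl(ptype, namespace, name, version)


def is_valid_fix(affected: str, fixed: str) -> bool:
    """True only when `fixed` is a version of the very same package as `affected`."""
    return parse_purl(affected).identity == parse_purl(fixed).identity


def group_fixes(affected: List[str], fixed: List[str]) -> Dict[str, List[str]]:
    """Map each affected PURL to the fixed PURLs that can legitimately fix it.

    A fixed PURL of a different type/namespace/name (e.g. a Debian package
    offered as the fix for an npm package) is never attached.
    """
    return {a: [f for f in fixed if is_valid_fix(a, f)] for a in affected}


if __name__ == "__main__":
    # Constructed sample data mirroring the mixed npm/Debian case in the issue.
    affected = ["pkg:npm/log4js@6.3.0", "pkg:deb/debian/node-log4js@6.3.0-1"]
    fixed = ["pkg:npm/log4js@6.4.0", "pkg:deb/debian/node-log4js@6.4.0-1"]
    for a, fixes in group_fixes(affected, fixed).items():
        print(a, "->", fixes)
```

In a view or serializer, the same `identity` comparison is what decides which fixed packages are rendered next to a given affected package; anything that fails `is_valid_fix` belongs to a different package and should be listed under its own affected PURL instead.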
For the UI, see:
- https://github.com/nexB/vulnerablecode/issues/1287
This has been implemented and fixed in the UI by @johnmhoran (Thanks!)
We still need to do the work in the API:
Will fix this in V2 API.
The new API v2 has different semantics and is always by package, therefore this does not apply there anymore. Closing now!