
Odd behavior for certain vulnerability searches

Open johnmhoran opened this issue 1 year ago • 1 comments

I just noticed odd results from a vulnerability search that appear to be related to the number of aliases for that vulnerability.

For example, if I search for cve, my local DB returns 4,629 records. 1 record is VULCOID-1, and the vulnerability search results table shows 351 Affected packages and 2 Fixed packages. If I search just for VULCOID-1, the search results table shows that same data for that vulnerability.

Another record in the cve search results is VULCOID-106, which according to the table has 215 Affected packages and 10 Fixed packages. However, if I search just for VULCOID-106, the search results table shows 430 Affected packages and 20 Fixed packages -- 2x the amount shown in the cve search results table.

Digging around, I see that VULCOID-1 has 1 related alias while VULCOID-106 has 2 related aliases. Other samples produce similar results, suggesting the vulnerability search results code (the numbers in my new details page look OK) somehow multiplies the Affected package and Fixed package counts by the number of aliases when the search is for a VULCOID.

johnmhoran avatar Aug 10 '22 20:08 johnmhoran

With thanks to @TG1999 for the solution, we seem to have resolved this issue by adding distinct=True to both Count() parentheticals:

    from django.db.models import Count, Q

    # project models module (vulnerabilities.models in vulnerablecode)
    from vulnerabilities import models

    # static method of the search view class; shown here without the class body
    @staticmethod
    def request_to_vulnerabilities(request):
        vuln_id = request.GET["vuln_id"]
        return list(
            # match either the VULCOID itself or any alias containing the search string;
            # the OR across the aliases relation makes the ORM LEFT JOIN the alias table,
            # so a vulnerability with N matching aliases yields N joined rows
            models.Vulnerability.objects.filter(
                Q(vulnerability_id=vuln_id) | Q(aliases__alias__icontains=vuln_id)
            )
            # this sorts by VULCOID
            .order_by("vulnerability_id").annotate(
                # distinct=True counts each package once regardless of how many
                # alias rows it was joined against
                vulnerable_package_count=Count(
                    "packages", filter=Q(packagerelatedvulnerability__fix=False), distinct=True
                ),
                patched_package_count=Count(
                    "packages", filter=Q(packagerelatedvulnerability__fix=True), distinct=True
                ),
            )
        )

johnmhoran avatar Aug 10 '22 22:08 johnmhoran
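The root cause in the fix above is a join fan-out: the OR filter joins the aliases table, so every package row is repeated once per alias row that survives the WHERE clause, and a plain `Count()` counts the repeats. The following is an added example, not code from the issue or from vulnerablecode. It rebuilds the situation in plain SQL on an in-memory SQLite database with a constructed, simplified three-table schema (`vulnerability`, `alias`, `package_related_vulnerability`) that stands in for the project's models; the table and column names, the placeholder aliases and the package counts are all constructed. It runs the query that the ORM generates in spirit, once with `COUNT(...)` (the bug) and once with `COUNT(DISTINCT ...)` (the fix), and also shows why a search on a string that matches only one of a vulnerability's aliases returns the unduplicated count while a search on the VULCOID itself (which keeps every alias row) returns a multiple, consistent with what the report describes.

```python
import sqlite3

# Constructed, simplified stand-in for the tables involved (not vulnerablecode's schema).
SCHEMA = """
CREATE TABLE vulnerability (id INTEGER PRIMARY KEY, vulnerability_id TEXT);
CREATE TABLE alias (id INTEGER PRIMARY KEY, vulnerability_id INTEGER, alias TEXT);
CREATE TABLE package_related_vulnerability (
    id INTEGER PRIMARY KEY, vulnerability_id INTEGER, package_id INTEGER, fix INTEGER);
"""


def build_db():
    """Populate an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO vulnerability VALUES (1, 'VULCOID-1'), (106, 'VULCOID-106')")
    # VULCOID-1 has one alias, VULCOID-106 has two (mirrors the issue); alias values are placeholders
    conn.executemany(
        "INSERT INTO alias VALUES (?, ?, ?)",
        [(1, 1, "CVE-0000-0001"), (2, 106, "CVE-0000-0106"), (3, 106, "GHSA-xxxx-xxxx-xxxx")],
    )
    # VULCOID-1: 3 affected + 1 fixed package; VULCOID-106: 2 affected + 1 fixed package
    conn.executemany(
        "INSERT INTO package_related_vulnerability VALUES (?, ?, ?, ?)",
        [(1, 1, 10, 0), (2, 1, 11, 0), (3, 1, 12, 0), (4, 1, 13, 1),
         (5, 106, 20, 0), (6, 106, 21, 0), (7, 106, 22, 1)],
    )
    return conn


def count_packages(conn, search, distinct):
    """Mirror the ORM query: match on the VULCOID or on an alias substring (LEFT JOIN on
    aliases), then count unfixed and fixed packages per vulnerability.
    distinct=False reproduces the inflated counts; distinct=True is the fix."""
    agg = "COUNT(DISTINCT {})" if distinct else "COUNT({})"
    sql = f"""
    SELECT v.vulnerability_id,
           {agg.format("CASE WHEN prv.fix = 0 THEN prv.package_id END")} AS vulnerable,
           {agg.format("CASE WHEN prv.fix = 1 THEN prv.package_id END")} AS patched
    FROM vulnerability v
    LEFT JOIN alias a ON a.vulnerability_id = v.id
    LEFT JOIN package_related_vulnerability prv ON prv.vulnerability_id = v.id
    WHERE v.vulnerability_id = ? OR a.alias LIKE '%' || ? || '%'
    GROUP BY v.id
    ORDER BY v.vulnerability_id
    """
    # SQLite LIKE is case-insensitive for ASCII, like the ORM's icontains
    return {vid: (vuln, patched) for vid, vuln, patched in conn.execute(sql, (search, search))}


def explain_fanout(conn, search):
    """Return the raw joined rows for a VULCOID search so the duplication is visible."""
    sql = """
    SELECT v.vulnerability_id, a.alias, prv.package_id, prv.fix
    FROM vulnerability v
    LEFT JOIN alias a ON a.vulnerability_id = v.id
    LEFT JOIN package_related_vulnerability prv ON prv.vulnerability_id = v.id
    WHERE v.vulnerability_id = ? OR a.alias LIKE '%' || ? || '%'
    ORDER BY a.alias, prv.package_id
    """
    return conn.execute(sql, (search, search)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for term in ("VULCOID-1", "VULCOID-106", "cve"):
        print(term, "buggy:", count_packages(db, term, distinct=False),
              "fixed:", count_packages(db, term, distinct=True))
    for row in explain_fanout(db, "VULCOID-106"):
        print(row)
```

Searching `VULCOID-106` with the plain `COUNT` returns 4 affected and 2 fixed packages (twice the true 2 and 1) because both alias rows pass the WHERE clause and each is paired with every package row; `COUNT(DISTINCT ...)` collapses them back to 2 and 1. Searching `VULCOID-1` is unaffected because one alias means one joined row per package, and searching `cve` gives the correct numbers for `VULCOID-106` even without `DISTINCT` because only one of its two aliases contains "cve", so the other alias row is filtered out before aggregation. The same reasoning applies to any annotation that aggregates across a multi-valued join: a query that adds a second such relation later (or a filter that matches more aliases) will silently inflate the count unless it is distinct.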

This was addressed back on 8/10/22 and I should have closed it then.

johnmhoran avatar Aug 24 '22 18:08 johnmhoran