vulnerablecode
Odd behavior for certain vulnerability searches
I just noticed odd results from a vulnerability search that appear to be related to the number of aliases for that vulnerability.

For example, if I search for cve, my local DB returns 4,629 records. 1 record is VULCOID-1, and the vulnerability search results table shows 351 Affected packages and 2 Fixed packages. If I search just for VULCOID-1, the search results table shows that same data for that vulnerability.

Another record in the cve search results is VULCOID-106, which according to the table has 215 Affected packages and 10 Fixed packages. However, if I search just for VULCOID-106, the search results table shows 430 Affected packages and 20 Fixed packages -- 2x the amount shown in the cve search results table.

Digging around, I see that VULCOID-1 has 1 related alias while VULCOID-106 has 2 related aliases. Other samples produce similar results, suggesting the vulnerability search results code (the numbers in my new details page look OK) somehow multiplies the Affected package and Fixed package counts by the number of aliases when the search is for a VULCOID.
With thanks to @TG1999 for the solution, we seem to have resolved this issue by adding distinct=True to both Count() parentheticals:
```python
from django.db.models import Count, Q

from vulnerabilities import models  # assumed import path for the Vulnerability model


# Method of the vulnerability search view class (the enclosing class is omitted here).
@staticmethod
def request_to_vulnerabilities(request):
    vuln_id = request.GET["vuln_id"]
    return list(
        models.Vulnerability.objects.filter(
            # exact VULCOID match, or a case-insensitive substring match on any alias
            Q(vulnerability_id=vuln_id) | Q(aliases__alias__icontains=vuln_id)
        )
        # this sorts by VULCOID
        .order_by("vulnerability_id").annotate(
            # distinct=True keeps the alias join from counting each package once per alias
            vulnerable_package_count=Count(
                "packages", filter=Q(packagerelatedvulnerability__fix=False), distinct=True
            ),
            patched_package_count=Count(
                "packages", filter=Q(packagerelatedvulnerability__fix=True), distinct=True
            ),
        )
    )
```
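To see why the alias join multiplies the counts, here is an added example (not code from the vulnerablecode project) that reproduces the view's query in plain SQL over constructed in-memory SQLite tables. Table and column names are assumptions that mirror the Django field names above; the data gives VULCOID-106 two aliases, only one of which mentions a CVE, which is exactly the situation where a search for "cve" counts correctly but a search for "VULCOID-106" doubles the numbers unless COUNT(DISTINCT ...) is used.

```python
import sqlite3

# Constructed in-memory schema standing in for the three tables the ORM query joins.
SCHEMA = """
CREATE TABLE vulnerability (id INTEGER PRIMARY KEY, vulnerability_id TEXT);
CREATE TABLE alias (id INTEGER PRIMARY KEY, vulnerability_id INTEGER, alias TEXT);
CREATE TABLE packagerelatedvulnerability (
    id INTEGER PRIMARY KEY, vulnerability_id INTEGER, package_id INTEGER, fix INTEGER);
INSERT INTO vulnerability VALUES (1, 'VULCOID-1'), (2, 'VULCOID-106');
-- constructed aliases: VULCOID-1 has one, VULCOID-106 has two (only one contains 'CVE')
INSERT INTO alias VALUES (1, 1, 'CVE-2020-0001'), (2, 2, 'CVE-2021-0002'), (3, 2, 'GHSA-xxxx-yyyy');
-- constructed packages: VULCOID-1 has 2 vulnerable + 1 fixed, VULCOID-106 has 3 vulnerable + 1 fixed
INSERT INTO packagerelatedvulnerability VALUES
    (1, 1, 10, 0), (2, 1, 11, 0), (3, 1, 12, 1),
    (4, 2, 20, 0), (5, 2, 21, 0), (6, 2, 22, 0), (7, 2, 23, 1);
"""


def package_counts(search: str, distinct: bool) -> dict:
    """Run the search the way the view does (exact VULCOID match OR alias icontains)
    and return {vulnerability_id: (vulnerable_package_count, patched_package_count)}."""
    agg = "COUNT(DISTINCT {})" if distinct else "COUNT({})"
    # Django renders Count(..., filter=Q(...)) as COUNT(CASE WHEN <filter> THEN <col> END)
    vulnerable = agg.format("CASE WHEN prv.fix = 0 THEN prv.package_id END")
    patched = agg.format("CASE WHEN prv.fix = 1 THEN prv.package_id END")
    sql = f"""
        SELECT v.vulnerability_id, {vulnerable}, {patched}
        FROM vulnerability v
        LEFT JOIN alias a ON a.vulnerability_id = v.id
        LEFT JOIN packagerelatedvulnerability prv ON prv.vulnerability_id = v.id
        WHERE v.vulnerability_id = ? OR a.alias LIKE ?
        GROUP BY v.id, v.vulnerability_id
        ORDER BY v.vulnerability_id
    """
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rows = con.execute(sql, (search, f"%{search}%")).fetchall()
    con.close()
    return {vid: (vuln, fixed) for vid, vuln, fixed in rows}


if __name__ == "__main__":
    for term in ("cve", "VULCOID-106"):
        print(term, "without distinct:", package_counts(term, False))
        print(term, "with distinct:   ", package_counts(term, True))
```

Without DISTINCT, the exact VULCOID match keeps every alias row of the vulnerability, so each package row appears once per alias and the counts come out doubled; the "cve" search keeps only the one alias row that matches, which is why those numbers looked right.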
This was addressed back on 8/10/22 and I should have closed it then.