Check if OLD nodejs advisories are still relevant (was: Find a way to ingest advisories without aliases)
In this advisory no alias is attached: https://github.com/nodejs/security-wg/blob/main/vuln/npm/104.json. We should store a made-up alias for these advisories.
- We should be able to create things without an alias. Or use some made-up alias if need be? Only if we could use this consistently, which based on the data below is unlikely.
Separate advisories could be merged in the future using other things than just an alias. This would be a great improver project.
- This is a bit more involved on the data side as this also looks to be the same as:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10534
- https://github.com/electron/electron-packager/issues/333
- https://osv.dev/vulnerability/GHSA-q43m-ffwr-rpcc
These are more reasons to merge with other keys than an alias considering descriptions, references and more beyond aliases.
@pombredanne in the current situation when we don't have any aliases, every time the improver runs it creates different VCIDs for the same vulnerability (we use aliases for merging as of now, and in the absence of an alias there is no way with the current code for us to know if 2 vulnerabilities are the same or not). I think we should check for similarity in references for the case when there is no alias in the advisory.
IMO we should never create a VCID, if we have exact same references for another VCID.
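An added illustration of the rule proposed in the comment above (example code, not part of VulnerableCode or this thread): advisories are grouped into one vulnerability when they share an alias, and an alias-less advisory whose normalized reference set exactly matches another advisory's joins that one instead of getting a fresh VCID on every run. The advisory dicts, ids and URLs below are constructed sample data modelled on the electron-packager case.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit


def normalize_reference(url):
    """Canonicalize a reference URL so the same link written two ways compares equal."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query, ""))


def merge_keys(advisory):
    """Keys on which two advisories count as the same vulnerability: any shared alias,
    or an identical normalized reference set (so an alias-less advisory attaches to an
    existing VCID instead of getting a fresh one on every improver run)."""
    keys = {("alias", a.upper()) for a in advisory.get("aliases", [])}
    refs = frozenset(normalize_reference(r) for r in advisory.get("references", []))
    if refs:
        keys.add(("refs", refs))
    return keys


def group_advisories(advisories):
    """Union-find over merge keys; returns one sorted list of advisory ids per VCID."""
    parent = list(range(len(advisories)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # merge key -> index of the first advisory carrying it
    for i, adv in enumerate(advisories):
        for key in merge_keys(adv):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, adv in enumerate(advisories):
        groups[find(i)].append(adv["id"])
    return sorted(sorted(g) for g in groups.values())


# Constructed sample input (not real importer output), modelled on the case discussed above.
SAMPLE_ADVISORIES = [
    {"id": "nodejs-wg-104", "aliases": [], "references": ["https://github.com/electron/electron-packager/issues/333"]},
    {"id": "nodejs-wg-104-rerun", "aliases": [], "references": ["https://GitHub.com/electron/electron-packager/issues/333/"]},
    {"id": "nvd-CVE-2016-10534", "aliases": ["CVE-2016-10534"], "references": ["https://nvd.nist.gov/vuln/detail/CVE-2016-10534"]},
    {"id": "ghsa-q43m-ffwr-rpcc", "aliases": ["GHSA-q43m-ffwr-rpcc", "CVE-2016-10534"], "references": ["https://github.com/electron/electron-packager/issues/333"]},
    {"id": "nodejs-wg-unrelated", "aliases": [], "references": ["https://example.invalid/some-other-issue"]},
]
```

The two alias-less nodejs entries collapse into one group and, through the shared issue link, join the CVE/GHSA pair, while the unrelated entry keeps its own group.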
In the specific case listed in the description, this is no longer an issue ... https://public.vulnerablecode.io/packages/pkg:npm/[email protected]?search=packager is now provided by other sources, and the old nodejs advisories are likely obsolete. If they are we should simply drop the importer.
- https://github.com/nodejs/security-wg/tree/main/vuln/npm is only about npms and seems unmaintained and we could write a script to check we have them all through other sources
- https://github.com/nodejs/security-wg/tree/main/vuln/core is maintained and is strictly about nodejs... we likely should create a new PURL type for those
needs more discussion