vulnerablecode
A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase...
The change at https://github.com/nexB/vulnerablecode/commit/0fe73ef18b5e2af63251eadf9809a03d0a803907#diff-11856d929972b1aa71dcd476298a831d6b598b291c0638057af6d62050ba4a15R192 makes many importers crash.
For example, CVE-2023-38286 for `pkg:maven/de.codecentric/spring-boot-admin-server`: - [github advisories](https://github.com/advisories/GHSA-7gj7-224w-vpr3) say affected versions `
https://docs.docker.com/compose/migrate/ > From July 2023 Compose V1 stopped receiving updates. It's also no longer available in new releases of Docker Desktop. All the documentation is using the old compose `docker-compose`...
Also, the default Docker image should be based on Python 3.12
issue: https://github.com/nexB/vulnerablecode/issues/1487 related pull request: https://github.com/nexB/vulnerablecode/pull/1518 The importer list that required an update: - [ ] nvd, - [ ] github - [ ] gitlab - [ ] npm -...
We can have a default duration for expiry or allow users to set their own expiry date, or both. Another idea is to have the key with dynamic expiry based...
While working on https://github.com/nexB/vulnerablecode/issues/1287, I noticed that when the results of a UI Package search query for a PURL with a qualifier include a PURL with a qualifier, the PURL...
In https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741 we have this data:

```
FEDORA:FEDORA-2022-12721789aa URL:https://lists.fedoraproject.org/archives/list/[email protected]/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/
FEDORA:FEDORA-2022-97de53f202 URL:https://lists.fedoraproject.org/archives/list/[email protected]/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/
FEDORA:FEDORA-2022-b0f5bc2175 URL:https://lists.fedoraproject.org/archives/list/[email protected]/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/
```

These `FEDORA:FEDORA-2022-12721789aa`-like ids seem to be for "Fedora updates" as for https://bodhi.fedoraproject.org/updates/FEDORA-2022-12721789aa and their announce email
We've had some brief discussions recently suggesting that I explore changes to the UI Vulnerability content and focus, which I understood to mean removing the Vulnerability-specific UI pages (e.g., details)...
In the UI and API, we should not mix unrelated affected and fixed packages. For instance for https://public.vulnerablecode.io/vulnerabilities/VCID-pst1-g1u7-aaan for CVE-2022-21704, the affected "pkg:npm/[email protected]" is surely not fixed by "pkg:deb/debian/[email protected]" ...