
Inconsistent `wolfictl advisory list` return if CVE alias is used

Open philroche opened this issue 7 months ago • 0 comments

Description

CVE GHSA-vrpq-qp53-qv56 and CVE-2025-4949 are the same CVE (see https://github.com/advisories/GHSA-vrpq-qp53-qv56), but when I run `wolfictl advisory list` I get different results depending on the CVE identifier I use.

➜  wolfictl advisory list --advisories-repo-dir "/home/philroche/Working/advisories/" --package "gradle-8" --vuln "CVE-2025-4949" --output json  | jq
[
  {
    "packageName": "gradle-8",
    "id": "CGA-2h3q-7r7p-cmjc",
    "aliases": [
      "CVE-2025-4949",
      "GHSA-vrpq-qp53-qv56"
    ],
    "events": [
      {
        "timestamp": "2025-05-23T07:20:07Z",
        "type": "detection",
        "data": {
          "type": "scan/v1",
          "data": {
            "SubpackageName": "gradle-8",
            "ComponentID": "9ea55c9375ff6d99",
            "ComponentName": "org.eclipse.jgit",
            "ComponentVersion": "5.13.3.202401111512-r",
            "ComponentType": "java-archive",
            "ComponentLocation": "/usr/share/java/gradle/lib/plugins/org.eclipse.jgit-5.13.3.202401111512-r.jar",
            "Scanner": "grype"
          }
        }
      }
    ]
  }
]
➜  git:(main) wolfictl advisory list --advisories-repo-dir "/home/philroche/Working/advisories/" --package "gradle-8" --vuln "GHSA-vrpq-qp53-qv56" --output json  | jq
[
  {
    "packageName": "gradle-8",
    "id": "CGA-2h3q-7r7p-cmjc",
    "aliases": [
      "CVE-2025-4949",
      "GHSA-vrpq-qp53-qv56"
    ],
    "events": [
      {
        "timestamp": "2025-05-27T20:15:11Z",
        "type": "fixed",
        "data": {
          "fixedVersion": "8.14.1-r1"
        }
      }
    ]
  }
]

Should this always return the fixed event as defined @ https://github.com/wolfi-dev/advisories/blob/de7ba85385188796b35cdcb4c4da90098a042236/gradle-8.advisories.yaml#L24?

philroche · Jun 17 '25 11:06
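The behaviour the report expects is that every identifier attached to one advisory (its CGA id, the CVE and the GHSA alias) resolves to the same record with the complete event timeline, and that the latest event (here the `fixed` one) is what a consumer acts on. The following Go program is an added illustration of that alias-resolution model and of a consistency check between two lookups; it is not wolfictl's own code, its `Advisory`, `Event`, `Index`, `Lookup`, `Latest` and `SameEvents` types and functions are hypothetical, and the sample advisory is constructed from the identifiers and events shown in the issue output above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one entry in an advisory's timeline (detection, fixed, ...).
// Hypothetical simplified type, not wolfictl's schema.
type Event struct {
	Timestamp string
	Type      string
	Data      map[string]string
}

// Advisory is a simplified advisory record (hypothetical, not wolfictl's type).
type Advisory struct {
	PackageName string
	ID          string
	Aliases     []string
	Events      []Event
}

// Index maps every identifier (the CGA id and each alias) to its advisory,
// so a lookup by any of them yields the same full record.
type Index struct {
	byID map[string]*Advisory
}

// normalize makes identifier matching case- and whitespace-insensitive.
func normalize(id string) string {
	return strings.ToUpper(strings.TrimSpace(id))
}

// NewIndex builds the alias index over a set of advisories.
func NewIndex(advs []*Advisory) *Index {
	idx := &Index{byID: make(map[string]*Advisory)}
	for _, a := range advs {
		idx.byID[normalize(a.ID)] = a
		for _, alias := range a.Aliases {
			idx.byID[normalize(alias)] = a
		}
	}
	return idx
}

// Lookup resolves any identifier to the full advisory, events included.
func (idx *Index) Lookup(vuln string) (*Advisory, bool) {
	a, ok := idx.byID[normalize(vuln)]
	return a, ok
}

// Latest returns the most recent event by timestamp. RFC 3339 UTC strings of
// identical layout sort correctly as plain strings, which is the case here.
func Latest(a *Advisory) (Event, bool) {
	if len(a.Events) == 0 {
		return Event{}, false
	}
	evs := append([]Event(nil), a.Events...)
	sort.Slice(evs, func(i, j int) bool { return evs[i].Timestamp < evs[j].Timestamp })
	return evs[len(evs)-1], true
}

// SameEvents reports whether two lookups returned the same event timeline,
// independent of the order in which the events came back.
func SameEvents(x, y []Event) bool {
	if len(x) != len(y) {
		return false
	}
	key := func(e Event) string { return e.Timestamp + "|" + e.Type }
	seen := map[string]int{}
	for _, e := range x {
		seen[key(e)]++
	}
	for _, e := range y {
		seen[key(e)]--
		if seen[key(e)] < 0 {
			return false
		}
	}
	return true
}

// sampleAdvisory is constructed from the identifiers and events in the issue.
func sampleAdvisory() *Advisory {
	return &Advisory{
		PackageName: "gradle-8",
		ID:          "CGA-2h3q-7r7p-cmjc",
		Aliases:     []string{"CVE-2025-4949", "GHSA-vrpq-qp53-qv56"},
		Events: []Event{
			{Timestamp: "2025-05-23T07:20:07Z", Type: "detection", Data: map[string]string{"scanner": "grype"}},
			{Timestamp: "2025-05-27T20:15:11Z", Type: "fixed", Data: map[string]string{"fixedVersion": "8.14.1-r1"}},
		},
	}
}

func main() {
	idx := NewIndex([]*Advisory{sampleAdvisory()})
	byCVE, _ := idx.Lookup("CVE-2025-4949")
	byGHSA, _ := idx.Lookup("ghsa-vrpq-qp53-qv56")
	fmt.Println("same timeline:", SameEvents(byCVE.Events, byGHSA.Events))
	if ev, ok := Latest(byCVE); ok {
		fmt.Println("latest:", ev.Type, ev.Data["fixedVersion"])
	}
}
```

`SameEvents` is the check a practitioner can run over the two `--output json` results from the issue: with the outputs shown above it returns false, which is exactly the inconsistency being reported, whereas a lookup that goes through a shared alias index returns the same timeline for either identifier.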