Affected versions incorrectly migrated from V4 #52

Open
jspisiak-istrosec opened this issue May 20, 2024 · 0 comments

Problem a

Around one thousand affected products have a version specifier where version == lessThanOrEqual. This might be because of the transformation from the v4 schema. In the v5 schema, however, this situation causes incomplete versioning information, since according to the lessThanOrEqual documentation the matched version should lie within the closed interval [version, lessThanOrEqual], which when version == lessThanOrEqual covers only a single version. Usually the descriptions of the CVE also specify that versions earlier than version were affected, thus I believe this migration to be incorrect.

Some examples:

Problem b

Some affected products have a version where version == lessThan + "*". This might be caused by v4 data containing version_affected == ">=". I am not sure what the correct transformation should be, but currently it produces a strange result where the lessThan specifier might have a value such as 1.3.0*.

Some examples:

Thank you for your input
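A small check for the two patterns described in this issue, added here as an example and not code from the project the issue is filed against; it assumes the CVE JSON 5 layout containers.cna.affected[].versions[] and runs over a constructed record with a placeholder CVE id.

```python
"""Flag affected-version entries in a CVE JSON 5 record that match the two
migration artefacts described in the issue:
  a) version == lessThanOrEqual  (closed interval collapses to one version)
  b) lessThan ends with "*"      (wildcard leaked into an upper bound)
"""

# Constructed sample record (placeholder id, not a real CVE); only the fields
# the check needs are present.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {"cna": {"affected": [
        {"vendor": "ExampleVendor", "product": "ExampleProduct", "versions": [
            # problem a: version and lessThanOrEqual are identical
            {"version": "2.1.0", "status": "affected",
             "lessThanOrEqual": "2.1.0", "versionType": "custom"},
            # problem b: wildcard carried into lessThan
            {"version": "1.3.0*", "status": "affected",
             "lessThan": "1.3.0*", "versionType": "custom"},
            # a well-formed half-open range, should not be flagged
            {"version": "0", "status": "affected",
             "lessThan": "3.0.0", "versionType": "custom"},
        ]},
    ]}},
}


def find_suspicious_version_ranges(record):
    """Return (cveId, vendor/product, versions index, reason) tuples for every
    versions[] entry that matches problem (a) or (b); empty list means clean."""
    findings = []
    cve_id = record.get("cveMetadata", {}).get("cveId", "<unknown>")
    affected = record.get("containers", {}).get("cna", {}).get("affected", [])
    for product in affected:
        name = f"{product.get('vendor', '?')}/{product.get('product', '?')}"
        for idx, entry in enumerate(product.get("versions", [])):
            version = entry.get("version")
            lte = entry.get("lessThanOrEqual")
            lt = entry.get("lessThan")
            # (a) [version, lessThanOrEqual] with equal ends is one version only
            if lte is not None and version == lte:
                findings.append((cve_id, name, idx, "single-version-interval"))
            # (b) a wildcard in lessThan is not a usable upper bound
            if lt is not None and lt.endswith("*"):
                findings.append((cve_id, name, idx, "wildcard-lessThan"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_version_ranges(SAMPLE_RECORD):
        print(finding)
```

Point the function at each record in a cvelistV5 checkout to count how many migrated entries match either pattern.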
