
CVE-2020-0353 - Inconsistent PURL #118

Open

mir-am opened this issue Mar 11, 2022 · 2 comments

Comments

@mir-am (Contributor)

mir-am commented Mar 11, 2022

For CVE-2020-0353, there are two different invalid PURLs:
1. The statement file on FS: `pkg:deb/debian/linux@11.0`
2. In Postgres, it is `pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0`.

By looking at the CVE on the NVD website, it is related to Google's Android.
https://nvd.nist.gov/vuln/detail/CVE-2020-0353

@mir-am mir-am changed the title CVE-2020-0353 - Invalid PURL mapping CVE-2020-0353 - Invalid PURL Mar 14, 2022
@mir-am mir-am changed the title CVE-2020-0353 - Invalid PURL CVE-2020-0353 - Inconsistent PURL Mar 14, 2022
@MagielBruntink (Member)

Yep, something in the way vulnerability-producer is doing purl inference is not accurate. We don't see the pkg:deb/debian/linux@11.0 purl on disk however, also there it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0. Still wrong, of course.

@MagielBruntink (Member)

With "-i none" the incorrect mapping for this CVE disappears, I tested this locally.
