fix(alpine): use NVD CPE version ranges to populate Introduced field #5586
katzj wants to merge 1 commit into
Follow the pattern used by the Alpine security tracker to use data from NVD to be able to give some information on Introduced versions for vulnerabilities. This includes the same rewriting rules used there. This avoids over-reporting; for example, CVE-2024-3094 should only show for xz 5.6.0 through 5.6.1-r2, not for earlier versions of xz.
/gcbrun
Thanks for this! My two cents: This should be fine for most historical cases, but I am slightly concerned it may not work for future cases (due to NVD's recent decision to stop annotating CPEs to records unless explicitly asked). Still better than nothing though. I'll run this locally and see if there are any unexpected consequences of this change.
Yeah. I can keep an eye on what Alpine does upstream to be able to follow suit with OSV, as it seems like they may struggle with the same. And it's part of what their tooling uses to know when to tell people to update.
Let me know if you see anything which needs improvements and I'm happy to take a look.
Follow the pattern used by the Alpine security tracker to use data from NVD to be able to give some information on Introduced versions for vulnerabilities. This includes the same rewriting rules used there.
This avoids over-reporting; for example, CVE-2024-3094 should only show for xz 5.6.0 through 5.6.1-r2, not for earlier versions of xz.
Fixes #5199
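The mapping the PR describes, as an added example that is not osv.dev's or the Alpine security tracker's code: the Introduced version is taken from NVD CVE API 2.0 `cpeMatch` entries (`vulnerable`, `criteria`, `versionStartIncluding`), the Fixed version comes from the Alpine secfixes entry, and package versions are then checked against the resulting range. The sample NVD data, the assumed fix version `5.6.1-r2`, and the version-parsing rules are constructed assumptions.

```python
import re
from typing import Optional

def version_key(version: str) -> tuple:
    """Sort key for an Alpine package version such as '5.6.1-r2'."""
    # Assumption: dotted numeric upstream part plus an optional '-rN' package
    # revision; pre-release suffixes are not handled in this example.
    m = re.fullmatch(r"(.*?)(?:-r(\d+))?", version)
    upstream = tuple(int(p) if p.isdigit() else 0 for p in m.group(1).split("."))
    return (upstream, int(m.group(2) or 0))

def introduced_from_match(match: dict) -> Optional[str]:
    """Lowest affected upstream version described by one NVD cpeMatch, or None."""
    if not match.get("vulnerable", True):
        return None  # platform/OS entries are not the vulnerable product
    if "versionStartIncluding" in match:
        return match["versionStartIncluding"]
    pinned = match["criteria"].split(":")[5]  # version field of a CPE 2.3 name
    if pinned not in ("*", "-"):
        return pinned  # a single pinned version starts its own range
    # Unbounded start, or versionStartExcluding (OSV has no "after X" event):
    # fall back to "0" so the CVE is over-reported rather than missed.
    return "0"

def affected_range(matches: list[dict], fixed: str) -> dict:
    """OSV-style {introduced, fixed}: earliest NVD start, Alpine secfixes fix."""
    starts = [s for s in map(introduced_from_match, matches) if s is not None]
    introduced = "0" if not starts or "0" in starts else min(starts, key=version_key)
    return {"introduced": introduced, "fixed": fixed}

def is_affected(version: str, rng: dict) -> bool:
    """True when introduced <= version < fixed under Alpine version ordering."""
    v = version_key(version)
    return version_key(rng["introduced"]) <= v < version_key(rng["fixed"])

# Constructed stand-in for NVD's cpeMatch list for CVE-2024-3094 (xz 5.6.0 and 5.6.1).
SAMPLE_MATCHES = [
    {"vulnerable": True, "criteria": "cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*"},
    {"vulnerable": False, "criteria": "cpe:2.3:o:alpinelinux:alpine_linux:-:*:*:*:*:*:*:*"},
]
XZ_RANGE = affected_range(SAMPLE_MATCHES, fixed="5.6.1-r2")  # fix version assumed

if __name__ == "__main__":
    for v in ("5.4.6-r0", "5.6.0-r0", "5.6.1-r1", "5.6.1-r2"):
        print(v, "affected" if is_affected(v, XZ_RANGE) else "not affected")
```

Without the NVD-derived Introduced event the range would start at "0" and 5.4.6-r0 would be reported as affected, which is the over-reporting the PR is fixing.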