
fix(alpine): use NVD CPE version ranges to populate Introduced field#5586

Open
katzj wants to merge 1 commit into google:master from katzj:improve-alpine-matching-with-nvd-cpe

Conversation

@katzj commented Jun 30, 2026

Follow the pattern used by the Alpine security tracker to use data from NVD to be able to give some information on Introduced versions for vulnerabilities. This includes the same rewriting rules used there.

This avoids over-reporting: for example, CVE-2024-3094 should only show for xz 5.6.0 through 5.6.1-r2, not for earlier versions of xz.

Fixes #5199

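Added example (not the PR's code) of the derivation the description sketches: take the lowest version NVD marks vulnerable in its CPE match data for a package, pair it with Alpine's fixed version, and fall back to "0" (every version before the fix, i.e. the over-reporting behaviour) when NVD supplies no CPEs. The `CPEMatch` type, `AlpineRange`, `versionLess` and the `vendor:product` key are assumptions of this example; the Alpine tracker's rewriting rules are not reproduced.

```go
package main

import (
	"strconv"
	"strings"
)

// CPEMatch holds the fields of an NVD CVE API 2.0 "cpeMatch" entry used here.
type CPEMatch struct {
	Vulnerable            bool   `json:"vulnerable"`
	Criteria              string `json:"criteria"`
	VersionStartIncluding string `json:"versionStartIncluding"`
}

// versionLess orders dotted numeric versions segment by segment ("5.6.0" < "5.10.0").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x < y
		}
	}
	return len(as) < len(bs)
}

// AlpineRange pairs the Alpine fixed version with the lowest version NVD marks vulnerable
// for vendor:product (an exact CPE version or a versionStartIncluding bound). Without
// usable CPE data it falls back to "0", the over-reporting "everything before the fix".
func AlpineRange(matches []CPEMatch, vendorProduct, alpineFixed string) (introduced, fixed string) {
	introduced = "0"
	for _, m := range matches {
		f := strings.Split(m.Criteria, ":") // cpe:2.3:<part>:<vendor>:<product>:<version>:...
		if !m.Vulnerable || len(f) < 6 || f[3]+":"+f[4] != vendorProduct {
			continue
		}
		v := f[5]
		if v == "*" { // wildcard version: the lower bound lives in the range field
			v = m.VersionStartIncluding
		}
		if v != "" && (introduced == "0" || versionLess(v, introduced)) {
			introduced = v
		}
	}
	return introduced, alpineFixed
}
```

Feeding it the two exact-version xz CPEs and Alpine's fix 5.6.1-r2 yields the range 5.6.0 to 5.6.1-r2 from the description; a record with no CPEs for the product yields 0 to 5.6.1-r2.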
@jess-lowe (Contributor)

/gcbrun

@jess-lowe (Contributor)

Thanks for this! My two cents: This should be fine for most historical cases, but I am slightly concerned it may not work for future cases (due to NVD's recent decision to stop annotating CPEs to records unless explicitly asked). Still better than nothing though.

I'll run this locally and see if there are any unexpected consequences of this change.

@katzj (Author) commented Jul 2, 2026

> Thanks for this! My two cents: This should be fine for most historical cases, but I am slightly concerned it may not work for future cases (due to NVD's recent decision to stop annotating CPEs to records unless explicitly asked). Still better than nothing though.

Yeah. I can keep an eye on what Alpine does upstream to be able to follow suit with OSV, as it seems like they may struggle with the same. And it's part of what their tooling uses to know when to tell people to update.

> I'll run this locally and see if there are any unexpected consequences of this change.

Let me know if you see anything which needs improvements, and I'm happy to take a look.


Development

Successfully merging this pull request may close these issues.

Data quality issue with CVE-2024-3094