If a CPE search results in a match against a CPE that has target SW specified, then check the package type and/or language against the value to see if it has any known incompatibilities (e.g. python package language matching against a vulnerability with a CPE that has a target SW of nodejs is probably wrong, so the match should be filtered out).
It cannot be assumed that target SW is specified; if not specified this filtering should be skipped.
Also, there are some odd permutations that may indeed be valid, for example, a java package wrapping a javascript package. It may be entirely valid for the vulnerability to have a CPE for nodejs even if the package is a java type. This needs to be explored more: is this contrived, or is this case prevalent?
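One way to implement the target SW filter described above, as an added Go example that is not the project's own code: it splits a CPE 2.3 string on unescaped colons, treats `*` (ANY) and `-` (NA) as "not specified" so the filter is skipped, and drops a match only when the package type appears in an assumed deny-list. The `knownIncompatible` table and the CPE strings in the comments are assumptions, not values from the issue.

```go
package main

import "strings"

// splitCPE23 splits a CPE 2.3 string on unescaped colons; "\:" stays in its value.
func splitCPE23(cpe string) []string {
	var parts []string
	var cur strings.Builder
	for i := 0; i < len(cpe); i++ {
		c := cpe[i]
		if c == '\\' && i+1 < len(cpe) { // escaped character: copy both bytes
			cur.WriteByte(c)
			i++
			c = cpe[i]
		} else if c == ':' {
			parts = append(parts, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteByte(c)
	}
	return append(parts, cur.String())
}

// TargetSW returns the lower-cased target_sw (component 10 of a CPE 2.3 string),
// or "" when it is unspecified ("*" ANY, "-" NA) or the string is malformed.
func TargetSW(cpe string) string {
	p := splitCPE23(cpe)
	if len(p) != 13 || p[0] != "cpe" || p[1] != "2.3" || p[10] == "*" || p[10] == "-" {
		return ""
	}
	return strings.ToLower(p[10])
}

// knownIncompatible is an assumed deny-list (not the project's): target_sw values a
// package of the given type is never shipped for. Java is deliberately absent
// because a java package may legitimately wrap a node.js package.
var knownIncompatible = map[string]map[string]bool{
	"python": {"node.js": true, "nodejs": true, "ruby": true, "go": true},
	"npm":    {"python": true, "ruby": true, "go": true},
}

// KeepMatch reports whether a CPE match survives the target_sw filter: an
// unspecified target_sw or an unlisted package type keeps the match.
func KeepMatch(pkgType, cpe string) bool {
	t := TargetSW(cpe)
	return t == "" || !knownIncompatible[strings.ToLower(pkgType)][t]
}
```

A call such as `KeepMatch("python", "cpe:2.3:a:vendor:lib:1.0:*:*:*:*:node.js:*:*")` (constructed CPE) returns false, while the same CPE with `*` in the target_sw position keeps the match.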
Another thing which might potentially be useful (and should probably be configurable on individual ecosystem matcher level) could be if we find an NVD match and that CVE has a GHSA for another ecosystem (and the ecosystem we're matching for is supported by GitHub) we filter it out. Hopefully that makes sense but if not I can try and explain it better.