CVE-2020-0353 - Inconsistent PURL #118

Open
mir-am opened this issue Mar 11, 2022 · 2 comments
Comments

@mir-am
Contributor

mir-am commented Mar 11, 2022

For CVE-2020-0353, there are two different invalid PURLs:
1. The statement file on FS: pkg:deb/debian/linux@11.0
2. In Postgres, it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0.

Looking at the CVE on the NVD website, it is related to Google's Android.
https://nvd.nist.gov/vuln/detail/CVE-2020-0353

@mir-am mir-am changed the title CVE-2020-0353 - Invalid PURL mapping CVE-2020-0353 - Invalid PURL Mar 14, 2022
@mir-am mir-am changed the title CVE-2020-0353 - Invalid PURL CVE-2020-0353 - Inconsistent PURL Mar 14, 2022
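A small consistency check for the situation reported above, added here as an example and not code from the vulnerability-producer project. It parses each purl following the purl spec layout (pkg:type/namespace/name@version?qualifiers#subpath) and lists the components on which the purls recorded for one CVE disagree. The two purls are the ones quoted in the report; the source labels ("statement file", "postgres") and the function names are my own.

```python
"""Parse package URLs (purls) and report where a CVE's recorded purls disagree.

Added example, not part of the issue or the project. The purl layout follows the
purl spec: pkg:type/namespace/name@version?qualifiers#subpath.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a purl string into its components per the purl spec."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")

    # Subpath comes after the first '#'; '.' and '..' segments are dropped.
    subpath = None
    if "#" in rest:
        rest, raw_subpath = rest.split("#", 1)
        segments = [unquote(s) for s in raw_subpath.strip("/").split("/")]
        subpath = "/".join(s for s in segments if s not in ("", ".", "..")) or None

    # Qualifiers come after the first '?'; keys are case-insensitive.
    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, raw_qualifiers = rest.split("?", 1)
        for key, value in parse_qsl(raw_qualifiers, keep_blank_values=False):
            qualifiers[key.lower()] = value

    # Version is everything after the last '@' (scoped npm names encode '@' as %40).
    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version) or None

    if "/" not in rest:
        raise ValueError(f"purl has no name: {purl!r}")
    ptype, remainder = rest.split("/", 1)
    parts = [unquote(p) for p in remainder.strip("/").split("/") if p]
    if not parts:
        raise ValueError(f"purl has no name: {purl!r}")
    return Purl(
        type=ptype.lower(),
        namespace="/".join(parts[:-1]) or None,
        name=parts[-1],
        version=version,
        qualifiers=qualifiers,
        subpath=subpath,
    )


def purl_disagreements(purls: Iterable[str]) -> Dict[str, List[str]]:
    """Return {component: sorted distinct values} for every component on which
    the given purls disagree. An empty dict means they describe the same package
    and version (qualifiers and subpath are deliberately ignored)."""
    parsed = [parse_purl(p) for p in purls]
    disagreements: Dict[str, List[str]] = {}
    for component in ("type", "namespace", "name", "version"):
        values = {getattr(p, component) for p in parsed}
        if len(values) > 1:
            disagreements[component] = sorted(v or "" for v in values)
    return disagreements


if __name__ == "__main__":
    # The two purls quoted in the issue for CVE-2020-0353; source labels are mine.
    recorded = {
        "statement file": "pkg:deb/debian/linux@11.0",
        "postgres": "pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0",
    }
    for component, values in purl_disagreements(recorded.values()).items():
        print(f"CVE-2020-0353 purls disagree on {component}: {values}")
```

Run against the two purls from the report, the check flags type, namespace and name as disagreeing while the version (11.0) agrees, which is exactly the kind of mismatch a producer can refuse to emit or at least log before it lands in two stores.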
@MagielBruntink
Member

Yep, something in the way vulnerability-producer is doing purl inference is not accurate. We don't see the pkg:deb/debian/linux@11.0 purl on disk, however; there too it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0. Still wrong, of course.

@MagielBruntink
Member

With "-i none" the incorrect mapping for this CVE disappears, I tested this locally.
