Assume a link to be a "patch link" only if tagged as Patch by NVD #44
Currently VulnCode-DB assumes every link which passes the regex (vulncode-db/cfg.py, line 121 in e6c5008; vulncode-db/data/models/nvd.py, line 301 in e6c5008) is a patch link. In most cases this is correct, but there are cases where it fails to identify patch links correctly. For example, at https://www.vulncode-db.com/CVE-2018-7749 the patch link is identified as ronf/asyncssh@c161e26, but this link does not contain any example of "vulnerable code".

Such errors can be avoided if we add one more condition for a link to be considered a patch: check whether NVD tags the reference/link as "Patch". For CVE-2018-7749, NVD has rightly tagged it as "Third Party Advisory", NOT "Patch", at https://nvd.nist.gov/vuln/detail/CVE-2018-7749. If such errors don't occur at a considerable frequency, close this ticket.

Comments

Thanks, that's good to know! Unfortunately, the dependency https://github.com/kotakanbe/go-cve-dictionary/ we use to fetch and incorporate the NVD data seems to be unaware of Particularly, looking at: https://github.com/kotakanbe/go-cve-dictionary/blob/master/models/models.go#L257 you can see that the column for One approach would be to provide a pull request to modify the data models and to store the

@evonide Thanks for the research. For the PR solution to work, #41 should be done with. A quick fix would be to modify If this works for you, please assign me this ticket (and expect a PR soon :) ).

Sounds good, I'll get back once I've looked into resolving #41.

Hey Shivam, as promised I've updated

Unrelated to this, but I was wondering why there are migrations for the

Thanks and fully agreed, Shivam! I'll look into how to best resolve this soon.
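The check proposed in the issue, as an added example that is not vulncode-db's own code: a reference counts as a patch link only when it both matches the URL regex and carries NVD's "Patch" tag. The regex below is an assumed stand-in for the project's pattern in cfg.py (it accepts GitHub commit URLs), and the references are constructed to mirror the shape of the NVD JSON feed's `reference_data` entries; the asyncssh entry reflects what the issue reports NVD shows for CVE-2018-7749, the rest are invented.

```python
"""Select patch links by URL regex AND by NVD's own "Patch" tag.

Added example for the vulncode-db issue; not the project's code. The regex is
an assumed stand-in for the pattern in cfg.py, and SAMPLE_REFERENCES is a
constructed sample modelled on NVD JSON feed `reference_data` entries.
"""
import re
from typing import Iterable, List

# Assumed stand-in for the project's regex (not copied from cfg.py):
# a GitHub commit URL. Named groups let a caller pull out owner/repo/sha.
PATCH_LINK_RE = re.compile(
    r"^https?://github\.com/"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+)"
    r"/commit/(?P<sha>[0-9a-fA-F]{7,40})/?$"
)

# NVD tag for a reference that points at a fix (compared case-insensitively).
NVD_PATCH_TAG = "patch"

# URL form of the link the issue mentions (ronf/asyncssh@c161e26).
ASYNCSSH_URL = "https://github.com/ronf/asyncssh/commit/c161e26"
# Invented commit URL for a reference NVD did tag as Patch.
FIXED_URL = (
    "https://github.com/example-org/example-lib/commit/"
    "0123456789abcdef0123456789abcdef01234567"
)

# Constructed sample, modelled on NVD JSON feed `reference_data` entries.
# The asyncssh entry mirrors what the issue says NVD shows for CVE-2018-7749
# ("Third Party Advisory", not "Patch"); the other three are made up.
SAMPLE_REFERENCES = [
    {"url": ASYNCSSH_URL, "refsource": "MISC", "tags": ["Third Party Advisory"]},
    {"url": FIXED_URL, "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]},
    # Tagged Patch but not a commit URL: the regex still has to agree.
    {"url": "https://example.com/advisory/2019-001", "refsource": "MISC", "tags": ["Patch"]},
    # Commit-adjacent but neither a commit URL nor tagged Patch.
    {"url": "https://github.com/example-org/example-lib/issues/12", "refsource": "MISC",
     "tags": ["Issue Tracking"]},
]


def _tags(reference: dict) -> set:
    """Normalise NVD tags; older feed entries carry no 'tags' key at all."""
    return {t.strip().lower() for t in reference.get("tags") or []}


def regex_patch_links(references: Iterable[dict]) -> List[str]:
    """Current behaviour described in the issue: the regex alone decides."""
    return [r["url"] for r in references if PATCH_LINK_RE.match(r["url"])]


def nvd_tagged_patch_links(references: Iterable[dict]) -> List[str]:
    """Proposed behaviour: regex match AND NVD's 'Patch' tag are both required."""
    return [
        r["url"]
        for r in references
        if PATCH_LINK_RE.match(r["url"]) and NVD_PATCH_TAG in _tags(r)
    ]


def dropped_by_tag_check(references: Iterable[dict]) -> List[str]:
    """Links the regex accepts but NVD does not tag as Patch (the false positives)."""
    kept = set(nvd_tagged_patch_links(references))
    return sorted(u for u in regex_patch_links(references) if u not in kept)


if __name__ == "__main__":
    print("regex only      :", regex_patch_links(SAMPLE_REFERENCES))
    print("regex + NVD tag :", nvd_tagged_patch_links(SAMPLE_REFERENCES))
    print("dropped         :", dropped_by_tag_check(SAMPLE_REFERENCES))
```

The strict rule has a cost worth measuring before adopting it: a reference with no `tags` at all (older NVD entries) is treated as not-a-patch here, so real patch links that NVD never tagged are dropped along with the false positives like the asyncssh one. `dropped_by_tag_check` run over a full feed gives that number directly.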