
Debian VulnSrc does not properly handle Status for CVEs where a fix version has been set but the fixed package has not been released #380

Open
mpoindexter opened this issue Feb 12, 2024 · 1 comment

Comments

@mpoindexter (Contributor)

When the Debian metadata lists a fix version, the status is assumed to be "fixed", even if the package has not yet been released.

This is noticeable in CVE-2023-5981: https://security-tracker.debian.org/tracker/CVE-2023-5981 shows that the fix has not been released in "bullseye", but the Trivy DB shows fixed for this.

@wagde-orca

If trivy relies on this feed https://security-tracker.debian.org/tracker/data/json... it won't have these "fixed" issues...
This JSON feed has more accurate indications about the fixed versions.
I think trivy-db should use it instead of https://salsa.debian.org/security-tracker-team/security-tracker
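
The distinction both comments are drawing, as an added example (not trivy-db's code and not endorsed by the project): derive the per-release status from the tracker feed's explicit `status` field and only accept `fixed_version` as a shipped fix when that status is `resolved`. The struct shape follows the public feed at https://security-tracker.debian.org/tracker/data/json as I understand it; the `SampleFeed` JSON is constructed for the example, the version strings in it are made up rather than the tracker's real data for CVE-2023-5981, `CVE-EXAMPLE-0001` is a placeholder ID, and the treatment of `fixed_version: "0"` as "never affected" is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Verdict is the status a vulnerability database would record for one
// (source package, CVE, release) triple.
type Verdict string

const (
	VerdictFixed       Verdict = "fixed"        // fix is in the archive; fixed version is authoritative
	VerdictFixPending  Verdict = "fix_pending"  // a fix version is listed but the tracker still says "open"
	VerdictAffected    Verdict = "affected"     // open, no fix version known
	VerdictNotAffected Verdict = "not_affected" // release was never affected
	VerdictUnknown     Verdict = "unknown"      // any status this code does not recognise
)

// releaseEntry mirrors one release object in the tracker feed (assumed
// shape). Only the fields used here are declared; the rest are ignored.
type releaseEntry struct {
	Status       string `json:"status"`
	FixedVersion string `json:"fixed_version,omitempty"`
	Urgency      string `json:"urgency,omitempty"`
}

type cveEntry struct {
	Description string                  `json:"description,omitempty"`
	Releases    map[string]releaseEntry `json:"releases"`
}

// Feed is source package -> CVE ID -> per-release data.
type Feed map[string]map[string]cveEntry

// ParseFeed decodes the tracker JSON feed.
func ParseFeed(data []byte) (Feed, error) {
	var f Feed
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, fmt.Errorf("parse tracker feed: %w", err)
	}
	return f, nil
}

// Classify keys on the tracker's explicit "status" and trusts fixed_version
// only once that status is "resolved". A fixed version that appears while
// the status is still "open" is reported as pending, never as fixed, which
// is exactly the inference the issue reports as wrong.
func Classify(r releaseEntry) (Verdict, string) {
	switch r.Status {
	case "resolved":
		// Assumption: fixed_version "0" marks a release that was never affected.
		if r.FixedVersion == "0" {
			return VerdictNotAffected, ""
		}
		if r.FixedVersion == "" {
			return VerdictUnknown, ""
		}
		return VerdictFixed, r.FixedVersion
	case "open":
		if r.FixedVersion != "" {
			return VerdictFixPending, r.FixedVersion
		}
		return VerdictAffected, ""
	default:
		return VerdictUnknown, ""
	}
}

// Lookup returns the verdict for one triple; ok is false if the feed has no entry.
func (f Feed) Lookup(pkg, cve, release string) (v Verdict, fixedVersion string, ok bool) {
	r, found := f[pkg][cve].Releases[release] // reading a nil map is safe in Go
	if !found {
		return VerdictUnknown, "", false
	}
	v, fixedVersion = Classify(r)
	return v, fixedVersion, true
}

// SampleFeed is a constructed excerpt in the feed's shape; versions are made up.
const SampleFeed = `{
  "gnutls28": {
    "CVE-2023-5981": {
      "description": "constructed description",
      "releases": {
        "bullseye": {"status": "open", "urgency": "not yet assigned"},
        "bookworm": {"status": "resolved", "fixed_version": "3.7.9-2+deb12u1", "urgency": "not yet assigned"},
        "sid":      {"status": "resolved", "fixed_version": "3.8.2-1", "urgency": "not yet assigned"}
      }
    }
  },
  "examplepkg": {
    "CVE-EXAMPLE-0001": {
      "releases": {
        "bullseye": {"status": "resolved", "fixed_version": "0", "urgency": "unimportant"},
        "bookworm": {"status": "open", "fixed_version": "1.2.3-1", "urgency": "medium"}
      }
    }
  }
}`

func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	f, err := ParseFeed([]byte(SampleFeed))
	if err != nil {
		panic(err)
	}
	for _, pkg := range sortedKeys(f) {
		for _, cve := range sortedKeys(f[pkg]) {
			rels := f[pkg][cve].Releases
			for _, rel := range sortedKeys(rels) {
				v, ver := Classify(rels[rel])
				fmt.Printf("%-11s %-17s %-9s %-13s %s\n", pkg, cve, rel, v, ver)
			}
		}
	}
}
```

With this rule the constructed bullseye entry for CVE-2023-5981 comes out as `affected`, not `fixed`, because the tracker has not marked it `resolved`; a consumer that instead treats any known fix version as "fixed" would report the unreleased fix as shipped.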
