Importers without a vulnerable package list

[Hritik14]

#436 deprecates the concept of fixed_package and now only the vulnerable packages are entered into the database. Many data sources do not provide with a list of vulnerable packages and only provide a fixed version.
Currently affected importers:

• suse_backports

Future affected importers:

• Mozilla
• Mattermost (For advisories before 2020-01-08)

We cannot simply ignore these data sources. One approach would be to flag all the versions before the provided fixed version as vulnerable and enter those in the database. The meaning of only a fixed version could further be clarified at the data source's end.
This needs to be further discussed.

[pombredanne]

#436 deprecates the concept of fixed_package and now only the vulnerable packages are entered into the database. Many data sources do not provide with a list of vulnerable packages and only provide a fixed version.

Are you sure this is deprecating this ?

[pombredanne]

@Hritik14 so yes indeed #436 did deprecate the concept of fixed_package and now only the vulnerable packages are entered into the database. And in hindsight this is a problem and we need to revisit this ASAP.

[pombredanne]

See #140 (comment)

[pombredanne]

As an example when I look at https://github.com/mozilla/foundation-security-advisories/blob/c5f33af98294e441311fa9ec904001b09934af73/announce/2021/mfsa2021-27.yml#L4 we have a fixed package. We should support these with no impacted packages alright too.
Eventually this means all previous versions and that's confirmed with the range of CPEs in https://nvd.nist.gov/vuln/detail/CVE-2021-29968#range-6743855