Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

advisory discover: handle version streams correctly #405

Open
luhring opened this issue Sep 24, 2023 · 0 comments
Open

advisory discover: handle version streams correctly #405

luhring opened this issue Sep 24, 2023 · 0 comments
Labels
bug Something isn't working needs-triage applied to all new customer/user issues. Removed after triage occurs.

Comments

@luhring
Copy link
Member

luhring commented Sep 24, 2023

Today the wolfictl advisory discover command is looking up vulnerabilities for each package definition.

But since we have the concept of "version streams", we have have a group of multiple package definitions that refer to the same package, just different versions. In this case, we should not be issuing a request to NVD for each of these definitions (e.g. one search for go-1.19, one for go-1.20, etc.), both because the requests would be redundant, and because the version stream names are less likely to result in CPE matches (i.e. causing false negatives).

We should issue one request per "real software package" (i.e. the deduplication of a group of version streams), and then use version data for each version stream as we filter NVD's response data for relevant vulnerability matches.

@luhring luhring added bug Something isn't working needs-triage applied to all new customer/user issues. Removed after triage occurs. labels Sep 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working needs-triage applied to all new customer/user issues. Removed after triage occurs.
Projects
None yet
Development

No branches or pull requests

2 participants