bug: zlib with known vulnerabilities is showing in "products with no identified vulnerabilities " section #3169
Comments
So first, this sounds like a bug. Something that has vulnerabilities shouldn't appear in that section. I'm guessing we might have introduced something when we updated what's supposed to go in the blank reports? But anyhow, I'm going to tag this as a bug that needs investigation and fixing. More generally: the "Products with no identified vulnerabilities" section is intended to give people a more complete picture of what was scanned. Otherwise, when you get a scan that says no vulnerabilities were found, it would be hard to distinguish between a few possibilities:
So the idea is to tell people exactly what components were found (even if they had no CVEs!) so you can make sure that it's case 1, and if it's one of the other cases it will hopefully give you enough information to fix the scan or file a bug. I'm not sure if the right fix for your zlib issue is "make sure things with CVEs don't appear in that section" or "change the name of the section to indicate that it's showing a complete list of what's scanned" (a full list works just as well for those cases above as a list with the vulnerable components removed), but we should figure that out.
The issue is raised because zlib has two CPE IDs in the NVD NIST database:
Currently, cve-bin-tool will return
Perhaps the name of the section could be changed, or a note could be added to better explain those corner cases. Another option would be to better handle products with multiple CPE IDs (e.g. zlib, but also acpid, apcupsd, asterisk, etc.) inside cve-bin-tool, but this is not easy.
Currently, cve-bin-tool will return gnu:zlib in "Products with No Identified Vulnerabilities" if zlib is found but not affected by CVE-2016-9842 (i.e. zlib >= 1.2.9) because the NVD NIST database contains two CPE IDs for zlib (gnu:zlib and zlib:zlib).

With this update, products with multiple vendors will not be displayed under the above section if a CVE is found for one of the vendors.

Fix intel#3169

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
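A small Python illustration of the reporting logic the commit message above describes: a scanner that matches both of zlib's CPE vendors, a CVE recorded under only one of them, and the grouping that keeps the product out of the "no identified vulnerabilities" list when any vendor alias has a CVE. This is an added example, not cve-bin-tool's code; the `report` function, the `CVE_RANGES` table, the toy version comparison and the `example:libfoo` product are all constructed for the example. The grouping is by product name and version rather than anything zlib-specific, so it applies equally to the other multi-CPE products mentioned in the thread.

```python
# Added illustration, not cve-bin-tool's code: how a product with two CPE vendors
# (gnu:zlib and zlib:zlib) can land in "Products with No Identified Vulnerabilities"
# even though a CVE matched the other vendor alias, and the grouping that fixes it.
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (vendor, product, version)


def parse_version(version: str) -> Tuple[int, ...]:
    """Toy dotted-version comparison; good enough for 1.2.8 vs 1.2.9."""
    return tuple(int(part) for part in version.split("."))


# Constructed subset of NVD range data keyed by (vendor, product) -> [(cve, fixed_in)].
# CVE-2016-9842 affects zlib before 1.2.9 and is recorded under zlib:zlib only;
# the gnu:zlib CPE carries no range data here (assumption for the example).
CVE_RANGES: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("zlib", "zlib"): [("CVE-2016-9842", "1.2.9")],
}


def cves_for(vendor: str, product: str, version: str) -> List[str]:
    """Return the CVE ids whose affected range covers this exact CPE triple."""
    return [
        cve
        for cve, fixed_in in CVE_RANGES.get((vendor, product), [])
        if parse_version(version) < parse_version(fixed_in)
    ]


def report(scan_results: List[Entry], group_vendor_aliases: bool):
    """Split scanner matches into a CVE table and a no-vulnerabilities list.

    group_vendor_aliases=False reproduces the per-CPE behaviour the issue
    reports; True applies the fix: an entry is dropped from the no-vulns list
    when the same product and version has a CVE under any other vendor.
    """
    cve_table: Dict[Entry, List[str]] = {}
    no_vulns: List[Entry] = []
    for vendor, product, version in scan_results:
        found = cves_for(vendor, product, version)
        if found:
            cve_table[(vendor, product, version)] = found
        else:
            no_vulns.append((vendor, product, version))

    if group_vendor_aliases:
        vulnerable = {(product, version) for _, product, version in cve_table}
        no_vulns = [e for e in no_vulns if (e[1], e[2]) not in vulnerable]
    return cve_table, no_vulns


# Constructed scan output: both zlib CPEs matched at a version CVE-2016-9842 covers,
# plus a constructed single-vendor product that has no CVE in the toy database.
SCAN_OLD_ZLIB: List[Entry] = [
    ("gnu", "zlib", "1.2.8"),
    ("zlib", "zlib", "1.2.8"),
    ("example", "libfoo", "2.0"),
]

# Same scan with zlib at or above the fixed version: neither alias matches a CVE,
# so both legitimately belong in the no-vulns section.
SCAN_NEW_ZLIB: List[Entry] = [
    ("gnu", "zlib", "1.2.12"),
    ("zlib", "zlib", "1.2.12"),
]

if __name__ == "__main__":
    for label, grouped in (("before fix", False), ("after fix", True)):
        table, clean = report(SCAN_OLD_ZLIB, group_vendor_aliases=grouped)
        print(label, "CVE table:", table)
        print(label, "no identified vulnerabilities:", clean)
```

Running it shows gnu:zlib 1.2.8 in the no-vulnerabilities list before the fix, alongside zlib:zlib 1.2.8 in the CVE table, and only the unrelated single-vendor product after the fix.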
When I used this tool to test curl-i386 from https://github.com/moparisthebest/static-curl/releases/tag/v8.1.2, in the console report I could see that there were some CVEs in zlib with version 1.2.12.
But when I looked into "Products with No Identified Vulnerabilities", zlib with version 1.2.12 was there. So I am confused: what's the purpose of the "Products with No Identified Vulnerabilities" part? Why was zlib with CVEs listed there?