advisory discover: handle version streams correctly #405
Labels
bug
Something isn't working
needs-triage
applied to all new customer/user issues. Removed after triage occurs.
Comments
luhring
added
bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Today the
wolfictl advisory discovercommand is looking up vulnerabilities for each package definition.But since we have the concept of "version streams", we have have a group of multiple package definitions that refer to the same package, just different versions. In this case, we should not be issuing a request to NVD for each of these definitions (e.g. one search for
go-1.19, one forgo-1.20, etc.), both because the requests would be redundant, and because the version stream names are less likely to result in CPE matches (i.e. causing false negatives).We should issue one request per "real software package" (i.e. the deduplication of a group of version streams), and then use version data for each version stream as we filter NVD's response data for relevant vulnerability matches.
The text was updated successfully, but these errors were encountered: