openssl - ubuntu package - versions not matched correctly

[kmoens]

Current Behavior:

We have a cycloneDX BOM file, as generated by syft for our Docker containers. These Docker containers contain the OpenSSL library.

This is contained in the BOM file as follows:

    <component type="library">
      <publisher>Ubuntu Developers &lt;[email protected]&gt;</publisher>
      <name>openssl</name>
      <version>1.1.1f-1ubuntu2.4</version>
      <cpe>cpe:2.3:a:openssl:openssl:1.1.1f-1ubuntu2.4:*:*:*:*:*:*:*</cpe>
      <purl>pkg:deb/ubuntu/[email protected]?arch=amd64</purl>
      <properties>
        <property name="foundBy">dpkgdb-cataloger</property>
        <property name="type">deb</property>
        <property name="metadataType">DpkgMetadata</property>
        <property name="path">/var/lib/dpkg/status</property>
        <property name="layerID">sha256:5a1aaa0fc304f17de4904b251554ad1d18d210122a495f40a726418f101018ec</property>
        <property name="path">/var/lib/dpkg/info/openssl.md5sums</property>
        <property name="layerID">sha256:d0af6cd0417d041e4be905c5344ff2d88c58294fd7e1eba1fc19d8dba795e1d3</property>
        <property name="path">/var/lib/dpkg/info/openssl.conffiles</property>
        <property name="layerID">sha256:d0af6cd0417d041e4be905c5344ff2d88c58294fd7e1eba1fc19d8dba795e1d3</property>
        <property name="path">/usr/share/doc/libssl1.1/copyright</property>
        <property name="layerID">sha256:d0af6cd0417d041e4be905c5344ff2d88c58294fd7e1eba1fc19d8dba795e1d3</property>
        <property name="installedSize">1257</property>
      </properties>
    </component>

When this BOM is uploaded, we get a number of vulnerabilities reported, including CVE-2019-1543. This CVE is stated on NVD as:
"Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j).",

Similarly we found this info in the database as follows:

dtrack=# select "CPE23", "VERSION", "VERSIONENDEXCLUDING", "VERSIONENDINCLUDING", "VERSIONSTARTEXCLUDING", "VERSIONSTARTINCLUDING", "VULNERABLE" from "VULNERABLESOFTWARE" where "ID" in (select "VULNERABLESOFTWARE_ID" from "VULNERABLESOFTWARE_VULNERABILITIES" where "VULNERABILITY_ID" = 133548);
 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | *       |                     | 1.1.0j              |                       | 1.1.0                 | t
 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | *       |                     | 1.1.1b              |                       | 1.1.1                 | t

However, still dependency track reports that the OpenSSL 1.1.1f-1ubuntu2.4 is vulnerable against this CVE.
Judging from the info dependency track has, it should not mark this one as a vulnerability.

Steps to Reproduce:

• Upload a cycloneDX BOM, containing the fragment above towards dependency track.

OR:

• Use syft to generate a CycloneDX BOM of the Ubuntu Docker image and upload that one towards dependency track.

Expected Behavior:

• Dependency Track does not report this one as a vulnerability.

Environment:

• Dependency-Track Version: 4.3.6
• Distribution: Docker
• BOM Format & Version: XML & JSON v1.3
• Database Server: PostgreSQL
• Browser: Chrome

Additional Details:

After inspection of the code, I suspect that the ComponentVersion is the culprit here.

If it parses the version 1.1.1f it extracts [ '1', '1', '1f' ], while if we give it the version 1.1.1f-1ubuntu2.4 it will extract ['1', '1', '1', '1', 'ubuntu2', '10'] which is incorrect.

I have a dirty patch for parsing the ComponentVersion as follows, but I did not submit it as a merge request yet since I'm not sure if it handles all cases correctly:

    public final void parseVersion(String version) {
        // handle deb versions
        String theVersion = version.toLowerCase();

        final Pattern debrx = Pattern.compile("^([0-9]+:)?(.*)(-[^-]+ubuntu[^-]+)$");
        final Matcher debmatcher = debrx.matcher(theVersion);
        if (debmatcher.matches()) {
            theVersion = debmatcher.group(2);
        }

        versionParts = new ArrayList<>();
        if (version != null) {
            final Pattern rx = Pattern.compile("(\\d+[a-z]{1,3}$|[a-z]+\\d+|\\d+|(release|beta|alpha)$)");
            final Matcher matcher = rx.matcher(theVersion);
            while (matcher.find()) {
                versionParts.add(matcher.group());
            }
            if (versionParts.isEmpty()) {
                versionParts.add(version);
            }
        }
    }

[kmoens]

The complete fix, with unit test, is on my fork in a branch already:
https://github.com/kmoens/dependency-track/tree/bug/ubuntu-versions

I can create a merge request if wanted.

[stevespringett]

Thanks for the investigation work. Likely there will be many more cases, both debian and other distros, that will need to be accounted for over time. However, I think this is a good start.

I've incorporated your proposed change along with syncing with the upstream class it was originally derived from.

[mkozina-gk-software]

Hi,

I came to very similar issue related to SBom uploaded ubuntu docker image with openssl inside. Component details:

• openssl
• 1.1.1f-1ubuntu2.11
• pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-20.04
• cpe:2.3:a:openssl:openssl:1.1.1f-1ubuntu2.11:*:*:*:*:*:*:*

Dependency Track reports following vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-3711
In Dependency Track vulnerability description is:

Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

However Ubuntu has this issue already fixed: https://ubuntu.com/security/CVE-2021-3711

focal Released (1.1.1f-1ubuntu2.8)

It seems, that in Ubuntu LTS version pattern the vulnerability will be forever reported as existing (unless Ubuntu uses full new version of openssl higher than 1.1.1l). Or must be suppressed manually.

Is there any way, how to solve this systematically? Probably some feature for importing also some CVE/CPE lists for e.g. Ubuntu?

Thanks.

[stevespringett]

Theoretically, if DT supported Ubuntu Security Noticies (USN) directly, rather than relying on CPE, this would be solvable. Ubuntu provides an OVAL feed, which is designed to assess a system. However, the SBOM would already have the package information defined in it, so I think using their OVAL feed to evaluate Ubuntu packages should work.

https://security-metadata.canonical.com/oval/

RedHat also provides OVAL along with CSRF (possibly CSAF 2.0 in the future), so adding proper support for security advisories specific to Linux distros along with information about the vulnerable packages could work using only the coordinates and/or purl defined in the bom.

[mkozina-gk-software]

Hi @stevespringett,

thanks for comment. Your idea sounds well, I had something like this in mind. Maybe it is more standalone enhancement of feature rather than bug. Thanks for considering this.

[carlturnerfs]

Can we make this also work with Debian (as opposed to just Ubuntu) packages? For example, in the case of openssl above, you might have the version string 1.1.1n-0+deb11u3 to parse.

A very naive option might be to generalize the above regex to something like ^([0-9]+:)?(.*)(-[^-]+(ubuntu|deb)[^-]+)$, but there may be smarter options!

[muellerst-hg]

Good to find this issue, which also affects me. It's a show stopper for me auditing container images based on Debian and Alpine. Even correctly detected versions result in false positives, e.g. openssl 1.1.1n-0+deb11u3 has backported fixes for most CVEs which affect 1.1.1n, but dtrack lists them as unfixed vulnerabilities.

Maybe looking at how Grype solved this issue could help:

They integrate reports/sources from the most popular distro into their database: https://github.com/anchore/grype#grypes-database
There are particular version_constraints for each linux distribution/release. For any CVE id in their vulnerability table, they have corresponding entries for the distro/release and a flag if the issue is fixed

sqlite> .schema vulnerability
CREATE TABLE `vulnerability` (
`pk` integer,
`id` text,
`package_name` text,
`namespace` text,
`version_constraint` text,
`version_format` text,
`cpes` text DEFAULT null,
`related_vulnerabilities` text DEFAULT null,
`fixed_in_versions` text DEFAULT null,
`fix_state` text,
`advisories` text DEFAULT null,
PRIMARY KEY (`pk`)
);


sqlite> SELECT * FROM vulnerability WHERE id='CVE-2019-1543' AND namespace LIKE '%[ubuntu](ubuntu:19.04)%';
1503117|CVE-2019-1543|openssl|ubuntu:distro:ubuntu:19.04|< 1.1.1b-1ubuntu2.2|dpkg||[{"id":"CVE-2019-1543","namespace":"nvd:cpe"}]|["1.1.1b-1ubuntu2.2"]|fixed|

[muellerst-hg]

Ubuntu 22.04 with current ruby package (ruby 1:3.0~exp1) results in 32 open CVE. However, all those CVE have been fixed in 22.04.
The leading 1: in the version seems to confuse the version parser

[mulder999]

Can we make this also work with Debian (as opposed to just Ubuntu) packages? For example, in the case of openssl above, you might have the version string 1.1.1n-0+deb11u3 to parse.

A very naive option might be to generalize the above regex to something like ^([0-9]+:)?(.*)(-[^-]+(ubuntu|deb)[^-]+)$, but there may be smarter options!

Regarding Debian packages 1.1.1n-0+deb11u3 does not corresponds at all to upstream 1.1.1n, many additional patches have been applied as mentioned by @muellerst-hg.

No regexp can solve this. Unsure if there is any easy fix.
Some integration with debian security-tracker might be required...

[timosur]

This is unfortunatly still an issue for us. Any recommendations on how to handle it? We are currently marking those findings as false positives. But this task is very hard to do for all of those findings.

[calderonth]

I am also seeing the current regexp as missing lots of potential version matching.

An improved matching would be somethin along the lines of ^([0-9]+:)?([\d\.[a-z]+)(\+|\-)(\d$|git\w+|dfsg|\d(ubuntu|[+~](bpo|deb))).*$ which would better capture packages versions (but not match all options).

As for better correlation, I was hoping that using OSV for Debian/Ubuntu would surface more accurate results but I have yet to figure out if OSV works properly in DT for Debian purl components.

[Andre-85]

@calderonth : I filed a bug on OSV regarding fetching Ubuntu packages by purl (google/osv.dev#2842 , with also an example for a Debian purl and some others purl examples) which was fixed that week. So i can

 curl -d '{"package": {"purl": "pkg:deb/ubuntu/[email protected]~0.18.04.1"}}' https://api.osv.dev/v1/query

fetch the known CVE'S (CVE-2020-6097, CVE-2021-46671, CVE-2021-41054).
But i could not fetch these CVE's with a SBOM including this purl with DependencyTrack (see issue #4445).

Do you think using your enhanced version of your proposed regex (^([0-9]+:)?([\d.[a-z]+)(+|-)(\d$|git\w+|dfsg|\d(ubuntu|+~)).*$ , but I think this does not cover the ~0.18.04.1 portion) would solve this issue?
Sorry, i got quite limited Java skills but i could do a test with around ~1000 Debian/Ubuntu-Packages and for reference a test with around ~3000 npm Packages.
Since am an experienced Ubuntu/Developer, would meanwhile try to figure out which regex really matches all version numbers used by Ubuntu (since this should also cover all Debian versions)

[Andre-85]

Ok, I got already a script (based on python-apt) extracting all versions used by running Ubuntu distro:

#!/usr/bin/python3

import apt
import sys

cache = apt.Cache()

# Iterate through each package in the cache
for package in cache:
    print(package.name, file=sys.stderr)

    # Get all available versions of the package
    for version in package.versions:
        print(version.version)

In the attachment you will find the result for Ubuntu 22.04, with one version number per line for all packages. Based on that i try to find a regex matching them all.

ubuntu_versions.txt

[calderonth]

Nice thanks for looking into it. I am wonder if there's prior art in such version parsing in other projects/vulnerability scanners. I am a bit weary of regex for this as it might be brittle given there's a lot of leeway into how one can define package versions. It'd be nice not to reinvent the wheel and find something that's reliable with good unit test coverage maybe from other projects.

…

On Sat, 7 Dec 2024, 13:18 Andre-85, ***@***.***> wrote: Ok, I got already a script (based on python-apt) extracting all versions used by running Ubuntu distro: #!/usr/bin/python3 import apt import sys cache = apt.Cache() # Iterate through each package in the cache for package in cache: print(package.name, file=sys.stderr) # Get all available versions of the package for version in package.versions: print(version.version) In the attachment you will find the result for Ubuntu 22.04, with one version number per line for all packages. Based on that i try to find a regex matching them all. ubuntu_versions.txt <https://github.com/user-attachments/files/18048515/ubuntu_versions.txt> — Reply to this email directly, view it on GitHub <#1374 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAF3DVS3Q3JUJ7OEMZB33AT2ELYTPAVCNFSM6AAAAABRAJHXXCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMRVGEYTCMBQGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Andre-85]

Yes, you are right, reinventing the wheel does not make sense. Right now i got different implementations in mind which solve at least the version ordering problem already:

1. Google OSV
2. dpkg --compare-versions command. Link: https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/lib/dpkg/version.c?ref_type=heads#L66, https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/lib/dpkg/version.c?ref_type=heads#L81
3. man deb-version Link: https://man7.org/linux/man-pages/man7/deb-version.7.html

with both you can check if your version is in a version range. Tomorrow i will start looking how this is accomplished and what regexes can be deducted from these algoriths. Further i will look for other implementations, best with already a regex for version parsing in it.

[Andre-85]

I finally found a implementation with version ordering and regex:

1. Version ordering in perl bindings for dpkg: This is the same algorithm than in dpkg --compare-versions https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/scripts/Dpkg/Version.pm?ref_type=heads#L351, https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/scripts/Dpkg/Version.pm?ref_type=heads#L365
2. Coarse Spliting with regex in perl bindings for dpkg: Splits the Version number to epoch, version and revision. Sets the number before ':' to epoch if there else to 0, sets the string after epoch (or if not there to the beginning) to the '-' (or if not there to the send) as version and after '-' to revision if there else to 0. https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/scripts/Dpkg/Version.pm?ref_type=heads#L105
3. Further splitting of revision with regex in lintian (offical Debian package checker): https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Check/Fields/Version.pm?ref_type=heads

I think combining the regexes for 2. and 3. and compare them with the output of algorithm in 1. and test data from ubuntu_versions.txt should lead to a usable result.

I noticed that the regex used in lintian do not make any assumptions (except "ubuntu") about strings in the version number. I think this makes sense, because on a quick search in version numbers in ubuntu_versions.txt I found already 55 different strings (words_in_version_numbers.txt)

My plan would be:

1. develop a regex which splits (I think splitting at ':','.','-','+','~' should work, but i have to check) the version number in fields, perhaps skip epoch (Optional number before ':')
2. compare the fields one-by-one in the way the linux command sort -n does. Return result on difference. But I think this is already implemented, right?
3. if one version number is a prefix of the other, the longer version is later, except in the case the longer path starts with tilde (Tilde exception see man deb-version)

So overall this would be an algorithm for comparing versions like SEMVER (sematic version) but with more 'splitters' and the tilde exception

What to you think? Is this doable and does it fit in the current implementation?

[Andre-85]

After thinking a bit more about the algorithm i think i figured already out where the the problem with the openssl version 1.1.1f is.

If i understood right the compareTo function of the ComponentVersion class is used (Link:

dependency-track/src/main/java/org/dependencytrack/util/ComponentVersion.java

Line 248 in 69cd540

public int compareTo(ComponentVersion version) {

)
In this function each version part is first tried to convert to an integer. If the conversion was succesful an integer compare is done otherwise an string compare (I assume alphabetic ordering) is done.

I my last comment i wrote that the fields should be sorted in the way like sort -n does. This is true for the current algorithm in cases where the fields are either integers OR strings, but not combined integers and strings!

Simple string compare (this is what the algorithm and sort without -n (numeric sort option would do):

echo -e "1.100n.2\n1.2n.2" | sort 
1.100n.2
1.2n.2

Thats obviously wrong! Version 1.100n.2 is not older than 1.2n.2 We should do like sort -n does:

 echo -e "1.100n.2\n1.2n.2" | sort -n
1.2n.2
1.100n.2

That`s correct: Version 1.2n.2 is older than 1.100n.2

First idea which came to my mind was splitting the mixed (multiple integers and strings mixed ) fields further, so that they become a list of pure integer(s) and string(s) fields and let the algorithm run on that. What do you think?

[calderonth]

Hi there @Andre-85 ,

Thanks for looking into this.
It's quite possible that the combined integer and strings (multiple of a-z) is a legacy OpenSSL problem as most packages are likely to have moved towards semver. Also OpenSSL only has the letter as the trailing characters. So you could focus on that first?

Maybe the best way to deal with this is to compare digits first and if equal compare the converted hex value of the letters? (that would work for OpenSSL) but not sure it would necessarily apply to other packages (again not sure how broad an issue this is).

[Andre-85]

Hi @calderonth,
while doing research for the version parsing/comparison problem, i tried to form some theory about
it and i deducted from my theory the solution for the openssl version parsing problem (I will call it CURRENT+OPENSSL in the further text),
the ubuntu version parsing problem without the epoch (will call ECOSYSTEM:Ubuntu-epoch) and the semantic version parsing (will call SEMVER) problem (and perhaps some other more).
I could also categorize the current parsing algorithm of DependencyTrack (will call CURRENT) with it.

Looking a the formal definition of semantic version 2.0.0 on https://semver.org/), you can see that there are in fact three different types of separators which split the version string into fields:

1. Splitters which indicte that the following part is older than the prefix (will it call pre-splitter), see semver §11.3, the '-' splitter.
   General: <version><pre-splitter><extra> < <version>, Example: 1.0.0-release-candidate1 is older than 1.0.0
2. Splitters which indicate that the following part makes it later than the prefix (will call post-splitter), see semver §11.4.4, the '.' splitter
   General: <version><post-splitter><extra> > <version>, Example: 1.0.1 is later than 1.0
3. Splitters which indicate that the following part needs to be ignored (will it call ignore-splitter), see semver §10, the '+' splitter
   General: <version><ignore-splitter><extra> = <version>, Example: 1.0+build1 is the same 1.0

Thinking further about what the splitters are in different versioning schemes, i thought about my comment i did about spliting mixed integer+string fields further. I realized that there are not
only single character splitters like '-','.', etc, but also special splitters like switching from a digit to a non-digit (will call it later 1->A). In your case this would be switching from '1' to 'k'.
Also the other way around, i.e. switching from a non-digit to a digit (will call it A->1) defines a splitter. The 1->A and the A->1 ensures that the algorithm is compatible to semver §11.4.1 and §11.4.2.

So it total this leads to following summary:

Splitter-type	CURRENT	CURRENT+OPENSSL	SEMVER	ECOSYSTEM:Ubuntu-epoch
pre			'-'	'~'
post	'.'	'.',1->A	'.'	'.','+','-',1->A,A->1
ignore			'+'

based on this i will come up with an enhanced version parsing (for CURRENT+OPENSSL and ECOSYSTEM:Ubuntu-epoch) algorithm next days. Stay tuned!

[Andre-85]

I made progress. The implementation in ComponentVersion right now defines what characters are allowed in the version fields, while my theory about splitters is about which characters are now allowed in the fields. But for doing the Bugfix for the openssl version number we just need to apply the extra post-splitter 1->A (extra from CURRENT to CURRENT+OPENSSL) to every field definition.

The current code in https://github.com/DependencyTrack/dependency-track/blob/master/src/main/java/org/dependencytrack/util/ComponentVersion.java#L92 is:

final Pattern rx = Pattern.compile("(\\d+[a-z]{1,3}$|[a-z]{1,3}[_-]?\\d+|\\d+|(rc|release|snapshot|beta|alpha)$)",

So when i am splitting all or-ed fields with 1->A, i.e. when it changes from digit to non-digit and i remove the doublicated field definitions (here \d+) this results in:

final Pattern rx = Pattern.compile("([a-z]{1,3}$|[a-z]{1,3}[_-]?\\d+|\\d+|(rc|release|snapshot|beta|alpha)$)",

**This should fix your problem! ** I did not test it by my own, so it would be nice if you can test.

But by only splitting the whole version string without looking what type of splitter was in front of the field and always prefering longer version strings only post-splitters can be implemented. I will do a new algorithm in the following days which includes SEMVER and ECOSYSTEM:Ubuntu and will post as soon i got something ready.

Greetings and happy testing,
André

[nscuro]

IMO it would be best to not rely on a single regex to cover all cases. Versioning is simply too wild-west for that to work reliably.

Instead we should perform ecosystem-specific version comparison if possible (#2826). Here's an implementation of the Debian version comparison, which also works for Ubuntu: https://github.com/nscuro/versatile/blob/main/versatile-core/src/main/java/io/github/nscuro/versatile/version/DebianVersion.java

If a VulnerableSoftware record has a purl, we can match that with the appropriate comparison algorithm.

[stmllr]

Looks like at least Debian provides real data which serves to identify fixed/unfixed CVE for packages:
https://security-tracker.debian.org/tracker/data/json

This could make pattern matching much easier and less brittle.

Here's a snippet a for openssl package:

"openssl": {
  "CVE-2022-4450": {
    "description":"The function...",
    "scope":"local",
    "releases": {
      "bullseye": {
        "status":"resolved",
        "repositories": {
          "bookworm": "1.1.1w-0+deb11u1",
          "bookworm-security": "1.1.1w-0+deb11u2"
        },
        "fixed_version":"1.1.1n-0+deb11u4",
        "urgency":"not yet assigned"
      }
    }
  }
}

[Andre-85]

IMO it would be best to not rely on a single regex to cover all cases. Versioning is simply too wild-west for that to work reliably.

Instead we should perform ecosystem-specific version comparison if possible (#2826). Here's an implementation of the Debian version comparison, which also works for Ubuntu: https://github.com/nscuro/versatile/blob/main/versatile-core/src/main/java/io/github/nscuro/versatile/version/DebianVersion.java

If a VulnerableSoftware record has a purl, we can match that with the appropriate comparison algorithm.

@nscuro : Wow, you already did a lot! I was not aware that a sophisticated java library for version comparing exists and for some reason I did not discover issue #2826.
I think we got three options at this point:

1. Use nscuro/versatile as a library or merge it. Since I am a C++-Developer without experience on a big Java project i can only little help implementing, but I can test. On the first look i would say nscuro/versatile definitly solves more problems than it will create ;) . If I understood right this is the option you are planning to do? (refering Move to DependencyTrack GitHub organization nscuro/versatile#142)
2. Fix in current implementation for openssl only. The change will be small, but since it is in the path for the version compare of all ecosystems a multitude of test runs would be needed. All test runs will be void, if in near future option 1 is implemented. Since nscuro/versatile should have a lot of testing already (I assume), this is a lot of work for little improvement for a short amount of time.
3. Go further with my general implementation. This should work for semantic and debian versioning and would be more powerful than the current implementation. Problem is that I don't know right now if my general approach is valid for other ecosystems then one's using sematic versioning and debian versioning. So I think your concerns about a single regex are very valid. Also ComponentVersion needs to be made ecosystem specific, perhaps with defaulting to semantic version if the ecosystem can not be determined (thinking about CPE identifiers). Very intense testing would be needed.

I would be ok with all three options (but option 2 less than option 1 and option 3), which one you prefer? Or something else?

[Andre-85]

Looks like at least Debian provides real data which serves to identify fixed/unfixed CVE for packages: https://security-tracker.debian.org/tracker/data/json

This could make pattern matching much easier and less brittle.

Here's a snippet a for openssl package:

"openssl": {
  "CVE-2022-4450": {
    "description":"The function...",
    "scope":"local",
    "releases": {
      "bullseye": {
        "status":"resolved",
        "repositories": {
          "bookworm": "1.1.1w-0+deb11u1",
          "bookworm-security": "1.1.1w-0+deb11u2"
        },
        "fixed_version":"1.1.1n-0+deb11u4",
        "urgency":"not yet assigned"
      }
    }
  }
}

@stmllr : You got still the problem with version comparing here. As far as I know most JSON-fied CVEs hold only a range of version (for brevitiy i think), which the CVE is present but not all versions one-by-one which are affected. In the example given by you versions later then "1.1.1n-0+deb11u4" (content of "fixed_version") do not have the CVE-2022-4450, but older ones got. Now imagine that you installed Debian bookworm on a machine which can for what-ever reason not pull automatically updates from the internet (e.g. a embedded device, a IoT device, ...). The installation you did a while ago and in this point of time the latest version of openssl in bookworm was 1.1.1k-0+deb11u1 (don't know if this version really exists). After the installation is done you pull the SBOM from the device (e.g. with apt-sbom). Today DependencyTrack/ pulls that CVE-JSON snipped. Now the decission need to be made: Is 1.1.1k-0+deb11u1 older or newer than 1.1.1n-0+deb11u4? Is CVE-2022-4450 contained or not? And this is why we need version compare in any case...