-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential Data Discrepancy in CVE Listings #4860
Comments
Hi @leoambrus, I reviewed a sample of 25 of the advisories listed in https://github.com/leoambrus/artefactswithoutCVEonGitHubAdvisoryDatabase/blob/main/README.md to see what might have happened. The very short answer is that only one advisory can have a CVE ID attached to it, and sometimes more than one advisory discusses the same CVE. What I found is:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While conducting a deeper analysis of your repository to compare it with the NVD (National Vulnerability Database) in terms of usability and available information, with the goal of making life easier for security researchers, I discovered 2,249 artifacts that lacked CVE names. Upon focusing on these, I found that 99 of them were indeed listed in the NVD, which made it odd that the CVE identifiers were not explicitly present in the JSON files. I then examined the references and noticed that these artifacts contained links to the NVD, where their respective CVEs were listed.
I wanted to bring this potential discrepancy to your attention, as these artifacts do have associated CVEs, which are documented in the attached file along with their corresponding NVD links. This might indicate a possible issue in the database that could benefit from further review.
Here are the names of the files along with the names of the CVE's mentioned in them and their links to the nvd which is where I got the CVE's from:
https://github.com/leoambrus/artefactswithoutCVEonGitHubAdvisoryDatabase/blob/main/README.md
The text was updated successfully, but these errors were encountered: