CVE-2019-2124 - Incorrect PURL mapping #119

Open
mir-am opened this issue Mar 14, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@mir-am
Contributor

mir-am commented Mar 14, 2022

CVE-2019-2124 affects Google Android but the PURL pkg:maven/org.bouncycastle/[email protected] is marked as vulnerable. This is an invalid mapping. There are currently quite a number of these issues in Postgres.

mir-am added the bug label Mar 14, 2022
@MagielBruntink
Member

Yep, I am seeing the same wrong mappings produced by vulnerability-producer.

@MagielBruntink
Member

I think that the PURL inference strategies are the problem here, also in #118
Try running the vulnerability-producer with the -i none flag to turn those off.

@mir-am
Contributor Author

mir-am commented Mar 14, 2022

> I think that the PURL inference strategies are the problem here, also in #118. Try running the vulnerability-producer with the -i none flag to turn those off.

Yes, this is related to the devised heuristics for PURL inference.
By turning off the flag -i, I think the tool won't infer PURLs.
I am currently investigating what we can possibly do to mitigate these false positives.
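
One way to catch mismatches like the one reported above, as an added example that is not the vulnerability-producer's own code: before accepting an inferred PURL for a CVE, cross-check its namespace and name against the vendor/product fields of the CVE's CPE entries and reject any PURL that shares no meaningful token with them. The CPE strings, the second PURL, and the bouncycastle version are constructed for illustration (the page elides the real version), and the stop-word list is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Constructed sample input (not from the tracker): CVE-2019-2124 is recorded
# against Google Android; these CPE strings are illustrative, not NVD's.
SAMPLE_CPES = [
    "cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*",
]
# Inferred PURLs as a producer might emit them. The bouncycastle version is a
# placeholder because the issue text elides it; the second PURL is made up.
SAMPLE_PURLS = [
    "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.60",
    "pkg:maven/com.google.android/android@4.1.1.4",
]


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Minimal package-url parser: pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    parts = [p for p in body.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl}")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return Purl(parts[0].lower(), namespace, unquote(parts[-1]), version)


def cpe_vendor_product(cpe: str) -> tuple[str, str]:
    """Vendor and product from a CPE 2.3 formatted string (assumes no escaped colons)."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[3].lower(), fields[4].lower()


# Assumed stop-words: tokens too generic to count as evidence that a PURL and a
# CPE describe the same software.
NOISE = {"org", "com", "net", "io", "jdk", "java", "lib", "api", "core"}


def tokens(*values: Optional[str]) -> set[str]:
    """Lower-cased alphanumeric tokens of at least three characters, minus noise and pure numbers."""
    out: set[str] = set()
    for v in values:
        if v:
            for t in re.split(r"[^a-z0-9]+", v.lower()):
                if len(t) >= 3 and t not in NOISE and not t.isdigit():
                    out.add(t)
    return out


def purl_supported_by_cpes(purl: str, cpes: list[str]) -> bool:
    """True if some CPE vendor/product shares a meaningful token with the PURL coordinates."""
    p = parse_purl(purl)
    purl_tokens = tokens(p.namespace, p.name)
    for cpe in cpes:
        vendor, product = cpe_vendor_product(cpe)
        if purl_tokens & tokens(vendor, product):
            return True
    return False


def filter_inferred_purls(cpes: list[str], purls: list[str]) -> tuple[list[str], list[str]]:
    """Split inferred PURLs into (kept, rejected) by the CPE cross-check."""
    kept: list[str] = []
    rejected: list[str] = []
    for purl in purls:
        (kept if purl_supported_by_cpes(purl, cpes) else rejected).append(purl)
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = filter_inferred_purls(SAMPLE_CPES, SAMPLE_PURLS)
    print("kept:", kept)
    print("rejected:", rejected)
```

Token overlap is a coarse filter: it rejects the Android-to-bouncycastle mapping from the report, but it will also reject legitimate mappings whose Maven coordinates share no token with the CPE naming (a renamed artifact, a vendor name that differs from the groupId), so treat a rejection as "needs review" rather than as ground truth, and keep the heuristic off entirely where a curated mapping exists.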
