fasten-project/vulnerability-producer

CVE-2020-0353 - Inconsistent PURL

Opened this issue · 2 comments

For CVE-2020-0353, there are two different invalid PURLs:
1. The statement file on FS: pkg:deb/debian/linux@11.0
2. In Postgres, it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0.

By looking at the CVE on the NVD website, it is related to Google's Android.
https://nvd.nist.gov/vuln/detail/CVE-2020-0353
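To make the inconsistency above concrete, here is an added example (not vulnerability-producer's own code) that splits the two reported PURLs into their package-url components and reports which identifying fields disagree; the `REPORTED_PURLS` mapping is constructed from the two strings in this report, and the parser follows the public purl-spec grammar `pkg:type/namespace/name@version?qualifiers#subpath`.

```python
from urllib.parse import unquote

# Constructed sample: the two PURLs this issue reports for CVE-2020-0353.
REPORTED_PURLS = {
    "statement file on FS": "pkg:deb/debian/linux@11.0",
    "postgres": "pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0",
}


def parse_purl(purl):
    """Split a package URL into its components following the purl-spec
    grammar: pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")  # leading slashes are insignificant

    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)

    qualifiers = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            if pair:
                key, _, value = pair.partition("=")
                qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)

    parts = rest.split("/")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError("package URL needs at least a type and a name: %r" % purl)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def purl_conflicts(purls):
    """Return the identifying fields (type, namespace, name) on which the
    given PURLs disagree. An empty set means every source points at the
    same package, even if the versions differ."""
    parsed = [parse_purl(p) for p in purls.values()]
    return {
        field
        for field in ("type", "namespace", "name")
        if len({p[field] for p in parsed}) > 1
    }


if __name__ == "__main__":
    for source, purl in REPORTED_PURLS.items():
        print(source, "->", parse_purl(purl))
    print("conflicting fields:", sorted(purl_conflicts(REPORTED_PURLS)))
```

For the two PURLs in this report every identifying field (type, namespace and name) differs, so the check flags them as describing different packages for the same CVE; the same function returns an empty set when two sources agree on the package and differ only in version.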

Yep, something in the way vulnerability-producer is doing purl inference is not accurate. We don't see the pkg:deb/debian/linux@11.0 purl on disk, however; there too it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0. Still wrong, of course.

With "-i none" the incorrect mapping for this CVE disappears, I tested this locally.