CVE-2020-0353 - Inconsistent PURL
Opened this issue · 2 comments
mir-am commented
For CVE-2020-0353, there are two different invalid PURLs:
1- The statement file on FS: pkg:deb/debian/linux@11.0
2- In Postgres, it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0.
By looking at the CVE on the NVD website, it is related to Google's Android.
https://nvd.nist.gov/vuln/detail/CVE-2020-0353
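The mismatch reported above is easy to miss when PURLs are stored as opaque strings, so here is an added example (not part of this issue or of vulnerability-producer) that parses PURLs into their components and flags a CVE whose records from different sources disagree on package type, namespace or name. The two PURLs for CVE-2020-0353 are taken from the report; the second record and the source labels "statement_file" and "postgres" are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified package-url grammar: pkg:TYPE/[NAMESPACE/]NAME[@VERSION]
# (qualifiers and subpath are intentionally rejected here to keep the check strict).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?$"
)


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(text: str) -> Purl:
    """Parse a PURL string; raise ValueError if it does not match the grammar."""
    m = PURL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a valid purl: {text!r}")
    return Purl(m["type"], m["namespace"], m["name"], m["version"])


# Fields that must agree for the same CVE across data sources.
IDENTITY_FIELDS = ("type", "namespace", "name")


def find_inconsistencies(records: dict[str, dict[str, str]]) -> list[dict]:
    """
    records maps CVE id -> {source label -> purl string}.
    Returns one finding per (cve, field) where the sources disagree.
    """
    findings = []
    for cve, by_source in records.items():
        parsed = {src: parse_purl(p) for src, p in by_source.items()}
        for field in IDENTITY_FIELDS:
            values = {src: getattr(p, field) for src, p in parsed.items()}
            if len(set(values.values())) > 1:
                findings.append({"cve": cve, "field": field, "values": values})
    return findings


# Constructed sample: the first entry reproduces the two PURLs from the report,
# the second is a made-up consistent record for contrast.
SAMPLE_RECORDS = {
    "CVE-2020-0353": {
        "statement_file": "pkg:deb/debian/linux@11.0",
        "postgres": "pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0",
    },
    "CVE-0000-0000": {  # placeholder id, constructed
        "statement_file": "pkg:maven/org.example/lib@1.2.3",
        "postgres": "pkg:maven/org.example/lib@1.2.3",
    },
}

if __name__ == "__main__":
    for f in find_inconsistencies(SAMPLE_RECORDS):
        print(f"{f['cve']}: {f['field']} differs across sources: {f['values']}")
```

Running the check over a dump of both stores gives a list of CVEs whose inference needs to be re-examined, rather than relying on noticing one wrong entry by hand.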
MagielBruntink commented
Yep, something in the way vulnerability-producer is doing purl inference is not accurate. We don't see the pkg:deb/debian/linux@11.0 purl on disk however, also there it is pkg:maven/org.bouncycastle/bcprov-jdk15on@11.0. Still wrong, of course.
MagielBruntink commented
With "-i none" the incorrect mapping for this CVE disappears, I tested this locally.