Glvd release note generator produces strange results for CVEs with multiple source packages

Looking at the generated Release Notes for 1443.20, it contains some unexpected things:

<img width="1008" alt="Image" src="https://github.com/user-attachments/assets/15d93ef6-4a4a-493f-9196-919070a10f26" />

The 'ruby3.1' package was not upgraded, but multiple CVEs are closed?
One explanation might be that those CVEs had been triaged, but this is not the case here.

Looking at the CVE details, we see that this CVE is matched to multiple source packages.

<img width="1687" alt="Image" src="https://github.com/user-attachments/assets/6f15869d-2718-4e06-98e6-3dc759cba8f7" />

This does not seem to happen often and is not a case that is part of our tests yet.

This CVE also appears here, but for a different reason:

<img width="1698" alt="Image" src="https://github.com/user-attachments/assets/e994657e-aa19-4604-9a0e-c1047c939435" />

Similar issue (no version upgrade) with multiple source packages again:

<img width="604" alt="Image" src="https://github.com/user-attachments/assets/a4556b18-edd2-428e-ba0a-e46b05a96241" />

<img width="1688" alt="Image" src="https://github.com/user-attachments/assets/f1177752-0c84-4911-a460-4cd0d9db8b16" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Glvd release note generator produces strange results for CVEs with multiple source packages #153

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Glvd release note generator produces strange results for CVEs with multiple source packages #153

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions