Description
There are cases when both the CVE-ID and the RHSA-ID contain info about the vulnerable package for the same CPE,
e.g. CVE-2024-45491 and RHSA-2024:6989 (see 1714).


Trivy already has logic to avoid this issue (trivy/pkg/detector/ospkg/redhat/redhat.go, lines 147 to 155 in 983ac15):

```go
// unpatched vulnerabilities
if adv.FixedVersion == "" {
	// Red Hat may contain several advisories for the same vulnerability (RHSA advisories).
	// To avoid overwriting the fixed version by mistake, we should skip unpatched vulnerabilities if they were added earlier
	if _, ok := uniqVulns[vulnID]; !ok {
		uniqVulns[vulnID] = vuln
	}
	continue
}
```
But it doesn't work if pkg.Version > fixedVersion from RHSA:

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---------|---------------|----------|--------|-------------------|---------------|-------|
| expat | CVE-2022-23990 | MEDIUM | | 2.2.5-16.el8_10 | | expat: integer overflow in the doProlog function (https://avd.aquasec.com/nvd/cve-2022-23990) |
Discussed in #8059
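To make the failure mode concrete, the following is an added example, not Trivy's own code: it reimplements the dedup loop described above over a constructed pair of entries for one vulnerability ID (the unpatched CVE-ID record and a hypothetical RHSA record with fixed version 2.2.5-10.el8; that version and the pairing are assumptions, not real advisory data). `detectBuggy` reproduces the current flow, where an RHSA entry whose fixed version is already met records nothing and therefore never suppresses the unpatched entry, in either arrival order. `detectPatchedAware` shows one way to close the gap: remember IDs an RHSA considers fixed at the installed version and drop or skip the unpatched record for them. `compareVersions` is a crude numeric stand-in for the RPM version comparison Trivy uses and is only meant to order the release numbers in this example.

```go
package main

import "fmt"

// Advisory: one Red Hat advisory entry as the dedup loop sees it. FixedVersion is
// empty for the "unpatched" CVE-ID record and set for an RHSA record.
type Advisory struct {
	VulnerabilityID string
	FixedVersion    string
}

// sign returns -1, 0 or 1 for x < y, x == y, x > y.
func sign(x, y int) int {
	if x < y {
		return -1
	} else if x > y {
		return 1
	}
	return 0
}

// numericSegments extracts every run of digits ("2.2.5-16.el8_10" -> 2 2 5 16 8 10).
func numericSegments(s string) []int {
	var out []int
	n, inDigits := 0, false
	for _, r := range s {
		if r >= '0' && r <= '9' {
			n, inDigits = n*10+int(r-'0'), true
		} else if inDigits {
			out, n, inDigits = append(out, n), 0, false
		}
	}
	if inDigits {
		out = append(out, n)
	}
	return out
}

// compareVersions orders versions by numeric segments. Assumption: a crude stand-in
// for rpmvercmp (no epoch, no alphabetic ordering), enough for the releases used here.
func compareVersions(a, b string) int {
	as, bs := numericSegments(a), numericSegments(b)
	for i := 0; i < len(as) && i < len(bs); i++ {
		if c := sign(as[i], bs[i]); c != 0 {
			return c
		}
	}
	return sign(len(as), len(bs))
}

// detectBuggy mirrors the flow in redhat.go and returns reported ID -> fixed version
// ("" when only the unpatched record survives, which is what the table shows).
// An unpatched entry is kept unless the ID was recorded earlier; a patched entry is
// recorded only when installed < fixed. When installed >= fixed nothing is recorded,
// so the unpatched entry survives whether it came before or after the RHSA entry.
func detectBuggy(installed string, advs []Advisory) map[string]string {
	uniq := map[string]string{}
	for _, adv := range advs {
		id := adv.VulnerabilityID
		if adv.FixedVersion == "" {
			if _, ok := uniq[id]; !ok {
				uniq[id] = ""
			}
			continue
		}
		if compareVersions(installed, adv.FixedVersion) < 0 {
			uniq[id] = adv.FixedVersion
		}
	}
	return uniq
}

// detectPatchedAware also remembers IDs an RHSA says are already fixed at this
// version and suppresses their unpatched entry, in whichever order the entries arrive.
func detectPatchedAware(installed string, advs []Advisory) map[string]string {
	uniq, alreadyFixed := map[string]string{}, map[string]bool{}
	for _, adv := range advs {
		id := adv.VulnerabilityID
		if adv.FixedVersion == "" {
			if _, ok := uniq[id]; !ok && !alreadyFixed[id] {
				uniq[id] = ""
			}
			continue
		}
		if compareVersions(installed, adv.FixedVersion) < 0 {
			uniq[id] = adv.FixedVersion
			continue
		}
		alreadyFixed[id] = true
		if fixed, ok := uniq[id]; ok && fixed == "" {
			delete(uniq, id) // drop the unpatched entry recorded before this RHSA
		}
	}
	return uniq
}

func main() {
	// Constructed input, not real advisory data: the CVE-ID record without a fix and
	// a hypothetical RHSA record that fixes expat in 2.2.5-10.el8.
	advs := []Advisory{{VulnerabilityID: "CVE-2022-23990"}, {VulnerabilityID: "CVE-2022-23990", FixedVersion: "2.2.5-10.el8"}}
	installed := "2.2.5-16.el8_10" // newer than the hypothetical fix
	fmt.Println("buggy:        ", detectBuggy(installed, advs))
	fmt.Println("patched-aware:", detectPatchedAware(installed, advs))
}
```

Running it prints the CVE with an empty fix version from the buggy flow and nothing from the patched-aware flow; swapping the two advisory entries gives the same result, which is why the existing "skip if added earlier" check alone cannot cover this case. Note that `detectPatchedAware` only deletes an unpatched record, never a patched one, so a second RHSA with a higher fixed version that the installed package does not meet is still reported.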