
Visibility of curl CVEs without Git ranges

Open jess-lowe opened this issue 2 years ago • 4 comments

Some of the older curl vulnerabilities have nothing to distinguish their 'package' or ecosystem, so they aren't being categorized and therefore aren't shown on osv.dev. Despite CVE-2016-8616 existing in the datastore, it is not visible on the website.

[screenshot]

Possible fixes could include some sort of "reverse git enumeration" where we look up commits from tags (instead of the tags from commits we currently do)

jess-lowe avatar Jan 21 '24 23:01 jess-lowe

Also need to change:

[screenshot]

This can be done in the vulnerability.html file.

jess-lowe avatar Jan 24 '24 02:01 jess-lowe

> Despite CVE-2016-8616 existing in datastore, it is not visible on the website.

So I've got a better understanding of what's necessary for future reference:

Some of these Curl records have both a SEMVER range and a GIT range, and some don't:

$ GET https://api.osv.dev/v1/vulns/CURL-CVE-2016-8615 | jq '.affected[] | {affected: .ranges}'
{
  "affected": [
    {
      "type": "SEMVER",
      "events": [
        {
          "introduced": "4.9"
        },
        {
          "fixed": "7.51.0"
        }
      ]
    },
    {
      "type": "GIT",
      "repo": "https://github.com/curl/curl.git",
      "events": [
        {
          "introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"
        },
        {
          "fixed": "cff89bc088b7884098ea0c5378bbda3d49c437bc"
        }
      ]
    }
  ]
}
$ GET https://api.osv.dev/v1/vulns/CURL-CVE-2016-8616 | jq '.affected[] | {affected: .ranges}'
{
  "affected": [
    {
      "type": "SEMVER",
      "events": [
        {
          "introduced": "7.7"
        },
        {
          "fixed": "7.51.0"
        }
      ]
    }
  ]
}

If I'm understanding correctly, the ones without a GIT range are:

a) missing from whatever list was screenshotted (@jess-lowe how did you get that list?)
b) getting misrepresented on the individual vulnerability page (because they're lacking an affected[].package?)

Getting the vulnerability page just right for a number of edge cases has proven to be a bit of a gnarly problem...

andrewpollock avatar Feb 07 '24 00:02 andrewpollock
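The two API responses above differ only in whether a GIT range is present. The following is an added example, not osv.dev code and not written by anyone in this thread: it takes OSV records shaped like the two quoted responses (the `affected[].ranges` arrays are copied from them; everything else in the sample records is constructed), reports which records lack a GIT range or an `affected[].package`, evaluates a version against a SEMVER range, and sketches the "reverse git enumeration" idea from the opening comment by resolving SEMVER events to commits through a tag lookup. The `curl-X_Y_Z` tag naming, the `FAKE_TAG_COMMITS` table and all function names are assumptions for illustration; in real use the table would come from `git rev-parse <tag>^{commit}` over a clone of the repo.

```python
"""Triage OSV records by range type and derive a GIT range from a SEMVER range.

Added example, not osv.dev project code. Sample records are constructed from the
two API responses quoted in the thread; tag->commit data is fake.
"""
from typing import Dict, List, Optional, Tuple

CURL_REPO = "https://github.com/curl/curl.git"

# Constructed sample records: 'ranges' copied from the quoted API output.
CURL_CVE_2016_8615 = {
    "id": "CURL-CVE-2016-8615",
    "affected": [{"ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "4.9"}, {"fixed": "7.51.0"}]},
        {"type": "GIT", "repo": CURL_REPO,
         "events": [{"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
                    {"fixed": "cff89bc088b7884098ea0c5378bbda3d49c437bc"}]},
    ]}],
}
CURL_CVE_2016_8616 = {
    "id": "CURL-CVE-2016-8616",
    "affected": [{"ranges": [
        {"type": "SEMVER",
         "events": [{"introduced": "7.7"}, {"fixed": "7.51.0"}]},
    ]}],
}

# Fake 40-hex commit ids keyed by tag; stands in for `git rev-parse <tag>^{commit}`.
FAKE_TAG_COMMITS = {
    "curl-7_7": "a" * 40,
    "curl-7_51_0": "b" * 40,
}


def range_types(vuln: dict) -> Dict[str, bool]:
    """Report which range types exist and whether any affected[] entry names a package."""
    found = {"SEMVER": False, "GIT": False, "package": False}
    for aff in vuln.get("affected", []):
        if "package" in aff:
            found["package"] = True
        for rng in aff.get("ranges", []):
            if rng.get("type") in found:
                found[rng["type"]] = True
    return found


def missing_git_range(vulns: List[dict]) -> List[str]:
    """IDs of records that carry no GIT range at all (the cases this issue is about)."""
    return [v["id"] for v in vulns if not range_types(v)["GIT"]]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare correctly as int tuples ("7.7" < "7.51.0")."""
    return tuple(int(part) for part in version.split("."))


def version_affected(semver_range: dict, version: str) -> bool:
    """Evaluate introduced/fixed/last_affected events in version order against one version."""
    target = parse_version(version)
    events = sorted(semver_range["events"],
                    key=lambda ev: parse_version(next(iter(ev.values()))))
    affected = False
    for ev in events:
        kind, ver = next(iter(ev.items()))
        if parse_version(ver) > target:
            break  # later events cannot change the status of an earlier version
        # 'introduced' opens a window, 'fixed' closes it, 'last_affected' closes it after itself
        affected = kind == "introduced" or (kind == "last_affected" and parse_version(ver) == target)
    return affected


def curl_tag_for_version(version: str) -> str:
    """Assumed curl release tag convention: 7.51.0 -> curl-7_51_0."""
    return "curl-" + version.replace(".", "_")


def semver_to_git_range(semver_range: dict, repo: str,
                        tag_to_commit: Dict[str, str]) -> Optional[dict]:
    """Reverse enumeration: map each SEMVER event to the commit its release tag points at.

    Returns None when any version has no tag, which leaves the record without a GIT
    range, the failure mode seen for CURL-CVE-2016-8616. Note the result approximates
    'introduced'/'fixed' with release commits, not the actual introducing/fixing commits.
    """
    events = []
    for ev in semver_range["events"]:
        kind, ver = next(iter(ev.items()))
        commit = tag_to_commit.get(curl_tag_for_version(ver))
        if commit is None:
            return None
        events.append({kind: commit})
    return {"type": "GIT", "repo": repo, "events": events}


if __name__ == "__main__":
    records = [CURL_CVE_2016_8615, CURL_CVE_2016_8616]
    print("no GIT range:", missing_git_range(records))
    semver = CURL_CVE_2016_8616["affected"][0]["ranges"][0]
    print("7.50.3 affected by 8616:", version_affected(semver, "7.50.3"))
    print("derived GIT range:", semver_to_git_range(semver, CURL_REPO, FAKE_TAG_COMMITS))
```

Running it offline lists `CURL-CVE-2016-8616` as the record without a GIT range and shows that the derived range only exists while every version in the SEMVER events resolves to a tag; drop `curl-7_7` from the lookup table and the function returns `None`, which is exactly the state the record is in on osv.dev today.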

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 20 '24 18:07 github-actions[bot]