nix-community / vulnix

Vulnerability (CVE) scanner for Nix/NixOS.

Whitelist: incorrect version matching

frlan opened this issue · comments

Before:

 $ vulnix -w whitelist.yaml --system
…
========================================================================
bundler-1.10.5

CVEs:
	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7954

========================================================================
bundler-1.8.9

CVEs:
	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7954

========================================================================
…

But when inserting an 'inprogress' entry for bundler,

…
-
    name: bundler
    version: '1.10.5'
    cve:
        - CVE-2016-7954
    status: 'inprogress'
    comment: |
        Will be fixed soon
-
…

both versions are getting marked as work in progress.

========================================================================
bundler-1.10.5*

CVEs:
	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7954

========================================================================
bundler-1.8.9*

CVEs:
	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7954

========================================================================

Even though this makes sense in this case as both are affected by the issue, it's kind of surprising behavior.
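The behaviour the report expects, as an added example that is not vulnix's own code: a whitelist lookup that honours the entry's `version` field, so the 'inprogress' entry for bundler 1.10.5 marks only bundler-1.10.5 and leaves bundler-1.8.9 unmarked. The whitelist is embedded as a Python literal mirroring the YAML above; that an entry without a `version` applies to every version of the package is an assumption of this example.

```python
import re
from typing import Optional

# Constructed to mirror the YAML whitelist entry from the report.
WHITELIST = [
    {"name": "bundler", "version": "1.10.5", "cve": ["CVE-2016-7954"],
     "status": "inprogress", "comment": "Will be fixed soon"},
]

# Derivation names look like '<pname>-<version>'; the version starts with a digit.
DRV_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.]*)$")


def split_derivation(drv: str):
    """Split 'bundler-1.10.5' into ('bundler', '1.10.5'); version may be None."""
    m = DRV_RE.match(drv)
    if not m:
        return drv, None
    return m.group("name"), m.group("version")


def whitelist_status(drv: str, cve: str, whitelist=WHITELIST) -> Optional[str]:
    """Return the whitelist status that applies to (derivation, CVE), or None.

    An entry with a `version` matches only that exact version; an entry
    without one matches every version of the package (assumed semantics).
    """
    name, version = split_derivation(drv)
    for entry in whitelist:
        if entry["name"] != name:
            continue
        if entry.get("version") is not None and entry["version"] != version:
            continue  # the version check the reported behaviour lacks
        if cve not in entry.get("cve", []):
            continue
        return entry["status"]
    return None


def annotate(drv: str, cve: str, whitelist=WHITELIST) -> str:
    """Reproduce the report's marker: append '*' when the finding is whitelisted."""
    return drv + ("*" if whitelist_status(drv, cve, whitelist) else "")


if __name__ == "__main__":
    for drv in ("bundler-1.10.5", "bundler-1.8.9"):
        print(annotate(drv, "CVE-2016-7954"))
```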

I think this bug report is obsolete since I've ripped out the "workinprogress" feature completely.