Story
Resolution: Won't Do
Normal
(Hadas From Snyk)
Hey!
We noticed there are a few vulnerabilities that show twice in the same OVAL file, under two different definition IDs - one marked `unaffected` and the other not.
I can't seem to see anything in the criteria that should differentiate the vulnerabilities from each other, and we're not sure if we should mark the `unaffected` or not.
For example:
In RHEL 8 OVAL stream CVE-2018-1302 exists for package mod_http2 under two different definition IDs:
- oval:com.redhat.cve:def:20181302
- oval:com.redhat.unaffected:def:20181302
There are quite a lot of these, I can give more examples if needed.
Could you please help us understand this?
Thanks!
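
An added example, not part of the original report and not Snyk's or Red Hat's code: one way to list every CVE that appears in an OVAL file under both the `oval:com.redhat.cve:def:` and `oval:com.redhat.unaffected:def:` ID prefixes. The sample XML is constructed and trimmed to the `id` attribute, and mapping the numeric suffix back to a CVE name is an assumption generalized from the single pair quoted above.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# ID shape taken from the two definition IDs quoted in the report.
DEF_ID = re.compile(r"^oval:com\.redhat\.(cve|unaffected):def:(\d+)$")

# Constructed sample, not real Red Hat data; metadata and criteria are omitted.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.redhat.cve:def:20181302" version="1"/>
    <definition id="oval:com.redhat.unaffected:def:20181302" version="1"/>
    <definition id="oval:com.redhat.cve:def:20990001" version="1"/>
    <definition id="oval:com.redhat.unaffected:def:20990002" version="1"/>
  </definitions>
</oval_definitions>"""


def cve_from_suffix(suffix):
    # Assumption: suffix = 4-digit year + sequence number (20181302 -> CVE-2018-1302).
    return f"CVE-{suffix[:4]}-{suffix[4:]}"


def find_conflicts(oval_xml):
    """Return {CVE: {"cve": id, "unaffected": id}} for suffixes present under both prefixes."""
    root = ET.fromstring(oval_xml)
    seen = defaultdict(dict)
    for definition in root.iterfind("oval:definitions/oval:definition", OVAL_NS):
        match = DEF_ID.match(definition.get("id", ""))
        if match:
            kind, suffix = match.groups()
            seen[suffix][kind] = definition.get("id")
    return {
        cve_from_suffix(suffix): ids
        for suffix, ids in sorted(seen.items())
        if {"cve", "unaffected"} <= ids.keys()
    }


if __name__ == "__main__":
    for cve, ids in find_conflicts(SAMPLE_OVAL).items():
        print(cve, ids["cve"], ids["unaffected"])
```

The script only reports the overlap; it does not decide which of the two definitions a scanner should honour.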