
Same CVE & package under two definition IDs in same OVAL


    • Type: Story
    • Resolution: Won't Do
    • Priority: Normal
    • Labels: oval

      (Hadas From Snyk)

      Hey!

      We noticed there are a few vulnerabilities that show twice in the same OVAL file, under two different definition IDs - one marked `unaffected` and the other not.

      I can't seem to see anything in the criteria that should differentiate the vulnerabilities from each other, and we're not sure if we should mark the `unaffected` or not.


      For example:

      In RHEL 8 OVAL stream CVE-2018-1302 exists for package mod_http2 under two different definition IDs:

      1. oval:com.redhat.cve:def:20181302
      2. oval:com.redhat.unaffected:def:20181302


      There are quite a lot of these, I can give more examples if needed.
      Could you please help us understand this?

      Thanks!

            rhn-support-jshepher Jason Shepherd
            snyk-arthur Snyk Tech Partner (Inactive)

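One way to enumerate such pairs across a whole stream, as an added example that is not code from the issue or from Red Hat: it assumes the Red Hat OVAL id layout `oval:<namespace>:def:<number>` with one `<reference source="CVE">` per definition, and runs on a constructed fragment that mirrors the report (CVE-2018-1302 under both the `cve` and `unaffected` namespaces).

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Assumption: Red Hat definition ids look like oval:<namespace>:def:<number>
DEF_ID_RE = re.compile(r"^oval:([^:]+):def:(\d+)$")

# Constructed sample fragment (not a real stream): the same CVE and package
# listed twice, once under the 'cve' namespace and once under 'unaffected'.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition class="vulnerability" id="oval:com.redhat.cve:def:20181302" version="1">
      <metadata><reference ref_id="CVE-2018-1302" source="CVE"/></metadata>
      <criteria><criterion comment="mod_http2 is installed" test_ref="oval:com.redhat.cve:tst:1"/></criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.redhat.unaffected:def:20181302" version="1">
      <metadata><reference ref_id="CVE-2018-1302" source="CVE"/></metadata>
      <criteria><criterion comment="mod_http2 is installed" test_ref="oval:com.redhat.unaffected:tst:1"/></criteria>
    </definition>
    <definition class="vulnerability" id="oval:com.redhat.cve:def:20180001" version="1">
      <metadata><reference ref_id="CVE-2018-0001" source="CVE"/></metadata>
      <criteria/>
    </definition>
  </definitions>
</oval_definitions>"""


def definitions_by_cve(oval_xml: str) -> dict[str, dict[str, str]]:
    """Map CVE id -> {definition namespace -> definition id} for every definition."""
    root = ET.fromstring(oval_xml)
    out: dict[str, dict[str, str]] = defaultdict(dict)
    for d in root.iter(f"{{{OVAL_NS}}}definition"):
        m = DEF_ID_RE.match(d.get("id", ""))
        if not m:
            continue  # skip ids that do not follow the assumed layout
        namespace = m.group(1)
        for ref in d.iter(f"{{{OVAL_NS}}}reference"):
            if ref.get("source") == "CVE":
                out[ref.get("ref_id")][namespace] = d.get("id")
    return dict(out)


def conflicting_cves(oval_xml: str) -> dict[str, dict[str, str]]:
    """Return only the CVEs that appear under more than one definition namespace."""
    return {cve: ns for cve, ns in definitions_by_cve(oval_xml).items() if len(ns) > 1}
```

Running `conflicting_cves` over a real stream lists every CVE that has both a `com.redhat.cve` and a `com.redhat.unaffected` definition, so the two ids can be compared side by side rather than found by hand.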