Type: Bug
Resolution: Unresolved
Major
Very Likely
Description:
While reviewing the product_tree section in the VEX files, I noticed
that some products—likely RPM packages—do not have a PURL (Package
URL) specified in the product_identification_helper.
For example, in the case of the following entry from the product_tree in CVE-2016-3674:

```json
{
  ...
  "product_tree": {
    "branches": [
      {
        "branches": [
          ...
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 7",
                "product": {
                  "name": "Red Hat Enterprise Linux 7",
                  "product_id": "red_hat_enterprise_linux_7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux 7"
          },
          ...
          {
            "category": "product_version",
            "name": "xstream",
            "product": {
              "name": "xstream",
              "product_id": "xstream"
            }
          },
          ...
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      ...
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xstream as a component of Red Hat Enterprise Linux 7",
          "product_id": "red_hat_enterprise_linux_7:xstream"
        },
        "product_reference": "xstream",
        "relates_to_product_reference": "red_hat_enterprise_linux_7"
      },
      ...
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-3674",
      ...
      "product_status": {
        ...
        "known_affected": [
          ...
          "red_hat_enterprise_linux_7:xstream",
          ...
        ]
      },
      ...
    }
  ]
}
```

Normally, we would expect a product_id such as "xstream" to have a corresponding product_identification_helper that includes a purl, but it appears to be missing in this case.

https://security.access.redhat.com/data/csaf/v2/vex/2016/cve-2016-3674.json
I am attaching the CVE and product_id combinations I found that appear to be related to this pattern.
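To find such entries automatically, here is an added Python checker (example code written for this note, not part of the report or of Red Hat's tooling): it walks a CSAF product_tree recursively, collects leaf products whose product_identification_helper carries no purl, and reports those that a known_affected status references through a default_component_of relationship. The embedded document is a constructed abridgement of the structure quoted above, not the real VEX file.

```python
import json

# Constructed sample mirroring the CVE-2016-3674 product_tree shape quoted above
# (abridged, not the real file): the OS product has a CPE helper, "xstream" has no helper.
SAMPLE_VEX = json.loads("""
{
  "product_tree": {
    "branches": [{"branches": [
      {"branches": [{"category": "product_name", "name": "Red Hat Enterprise Linux 7",
        "product": {"name": "Red Hat Enterprise Linux 7",
                    "product_id": "red_hat_enterprise_linux_7",
                    "product_identification_helper": {"cpe": "cpe:/o:redhat:enterprise_linux:7"}}}],
       "category": "product_family", "name": "Red Hat Enterprise Linux 7"},
      {"category": "product_version", "name": "xstream",
       "product": {"name": "xstream", "product_id": "xstream"}}
    ], "category": "vendor", "name": "Red Hat"}],
    "relationships": [{"category": "default_component_of",
      "full_product_name": {"name": "xstream as a component of Red Hat Enterprise Linux 7",
                            "product_id": "red_hat_enterprise_linux_7:xstream"},
      "product_reference": "xstream",
      "relates_to_product_reference": "red_hat_enterprise_linux_7"}]
  },
  "vulnerabilities": [{"cve": "CVE-2016-3674",
    "product_status": {"known_affected": ["red_hat_enterprise_linux_7:xstream"]}}]
}
""")

def iter_products(branches):
    """Yield every 'product' object found at any depth of a nested branches list."""
    for branch in branches:
        if "product" in branch:
            yield branch["product"]
        yield from iter_products(branch.get("branches", []))

def products_missing_purl(doc):
    """Return {component product_id: [cves]} for products that carry no purl in their
    product_identification_helper and are referenced by some CVE's known_affected list."""
    tree = doc.get("product_tree", {})
    no_purl = {p["product_id"] for p in iter_products(tree.get("branches", []))
               if "purl" not in p.get("product_identification_helper", {})}
    # Map composite ids used in product_status ("os:component") back to the component id.
    component_of = {r["full_product_name"]["product_id"]: r["product_reference"]
                    for r in tree.get("relationships", [])}
    hits = {}
    for vuln in doc.get("vulnerabilities", []):
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            component = component_of.get(pid, pid)
            if component in no_purl:
                hits.setdefault(component, []).append(vuln["cve"])
    return hits

if __name__ == "__main__":
    print(products_missing_purl(SAMPLE_VEX))  # {'xstream': ['CVE-2016-3674']}
```

Pointing `json.load` at a downloaded VEX file instead of `SAMPLE_VEX` runs the same check over a real advisory.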