Bug
Resolution: Unresolved
Current Behavior
In older CSAF VEX advisories, some packages (e.g., `kernel`) have source package PURLs (`arch=src`).
For example, in CVE-2007-2764, both `kernel` and `kernel.src` are defined with the same source package PURL:
```json
[
  {
    "name": "kernel",
    "product_id": "kernel",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/kernel?arch=src"
    }
  },
  {
    "name": "kernel.src",
    "product_id": "kernel.src",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/kernel?arch=src"
    }
  }
]
```
URL: https://security.access.redhat.com/data/csaf/v2/vex/2007/cve-2007-2764.json
Expected Behavior
Since `kernel.src` explicitly represents the source package, I would expect `kernel` to represent the binary package with a binary PURL (without `arch=src`).
In newer advisories like CVE-2024-35789, the `kernel` package has a binary PURL:
```json
{
  "name": "kernel",
  "product_id": "kernel",
  "product_identification_helper": {
    "purl": "pkg:rpm/redhat/kernel"
  }
}
```
URL: https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-35789.json
Steps to reproduce
1. Fetch the CSAF VEX for CVE-2007-2764 and extract the `kernel` and `kernel.src` package definitions:
```shell
curl -s https://security.access.redhat.com/data/csaf/v2/vex/2007/cve-2007-2764.json | jq '[.product_tree.branches | .. | objects | select(has("product")) | .product | select(.product_id | test("^kernel$|^kernel\\.src$"))]'
```
Output:
```json
[
  {
    "name": "kernel",
    "product_id": "kernel",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/kernel?arch=src"
    }
  },
  {
    "name": "kernel.src",
    "product_id": "kernel.src",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/kernel?arch=src"
    }
  }
]
```
2. Observe that both have the same source package PURL (`arch=src`).
3. Compare with a newer advisory (CVE-2024-35789) where `kernel` has a binary PURL.
```shell
curl -s https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-35789.json | jq '[.product_tree.branches | .. | objects | select(has("product")) | .product | select(.product_id | test("^kernel$|^kernel\\.src$"))]'
```
Output:
```json
[
  {
    "name": "kernel",
    "product_id": "kernel",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/kernel"
    }
  },
  {
    "name": "kernel.src",
    "product_id": "kernel.src",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/kernel?arch=src"
    }
  }
]
```
Impact Statement
As discussed in https://issues.redhat.com/browse/SECDATA-1097, we are skipping source packages and parsing binary packages for backward compatibility with OVALv2. However, since the `kernel` binary package PURL is missing in older advisories, these advisories are not being included in our vulnerability database.
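The following is an added example, not code from the report or from any Red Hat tooling. It mirrors the jq walk from the reproduction steps in Python, applies the "skip source PURLs, keep binary PURLs" rule from the impact statement, and flags products such as `kernel` that are not named as source packages yet carry only an `arch=src` PURL. The two product trees are constructed from the excerpts quoted above, not fetched; the function names are my own.

```python
from urllib.parse import parse_qs

def iter_products(node):
    """Yield every `product` object under a CSAF product_tree (like jq's `..`)."""
    if isinstance(node, dict):
        if "product" in node:
            yield node["product"]
        for child in node.values():
            yield from iter_products(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_products(child)

def purl_of(product):
    """Return the product's PURL, or None when no identification helper is present."""
    return (product.get("product_identification_helper") or {}).get("purl")

def is_source_purl(purl):
    """True when the PURL carries the `arch=src` qualifier (a source package)."""
    _, _, query = purl.partition("?")
    return "src" in parse_qs(query).get("arch", [])

def split_packages(tree):
    """Return (binary_ids, source_ids); source PURLs are what the importer skips."""
    binary, source = [], []
    for p in iter_products(tree):
        purl = purl_of(p)
        if purl:
            (source if is_source_purl(purl) else binary).append(p["product_id"])
    return binary, source

def source_only_binaries(tree):
    """Product ids not named as source packages whose only PURL is still arch=src.
    An advisory where `kernel` lands here contributes no binary package at all."""
    return [p["product_id"] for p in iter_products(tree)
            if not p["product_id"].endswith(".src")
            and purl_of(p) and is_source_purl(purl_of(p))]

def sample_tree(kernel_purl):
    """Constructed minimal product_tree with `kernel` and `kernel.src` (not fetched)."""
    def leaf(pid, purl):
        return {"category": "product_version", "name": pid,
                "product": {"name": pid, "product_id": pid,
                            "product_identification_helper": {"purl": purl}}}
    return {"branches": [{"category": "vendor", "name": "Red Hat", "branches": [
        leaf("kernel", kernel_purl), leaf("kernel.src", "pkg:rpm/redhat/kernel?arch=src")]}]}

OLD_TREE = sample_tree("pkg:rpm/redhat/kernel?arch=src")  # shape of CVE-2007-2764
NEW_TREE = sample_tree("pkg:rpm/redhat/kernel")           # shape of CVE-2024-35789
```

Running `source_only_binaries` over a whole advisory feed gives a quick inventory of which older documents would be dropped by the binary-only import rule.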