Security Data / SECDATA-1179

Inconsistent product spec for some CSAF Vex advisories


    • Bug
    • Resolution: Unresolved
    • Normal

      Why need this Task?

      This is causing misidentifications of affected products

      Description:

      We've encountered modular product IDs with the format module/package. For example, ubi10/s2i-core in https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-24294.json. However, for CVE-2023-5841, the package gimp:flatpak/OpenEXR is represented in package:module format (OpenEXR-libs::gimp:flatpak in https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-5841.json).

      This causes our feed parser to miss it and mark the whole package as vulnerable instead of only the modular one.

      Can you let us know how we should approach this, or is this something that Red Hat can address?

              jsvoboda@redhat.com Jakub Svoboda
              jonathan.dong Jonathan Dong
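One way a feed parser could accept both notations quoted in the description, as an added example that is not part of the original issue and is not Red Hat's product ID specification. It assumes `::` separates package from module and `/` separates module from package, inferred only from the two IDs above; `Component`, `parse_component` and `is_affected` are hypothetical names.

```python
from typing import Iterable, NamedTuple, Optional


class Component(NamedTuple):
    module: Optional[str]  # e.g. "gimp:flatpak"; None when no module is given
    package: str


def parse_component(spec: str) -> Component:
    """Normalize either notation to (module, package).

    Assumption (inferred from the two IDs in the issue, not from a spec):
    "pkg::module" and "module/pkg" describe the same kind of component.
    """
    spec = spec.strip()
    if "::" in spec:    # package::module, e.g. OpenEXR-libs::gimp:flatpak
        package, module = spec.split("::", 1)
    elif "/" in spec:   # module/package, e.g. ubi10/s2i-core
        module, package = spec.split("/", 1)
    else:               # plain package, no module qualifier
        module, package = None, spec
    if module == "" or not package:
        # Fail loudly instead of silently widening the match to a whole package.
        raise ValueError(f"malformed component spec: {spec!r}")
    return Component(module, package)


def is_affected(installed: Component, advisory_specs: Iterable[str]) -> bool:
    """Exact (module, package) match, so a modular entry in the advisory
    does not flag the non-modular build of the same package."""
    return any(parse_component(s) == installed for s in advisory_specs)


# Constructed sample: the two component strings quoted in the issue.
ADVISORY_SPECS = ["ubi10/s2i-core", "OpenEXR-libs::gimp:flatpak"]

if __name__ == "__main__":
    for inst in (Component("gimp:flatpak", "OpenEXR-libs"),
                 Component(None, "OpenEXR-libs")):
        print(inst, "affected:", is_affected(inst, ADVISORY_SPECS))
```

Rejecting a malformed spec rather than falling back to the bare package name keeps an unrecognized notation from being reported as a package-wide match.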