Bug#998757: security.debian.org: OVAL feed issues

2021-11-08 Thread Noah Meyerhans
On Mon, Nov 08, 2021 at 08:07:00AM +0100, Sébastien Delafond wrote:
> The other approach is for the OVAL code to simply skip a CVE entirely if
> the target distribution was never affected: it would remove the current
> false positives, and the only downside would be the lack of an alert is
>

Bug#998757: security.debian.org: OVAL feed issues

2021-11-07 Thread Sébastien Delafond
On 07/11 10:22, Noah Meyerhans wrote:
> [...] These two OVAL definitions list essentially identical criteria,
> yet their actual status in bullseye is quite different:
>
> CVE-2020-28200 is still present in bullseye and is a legitimate
> finding by any scanner based on these definitions:
>

Bug#998757: security.debian.org: OVAL feed issues

2021-11-07 Thread Noah Meyerhans
Package: security.debian.org
Severity: important
X-Debbugs-Cc: s...@debian.org

There are two classes of issue with different statuses in the security-tracker database and JSON feed that are not distinguished in the OVAL feeds. Consider the following two entries from the bullseye oval feeds[1]:
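As an added example, not code from the bug report, from the Debian security tracker or from the OVAL generator, the following Python shows how the two classes the report says the OVAL feed conflates (an issue that is genuinely open or fixed in a release, versus one the release was never affected by) can be told apart from the tracker's JSON feed, which the report names as the place where the statuses do differ. Assumptions: the feed shape used here (package -> CVE -> "releases" -> release -> "status"/"fixed_version") follows https://security-tracker.debian.org/tracker/data/json, a "fixed_version" of "0" is taken to mark a never-affected release, and the package name "placeholder-pkg" and the id "CVE-0000-0000" are placeholders rather than real tracker data. The sample JSON is constructed inline so the script runs offline.

```python
import json

# Constructed sample in the shape of the Debian security-tracker JSON feed
# (https://security-tracker.debian.org/tracker/data/json). Illustrative data,
# not a copy of the feed. Assumptions: each per-release entry carries "status"
# ("open" or "resolved") and, when resolved, "fixed_version"; a fixed_version
# of "0" marks a release that was never affected. "placeholder-pkg" and
# "CVE-0000-0000" are placeholders; CVE-2020-28200 is the id the report cites
# as still open in bullseye.
SAMPLE_TRACKER_JSON = json.dumps({
    "placeholder-pkg": {
        "CVE-2020-28200": {
            "scope": "local",
            "releases": {
                "bullseye": {
                    "status": "open",
                    "urgency": "not yet assigned",
                    "repositories": {"bullseye": "1.0-1"},
                },
                "buster": {
                    "status": "resolved",
                    "fixed_version": "0.9-2+deb10u1",
                    "urgency": "not yet assigned",
                    "repositories": {"buster": "0.9-2+deb10u1"},
                },
            },
        },
        "CVE-0000-0000": {
            "scope": "local",
            "releases": {
                "bullseye": {
                    "status": "resolved",
                    "fixed_version": "0",   # assumed never-affected marker
                    "urgency": "unimportant",
                    "repositories": {"bullseye": "1.0-1"},
                },
            },
        },
    }
})


def load_tracker(text):
    """Parse the tracker JSON: package -> CVE -> {"releases": {release: entry}}."""
    return json.loads(text)


def classify_release_entry(entry):
    """Map one per-release entry to: open, fixed, not-affected or unknown."""
    status = entry.get("status")
    if status == "open":
        return "open"
    if status == "resolved":
        fixed = entry.get("fixed_version")
        if fixed == "0":
            return "not-affected"
        if fixed:
            return "fixed"
    return "unknown"


def release_status(tracker, package, cve, release):
    """Status of one CVE for one package in one release; 'unknown' when the
    tracker has no entry for that combination."""
    entry = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if entry is None:
        return "unknown"
    return classify_release_entry(entry)


def scanner_worthy_cves(tracker, package, release):
    """CVEs a scanner for `release` should carry a definition for: the open and
    fixed classes. The not-affected class is dropped, which is the distinction
    the report says the OVAL feed does not make. A 'fixed' entry still needs
    the installed version compared against fixed_version (dpkg version
    ordering), which is outside this example."""
    result = {}
    for cve in tracker.get(package, {}):
        state = release_status(tracker, package, cve, release)
        if state in ("open", "fixed"):
            result[cve] = state
    return result


if __name__ == "__main__":
    tracker = load_tracker(SAMPLE_TRACKER_JSON)
    for cve in ("CVE-2020-28200", "CVE-0000-0000"):
        print(cve, release_status(tracker, "placeholder-pkg", cve, "bullseye"))
    print(scanner_worthy_cves(tracker, "placeholder-pkg", "bullseye"))
```

Against the constructed sample, CVE-2020-28200 classifies as open in bullseye and fixed in buster, while the placeholder CVE classifies as not-affected in bullseye and is therefore left out of the set a scanner would alert on.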