Referencing vendor packages from advisories

Lately there have been a lot of advisories coming out that reference the same CVEs that were referenced months (or even years) ago.

Typically it's because of things like Java fixes, i.e. you get separate advisories for Java 1.7, Java 1.8 and Java 11... yet apart from the subject they're the same.

We want to relate these advisories to fixed (and affected) packages from the vendor, e.g. RedHat. But RedHat release their errata referencing the CVEs only.

So if we match the advisory to a package via the CVE we wind up with 3x advisories having the exact same package list.

As an example: SA94503 (Java 1.8 openjdk), SA94692 (Java 1.7 openjdk) and SA94526 (java-11-openjdk).

Is there data available (besides the free-form description) that we could use to filter the vendor packages? Or a Flexera API call to get either the affected or fixed package lists?

H


Hi Hamish,

Thank you for contacting Flexera. To get the expected results you would need to submit an idea on our website https://community.flexera.com/t5/Software-Vulnerability/We-Still-Want-Your-Ideas-about-Software-Vulnerability-Management/td-p/95036, as this is an enhancement to the product. Please note that you can view affected products using the API, but there is no data other than description and title to filter your results.

Regards,

Artur Rodziewicz