hamish
Active participant

Referencing vendor packages from advisories

Lately there have been a lot of advisories coming out that reference the same CVEs that were referenced months (or even years) ago.

Typically it's because of things like Java fixes, i.e. you get separate advisories for Java 1.7, Java 1.8 and Java 11... yet apart from the subject they're the same.
We want to relate these advisories to fixed (and affected) packages from the vendor, e.g. RedHat. But RedHat release their errata referencing the CVEs only.
So if we match the advisory to a package via the CVE we wind up with 3x advisories having the exact same package list.
As an example, SA94503 (Java 1.8 openjdk), SA94692 (Java 1.7 openjdk) and SA94526 (java-11-openjdk).
Is there data available (besides the free-form description) that we could use to filter the vendor packages? Or a Flexera API call to get either the affected or fixed package lists?
H
arodziewicz
Flexera

Hi Hamish,

Thank you for contacting Flexera. To get the expected results you would need to submit an idea on our website https://community.flexera.com/t5/Software-Vulnerability/We-Still-Want-Your-Ideas-about-Software-Vuln... as this is an enhancement to the product. Please note that you can view affected products using the API, but there is no data other than the description and title to filter your results.
Regards,

Artur Rodziewicz

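The CVE-only join Hamish describes, and the title-based narrowing that the reply leaves as the only option, worked through as an added Python example. This is not code from the thread or from Flexera's product and it calls no Flexera or Red Hat API: the advisory titles, CVE ids, erratum ids, package versions and the "Red Hat update for <source package>" title pattern are constructed assumptions, and only the three SA numbers come from the post. It shows why the three advisories get identical package lists when matched by CVE alone, and how far the title gets you when you fall back on it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """A Flexera-style advisory: only the title and the CVE list are usable for matching."""
    sa_id: str
    title: str
    cves: frozenset


@dataclass(frozen=True)
class Package:
    name: str   # RPM package name, e.g. java-1.8.0-openjdk-devel
    evr: str    # epoch:version-release as the vendor lists it


@dataclass(frozen=True)
class Erratum:
    """A vendor erratum (RHSA-style) that references CVEs and lists the fixed packages."""
    rhsa_id: str
    cves: frozenset
    packages: tuple


# Constructed sample data (assumption): the SA numbers are the ones from the post; the
# titles, CVE ids, erratum ids and package versions are placeholders, not real records.
SHARED_CVES = frozenset({"CVE-0000-0001", "CVE-0000-0002"})

ADVISORIES = [
    Advisory("SA94503", "Red Hat update for java-1.8.0-openjdk", SHARED_CVES),
    Advisory("SA94692", "Red Hat update for java-1.7.0-openjdk", SHARED_CVES),
    Advisory("SA94526", "Red Hat update for java-11-openjdk", SHARED_CVES),
]

ERRATA = [
    Erratum("RHSA-0000:0001", SHARED_CVES, (
        Package("java-1.8.0-openjdk", "1:1.8.0.0-1.el7"),
        Package("java-1.8.0-openjdk-devel", "1:1.8.0.0-1.el7"),
        Package("java-1.8.0-openjdk-headless", "1:1.8.0.0-1.el7"),
    )),
    Erratum("RHSA-0000:0002", SHARED_CVES, (
        Package("java-1.7.0-openjdk", "1:1.7.0.0-1.el7"),
        Package("java-1.7.0-openjdk-devel", "1:1.7.0.0-1.el7"),
        Package("java-1.7.0-openjdk-headless", "1:1.7.0.0-1.el7"),
    )),
    Erratum("RHSA-0000:0003", SHARED_CVES, (
        Package("java-11-openjdk", "1:11.0.0.0-1.el7"),
        Package("java-11-openjdk-devel", "1:11.0.0.0-1.el7"),
        Package("java-11-openjdk-headless", "1:11.0.0.0-1.el7"),
    )),
]


def packages_by_cve(advisory, errata):
    """Join on CVE only. Every erratum that shares a CVE with the advisory contributes
    its whole package list, so advisories sharing a CVE set get identical results."""
    names = set()
    for erratum in errata:
        if advisory.cves & erratum.cves:
            names.update(pkg.name for pkg in erratum.packages)
    return sorted(names)


# OpenJDK source package names as they appear in RHEL titles (assumed pattern):
# java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, ...
PRODUCT_RE = re.compile(r"\bjava-(?:1\.\d+\.0|\d+)-openjdk\b")


def product_from_title(title):
    """Pull the source package name out of the advisory title, or None if there is none."""
    match = PRODUCT_RE.search(title)
    return match.group(0) if match else None


def narrow_by_title(advisory, errata):
    """CVE join, then keep only packages built from the product named in the title.
    Subpackages (name-devel, name-headless, ...) share the source package prefix.
    Returns (package_names, product). product is None when the title gave no usable
    hint; the unfiltered CVE-join result is returned then so nothing is silently dropped."""
    candidates = packages_by_cve(advisory, errata)
    product = product_from_title(advisory.title)
    if product is None:
        return candidates, None
    kept = [n for n in candidates if n == product or n.startswith(product + "-")]
    return kept, product


if __name__ == "__main__":
    for adv in ADVISORIES:
        print(adv.sa_id, "CVE join:", len(packages_by_cve(adv, ERRATA)), "packages")
        names, product = narrow_by_title(adv, ERRATA)
        print(adv.sa_id, "narrowed by title to", product, "->", names)
```

The CVE join returns all nine OpenJDK packages for each of the three advisories, which is exactly the duplication the post complains about. Narrowing on the title gets each advisory down to its own three packages, but only because the title happens to carry the source package name; for a title that names no product the function deliberately returns the unfiltered list together with `None`, so the caller can flag that advisory for manual review rather than trust an empty match.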