Lately there have been a lot of advisories coming out that reference the same CVE's that were referenced months (Or even years) ago.
Typically it's because things like Java fixes. i.e. You get separate advisories for Java 1.7, Java 1.8 and Java 11... Yet apart from the subject they're the same.
We cant to relate these advisories to fixed (And Affected) packages from the vendor. e.g. RedHat. But RedHat release their errata referencing the CVE's only.
So if we match the advisory to a package via the CVE we wind up with 3x advisories having the exact same package list.
As an example SA94503 (Java 1.8 openjdk), SA94692 (Java 1.7 openjdk) and SA94526 (java-11-openjdk)
Is there data available (Besides the free-form description) that we could use to filter the vendor packages? Or a flexera API call to get either the affected or fix package lists?
H
May 27, 2020 03:25 AM
Hi Hamish,
Thank you for contacting Flexera. To get expected results you would need to submit an idea on our website https://community.flexera.com/t5/Software-Vulnerability/We-Still-Want-Your-Ideas-about-Software-Vulnerability-Management/td-p/95036 as this is an enhancement to the product. Please note that you can view affected products using API but there is no data other than description and title to filter your results.
Regards,
Artur Rodziewicz
Jun 03, 2020 11:21 AM