This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
hamish
Level 4

Re: SuSE SLES-15-SP2 and SP3

by in Software Vulnerability Management Forum
‎Apr 23, 2021 03:02 AM
‎Apr 23, 2021 03:02 AM
I believe that we were informed OS releases would be automatically added to the Flexera database. Is this incorrect? Do we have to request a new release of an OS to be added manually whenever SuSE, or RHEL increment the version? I have seen that SuSE are releasing CVRF's referencing SLES-15-SP3, so I think it probably should be in Flexeras database. regards ... View more

SuSE SLES-15-SP2 and SP3

by in Software Vulnerability Management Forum
‎Apr 15, 2021 04:36 AM
‎Apr 15, 2021 04:36 AM
I see CVRF's from SuSE for SLES-15-SP2 and SP3. But the advisories that relate to these CVRF's only show SLES-15-SP1.. In fact there are some CVRF's that only list SP2 or SP3 from SuSE yet the advisories linking to them only show SP1.   I'll assume that we can get the recognition of SP2 and SP3 fixed (It looks like SuSE have changed the way they report - In SP1 the OS was listed as 'SUSE Linux Enterprise Server 15-SP1-LTSS' but now in SP2 and SP3 they list by Channel/Repo (i.e. 'SUSE Linux Enterprise Module for Basesystem 15-SP2' and 'SUSE Linux Enterprise Module for Development Tools 15-SP2')   The Question is... When the process is fixed to recognise 15-SP2 and 15-SP3 is there any way to prompt a re-issue of all the advisories that should mention SP2 and SP3 yet do not?     ... View more

Incorrect vendor Errata ID's in some Advisories

by in Software Vulnerability Management Forum
‎Mar 17, 2021 06:57 AM
‎Mar 17, 2021 06:57 AM
Not sure if this is the right place. But some advisories are coming through with incorrect vendor errata ID's in them., Specifically RHEL-7 and RHEL-8 (But not all of them. Just some). e.g. SA100934 Has Original advisory: RHSA-2021:0744-01: https://access.redhat.com/errata/RHSA-2021:0744   The advisory is RHSA-2021:0744 and the correct URL to RH is there. but the errata is listed in the advisory as RHSA-2021:0744-01. There is no -01 in the errata ID. It's incorrect in the JSON data as well which is annoying because it destroys our ability to track.   is there  a better place to raise this? It's not an isolated incident. There are a lot of advisories recently that have the same issue.   TIA               ... View more

Larger pages from /api/advisories ?

by in Software Vulnerability Management Forum
‎Oct 23, 2020 01:20 PM
‎Oct 23, 2020 01:20 PM
Does anyone know if it's possible to get a page larger than 20 entries at a time from the /api/advisories API call?   There's nothing in the docs... I can cache the full entries... And when running a test, I get good speed for everything except the next page of the advisory list... If the pages were larger I'd have fewer turnaround waits. Obviously this is only really useful on the second and subsequent run through a particular advisory. But when testing new features, or fixing issues occasionally I have to run through a lot of advisories   TIA  H ... View more

Re: Attribute description for advisories

by in Software Vulnerability Management Forum
‎Oct 08, 2020 04:06 AM
1 Kudo
‎Oct 08, 2020 04:06 AM
1 Kudo
Hi   Yes, and I use the API to gather the details. But I'm looking for an in-depth description of the attributes that come back in the response. I did find the SAID-Anatomy PDF, but that only includes a few of the elements (And doesn't match them to attribute names but fortunately they aren't very ambiguous).   There is nothing about the references or product CPE's though.    regards ... View more

Re: The Anatomy of a Security Advisory

by in Software Vulnerability Research Knowledge Base
‎Oct 05, 2020 10:18 AM
‎Oct 05, 2020 10:18 AM
The link to SAID-Anatomy.pdf is broken...  ... View more

Attribute description for advisories

by in Software Vulnerability Management Forum
‎Oct 05, 2020 10:16 AM
‎Oct 05, 2020 10:16 AM
is there a document somewhere that provides a detailed description of the fields in the advisories obtained via the API?   For example the products list... Or more precisely, the cpe's within the products list...   TIA ... View more

Re: Direct link to show an advisory?

by in Software Vulnerability Management Forum
‎Jul 10, 2020 11:39 AM
‎Jul 10, 2020 11:39 AM
Ah! Perfect, thanks   H ... View more

Direct link to show an advisory?

by in Software Vulnerability Management Forum
‎Jul 10, 2020 02:51 AM
‎Jul 10, 2020 02:51 AM
We have regular meetings to discuss advisories. For make these easier and reduce the amount of manual typing people have to do, I'd like to generate URL's that would open directly onto the information for a particular advisory.   Is there a URI that will do that? I tried https://app.secunia.com/#/vt/advisory-database/advisories/SA96261 (i.e. Add the advisory to the link for the advisory research) but I just get page not found and the normal list with a box to type in the advisory manually to search for it - Which is what I'm trying to get away from) perhaps an undocumented parameter to the link to perform the search automatically and show the information?       ... View more

Referencing vendor packages from advisories

by in Software Vulnerability Management Forum
‎May 27, 2020 03:25 AM
‎May 27, 2020 03:25 AM
Lately there have been a lot of advisories coming out that reference the same CVE's that were referenced months (Or even years) ago. Typically it's because things like Java fixes. i.e. You get separate advisories for Java 1.7, Java 1.8 and Java 11... Yet apart from the subject they're the same.   We cant to relate these advisories to fixed (And Affected) packages from the vendor. e.g. RedHat. But RedHat release their errata referencing the CVE's only.   So if we match the advisory to a package via the CVE we wind up with 3x advisories having the exact same package list.   As an example SA94503 (Java 1.8 openjdk), SA94692 (Java 1.7 openjdk) and SA94526 (java-11-openjdk)   Is there data available (Besides the free-form description) that we could use to filter the vendor packages? Or a flexera API call to get either the affected or fix package lists?   H       ... View more

cvss2 and cvss3 score are both non-blank

by in Software Vulnerability Management Forum
‎Mar 06, 2020 02:57 AM
‎Mar 06, 2020 02:57 AM
I'm pulling advisories via the APi for a near real-time feed of information. And had implemented the decision between cvss2 and cvss3 scores as documented in the API docs. i.e. If cvss2 is blank, use cvss3.   However it would appear that there are multiple records in the feed where both the cvss2 and cvss3 scores are NOT blank.        Case in point.  SA76954 with a cvss3 score of 0 and a cvss2 score of 7.6, then we have some the other way around. cvss2 scores of 0 and cvss3 scores    I'm really hoping that despite the documented behaviour saying otherwise, the API doesn't equate a blank with a numerical 0, because that appears to equate to a rejection.. Is there a more reliable way? e.g. empty cvss_vector? ... View more

Re: Advisory Details via API Explorer

by in Software Vulnerability Management Forum
‎Nov 15, 2019 08:48 AM
‎Nov 15, 2019 08:48 AM
Ah!    Stupid me... I didn't realise that the URI on the explorer could be used like that. I was trying to find a way to convince the interface to do it for me. ... View more

Advisory Details via API Explorer

by in Software Vulnerability Management Forum
‎Nov 15, 2019 05:41 AM
1 Kudo
‎Nov 15, 2019 05:41 AM
1 Kudo
For various reasons, I don't have end-2-end API access today. Is it possible to get the advisory details via the APiIexplorer? I can't seem to convince it to do anything except the advisory notification (i.e. I can't get it to access something like   /api/advisory/SA12345/   Trying to enter in various fields on the filter popup just results in a URI like    /api/advisoriy/?search=SA12345   The pop-up seems a bit weird too. Lots of fields called [invalid name]. is that bug? Can it be fixed? ... View more

Re: We Still Want Your Ideas about Software Vulnerability Management Products!

by in Software Vulnerability Management Forum
‎Nov 13, 2019 07:58 AM
1 Kudo
‎Nov 13, 2019 07:58 AM
1 Kudo
Some suggestions Consistent naming of products (The Solaris ones are a bit of a mess). Perhaps a short name in addition to the long-winded one. Like RHEL-8, RHEL-7, SLES-15SP1 etc. For example SOLARIS-5, SOLARIS-6 instead of some of them being Sun Microsystems, some Oracle and some Oracle formerly Sun Micro etc. A method to list all the product names available. Especially if it listed the long-winded name and the short unambiguous name proposed above The API should return an error if the parameters are incorrect. How many advisories could trace themselves back to functions ignoring the input, or the wrong input's causing unpredictable output? A proper changelog or journal capable of being returned in guaranteed sequential order.  The current update listing by modified date is ambiguous for what has actually changed. Because the detail is in the advisory and you only get the LATEST info, not the info for a particular advisory change notification This would be useful for some historical what-if scenarios we're looking at presently Ability to run more than 1 session per login token. Otherwise I have to convince someone to create a new user every time I want to setup a new environment for my app Yes I could setup an internal server to provide the input to my environments but then it becomes chicken & egg when I need to enhance it for upcoming development that is not yet ready for PROD ... View more

Re: Multiple API connections

by in Software Vulnerability Management Forum
‎Nov 12, 2019 08:41 AM
‎Nov 12, 2019 08:41 AM
I see nowhere in the docs that it discusses multiple sessins at once.   And you can't have more than 1 token per user either...   regards ... View more
Latest posts by hamish
View All ≫
Activity Feed
Contact Me
Online Status
Offline
Date Last Visited
‎Apr 23, 2021 06:22 AM
Kudos given to