Currently we guess up to 10 package name candidates and then try to pick the correct package name based on whether the version mentioned in the CVE record exists for the given candidate or not. If not, then we discard the candidate and move to the next one.
However, NVD often lists multiple affected/not affected versions in CVE records. All of them should exist for the given candidate.
We should be able to improve accuracy by implementing this check as it will help us to filter out false positives and thus we will more likely pick the right package name.
Pre-work: #40
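
The difference between a single-version check and the proposed all-versions check, as an added example that is not the project's code. The function names, package names and version data are constructed, and the current behaviour is modelled as testing only the first listed version, which is an assumption.

```python
# Added illustration: names and data below are constructed, not the project's code.

def first_version_match(candidates, cve_versions, published):
    """Model of the current check (assumed: only the first listed version is tested)."""
    if not cve_versions:
        return None
    for name in candidates:
        if cve_versions[0] in published.get(name, set()):
            return name
    return None


def missing_versions(name, cve_versions, published):
    """Versions from the CVE record that the candidate has never published."""
    return sorted(set(cve_versions) - published.get(name, set()))


def all_versions_match(candidates, cve_versions, published):
    """Proposed check: keep the first candidate for which every listed version exists."""
    if not cve_versions:
        # An empty version list would vacuously match any candidate, so refuse to guess.
        return None
    for name in candidates:
        if not missing_versions(name, cve_versions, published):
            return name
    return None


# Constructed sample: ranked candidates and the versions each one has published.
CANDIDATES = ["org.example:http-core", "org.example:http-client"]
PUBLISHED = {
    "org.example:http-core": {"1.2.0", "1.3.0"},
    "org.example:http-client": {"1.0.0", "1.2.0", "1.2.1", "2.0.0"},
}
# Versions listed in a constructed CVE record (affected and not affected).
CVE_VERSIONS = ["1.2.0", "1.2.1", "2.0.0"]

if __name__ == "__main__":
    print(first_version_match(CANDIDATES, CVE_VERSIONS, PUBLISHED))  # false positive
    print(all_versions_match(CANDIDATES, CVE_VERSIONS, PUBLISHED))
    print(missing_versions(CANDIDATES[0], CVE_VERSIONS, PUBLISHED))
```

The output of `missing_versions` for a rejected candidate is worth logging, since it shows why a name was discarded.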