
Bug: Kernel CVE ingestion logic fails with lessThan/lessThanOrEqual unaffected version ranges #207

@fwilhe

Description

What happened:

The logic for extracting the unaffected/fixed kernel versions in glvd-data-ingestion/src/glvd/cli/data/ingest_kernel.py is faulty and does not handle common patterns found in recent kernel CVE JSON data.

For instance, given this sample JSON from CVE-2024-50025.json:

{
   "product": "Linux",
   "vendor": "Linux",
   "defaultStatus": "affected",
   "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
   "programFiles": [
      "drivers/scsi/fnic/fnic_main.c"
   ],
   "versions": [
      { "version": "6.8", "status": "affected" },
      { "version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver" },
      { "version": "6.11.4", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver" },
      { "version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" }
   ]
}

yields this result in the glvd database:

glvd=# select cve_id, lts_version, fixed_version, is_fixed, is_relevant_subsystem from cve_context_kernel where cve_id = 'CVE-2024-50025';
     cve_id     | lts_version | fixed_version | is_fixed | is_relevant_subsystem
----------------+-------------+---------------+----------+-----------------------
 CVE-2024-50025 | 6.12        | 6.12          | t        | t
 CVE-2024-50025 | 6.18        |               | f        | t
 CVE-2024-50025 | 6.6         |               | f        | t
(3 rows)

Kernel versions 6.6 and 6.18 are not vulnerable according to the information provided by the kernel, but are marked as such in glvd.

The current code only considers entries with status unaffected where only the version field is present. It ignores unaffected/fixed version ranges expressed with lessThan, lessThanOrEqual, or * wildcards. As a result, it does not robustly determine which LTS versions are fixed or unaffected for recent CVEs.

What you expected to happen:

The logic should correctly interpret and extract unaffected/fixed versions from entries specifying lessThan, lessThanOrEqual, or wildcards, not just exact version numbers.

How to reproduce it (as minimally and precisely as possible):

  1. Run the ingestion script against a CVE file structured like the CVE-2024-50025.json sample above.
  2. Observe that LTS fixed/unaffected detection does not work as expected for relevant LTS versions.

Anything else we need to know:

  • The bug is in the evaluation within the get_fixed_versions function and associated logic for LTS selection.
  • This is blocking robust CVE triage for new Linux kernels.

Environment:
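As an added illustration (not code from glvd or from the issue author), the following Python reads the versions array the way the report asks for: every entry with status unaffected is a range, [version, lessThan) or [version, lessThanOrEqual], where a * component stands for "any patch level" and a bare * for "no upper bound". From those ranges it derives a status per LTS series. The sample versions list is copied from the CVE-2024-50025 fragment in the issue; the LTS list, the fixed/unaffected/affected classification, and the handling of entries it cannot parse (git hashes, -rc tags are skipped) are assumptions of this example, not glvd's schema.

```python
"""Interpret CVE 5.x 'versions' ranges from kernel CVE JSON for LTS triage.

Added example, not part of glvd. Assumptions: only dotted numeric versions
(optionally with '*' components) are modelled; anything else is skipped.
"""
from __future__ import annotations

from typing import Iterator, Optional

# Sentinel for a '*' component: larger than any real kernel version number.
WILDCARD = 10**9

# Copied from the CVE-2024-50025 fragment quoted in the issue.
SAMPLE_VERSIONS = [
    {"version": "6.8", "status": "affected"},
    {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"},
    {"version": "6.11.4", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"},
    {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"},
]

# Constructed LTS list mirroring the three rows shown in the issue (assumption).
LTS_SERIES = ["6.6", "6.12", "6.18"]


def parse_version(v: str) -> Optional[tuple[int, int, int]]:
    """Turn '0', '6.8', '6.11.4', '6.11.*' or '*' into a comparable 3-tuple.

    Missing components are padded with 0, so '6.8' sorts before '6.8.1'.
    Returns None for values this example does not model (git hashes, '-rc').
    """
    parts = v.split(".")
    if len(parts) > 3:
        return None
    out: list[int] = []
    for p in parts:
        if p == "*":
            out.append(WILDCARD)
        elif p.isdigit():
            out.append(int(p))
        else:
            return None
    while len(out) < 3:
        out.append(0)
    return (out[0], out[1], out[2])


def format_version(v: tuple[int, int, int]) -> str:
    """Inverse of parse_version for display: (6, 12, 0) -> '6.12'."""
    parts = list(v)
    while len(parts) > 2 and parts[-1] == 0:
        parts.pop()
    return ".".join(str(p) for p in parts)


def unaffected_ranges(versions: list[dict]) -> Iterator[tuple[tuple, tuple, bool]]:
    """Yield (lo, hi, hi_inclusive) for each 'unaffected' entry.

    An entry with only 'version' is the single version [v, v].
    """
    for entry in versions:
        if entry.get("status") != "unaffected":
            continue
        lo = parse_version(entry["version"])
        if lo is None:
            continue  # git hash or rc tag: not modelled in this example
        if "lessThan" in entry:
            hi, inclusive = parse_version(entry["lessThan"]), False
        elif "lessThanOrEqual" in entry:
            hi, inclusive = parse_version(entry["lessThanOrEqual"]), True
        else:
            hi, inclusive = lo, True
        if hi is not None:
            yield lo, hi, inclusive


def in_range(v: tuple, rng: tuple[tuple, tuple, bool]) -> bool:
    lo, hi, inclusive = rng
    return lo <= v and (v <= hi if inclusive else v < hi)


def lts_status(series: str, versions: list[dict], default_status: str = "affected") -> dict:
    """Classify one LTS series (e.g. '6.6') against the CVE's version ranges.

    'fixed'      : an unaffected range starts inside the series (fix backported
                   or fix landed in its .0 release); fixed_version is that start.
    'unaffected' : the whole series lies inside an unaffected range that began
                   before it (the bug was introduced later or fixed earlier).
    otherwise    : defaultStatus from the record, normally 'affected'.
    """
    major, minor = (int(x) for x in series.split("."))
    first, last = (major, minor, 0), (major, minor, WILDCARD)
    ranges = list(unaffected_ranges(versions))
    fixes = sorted(lo for lo, _, _ in ranges if lo[:2] == (major, minor))
    if fixes:
        return {"lts_version": series, "status": "fixed", "fixed_version": format_version(fixes[0])}
    if any(in_range(first, r) and in_range(last, r) for r in ranges):
        return {"lts_version": series, "status": "unaffected", "fixed_version": None}
    return {"lts_version": series, "status": default_status, "fixed_version": None}


def triage(versions: list[dict], lts_series: list[str]) -> list[dict]:
    return [lts_status(s, versions) for s in lts_series]


if __name__ == "__main__":
    for row in triage(SAMPLE_VERSIONS, LTS_SERIES):
        print(row)
```

On the sample record this yields 6.6 unaffected (the [0, 6.8) range covers the whole series), 6.12 fixed at 6.12 (the range [6.12, *] starts in that series), and 6.18 unaffected (inside the same unbounded range), which is the outcome the report expects instead of the two false positives shown in the table. Ranges that bottom out at a git hash rather than a version number are deliberately skipped here; a production implementation would need to resolve those against the stable tree.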
