Hello,
Any issue with including the "product" field in the Debian OVAL XML?
```xml
<definition class="vulnerability" id="oval:org.debian:def:19991332" version="1">
  <metadata>
    <title>CVE-1999-1332</title>
    <affected family="unix">
      <platform>Debian GNU/Linux 10</platform>
      <product>gzip</product>
    </affected>
    <reference ref_id="CVE-1999-1332" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1332" source="CVE"/>
    <description>gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file.</description>
    <debian>
      <date>2003-06-06</date>
      <moreinfo></moreinfo>
    </debian>
  </metadata>
  <criteria comment="Release section" operator="AND">
    <criterion comment="Debian 10 is installed" test_ref="oval:org.debian.oval:tst:1"/>
    <criteria comment="Architecture section" operator="OR">
      <criteria comment="Architecture independent section" operator="AND">
        <criterion comment="all architecture" test_ref="oval:org.debian.oval:tst:2"/>
        <criterion comment="gzip DPKG is earlier than 1.3.5-6" test_ref="oval:org.debian.oval:tst:4"/>
      </criteria>
    </criteria>
  </criteria>
</definition>
```
`<product>` nicely parses out the affected package name.
Curious if we can add it to "Affected".
```go
// Affected : >definitions>definition>metadata>affected
type Affected struct {
	XMLName   xml.Name `xml:"affected"`
	Family    string   `xml:"family,attr"`
	Platforms []string `xml:"platform"`
}
```
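An added example, not part of the original issue or the project's code: a sketch of how the struct could carry the `<product>` element, run against the metadata of the definition quoted above. The names `AffectedWithProduct`, `definition` and `parseDefinition` are hypothetical, and the trimming of empty product entries is an assumption about what a consumer would want.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// AffectedWithProduct is a hypothetical variant of Affected; only Products is new.
type AffectedWithProduct struct {
	XMLName   xml.Name `xml:"affected"`
	Family    string   `xml:"family,attr"`
	Platforms []string `xml:"platform"`
	Products  []string `xml:"product"` // proposed field; empty when no <product> exists
}

// definition is an assumed minimal wrapper: >definition>metadata>affected
type definition struct {
	Affected AffectedWithProduct `xml:"metadata>affected"`
}

// sampleDefinition is constructed from the definition in the issue (metadata only).
const sampleDefinition = `<definition class="vulnerability" id="oval:org.debian:def:19991332" version="1">
<metadata><title>CVE-1999-1332</title>
<affected family="unix">
<platform>Debian GNU/Linux 10</platform>
<product>gzip</product>
</affected></metadata>
</definition>`

// parseDefinition decodes one definition and drops blank <product> entries.
func parseDefinition(raw string) (definition, error) {
	var d definition
	if err := xml.Unmarshal([]byte(raw), &d); err != nil {
		return d, fmt.Errorf("decode definition: %w", err)
	}
	products := d.Affected.Products[:0]
	for _, p := range d.Affected.Products {
		if p = strings.TrimSpace(p); p != "" {
			products = append(products, p)
		}
	}
	d.Affected.Products = products
	return d, nil
}

func main() {
	d, err := parseDefinition(sampleDefinition)
	fmt.Println(d.Affected.Products, d.Affected.Platforms, err)
}
```

Because `Products` is a slice, a definition with several `<product>` children or with none decodes without error, so existing feeds that omit the element are unaffected.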