What if different advisories report different version range for the same vulnerability?

For example, CVE-2023-38286 for `pkg:maven/de.codecentric/spring-boot-admin-server`:
- [github advisories](https://github.com/advisories/GHSA-7gj7-224w-vpr3) say affected versions `<3.1.2` and patched in `3.1.2`
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-38286) CPE say `Up to (including)3.1.0`
- [gitlab advisories](https://advisories.gitlab.com/advisory/advmaven_de_codecentric_spring_boot_admin_server_CVE_2023_38286.html) agree with NVD and suggest `Upgrade to version 3.1.1 or above`.

[The commit that fixes this](https://github.com/codecentric/spring-boot-admin/commit/f1f6ac6f613e1c0afc121c8989f28b4155a6797a) is actually included in version 3.1.2.

Currently in vulnerablecode, `GitLabAPIImporter` and `GitHubAPIImporter` reports differenct version range accordingly, and `DefaultImprover` decides that this is fixed in version `3.1.1`
![image](https://github.com/nexB/vulnerablecode/assets/11829223/76c7328b-d6a2-4cb6-8bd4-7c2291c889c1)

Maybe for vulnerablecode, it should use the largest range for affected versions? That is,  it should use `"affected_version_range": "vers:maven/<3.1.2"` collected by `GitHubAPIImporter`, rather than `"affected_version_range": "vers:maven/<=3.1.0"` collected by `GitLabAPIImporter`.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

What if different advisories report different version range for the same vulnerability? #1297

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

What if different advisories report different version range for the same vulnerability? #1297

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions