
Vulnerabilities & Advisories import issues #2121


@maxthier

Description

I have configured the cve and osv-github importers. After the import process completed, I observed some inconsistencies regarding PURLs (package URLs, which I assume Trustify uses to correlate advisories with SBOM components) and the resulting "Packages" view.

Vulnerabilities with empty purls field

I noticed that a significant number of imported vulnerabilities have an empty purls field (`"purls": {}`) on every one of their advisories.

I would say that most of them have an empty purls field. IMPORTANT: this was only determined by randomly picking imported vulnerabilities and checking the purls field, not by querying the whole data set, so the proportion is an estimate. Note that in the example below the GHSA advisory comes from the `unreviewed/` directory of the GitHub Advisory Database and the CVE advisory comes from the MITRE CVE list; neither source appears to carry package-level affected/fixed ranges for this record, which may explain why both purls objects are empty.

You can see an example of such a vulnerability here:

Vulnerability with empty purls field
{
  "normative": true,
  "identifier": "CVE-2024-22880",
  "title": "Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute a arbitrary code via a crafted script to the webchat component.",
  "description": "Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute a arbitrary code via a crafted script to the webchat component.",
  "reserved": "2024-01-11T00:00:00Z",
  "published": "2025-03-13T00:00:00Z",
  "modified": "2025-03-19T18:39:37.455Z",
  "withdrawn": null,
  "discovered": null,
  "released": null,
  "cwes": [],
  "average_severity": "medium",
  "average_score": 4.7,
  "advisories": [
    {
      "uuid": "urn:uuid:28867ff2-5135-4084-9a3a-fa656ce3d41a",
      "identifier": "GHSA-rgfv-pm9m-qwf8",
      "document_id": "GHSA-rgfv-pm9m-qwf8",
      "issuer": null,
      "published": "2025-03-13T15:32:58Z",
      "modified": "2025-03-19T21:30:46Z",
      "withdrawn": null,
      "title": null,
      "labels": {
        "importer": "osv-github",
        "source": "https://github.com/github/advisory-database",
        "file": "unreviewed/2025/03/GHSA-rgfv-pm9m-qwf8/GHSA-rgfv-pm9m-qwf8.json",
        "type": "osv"
      },
      "severity": "medium",
      "score": 4.7,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
      ],
      "purls": {},
      "sboms": [],
      "number_of_vulnerabilities": 1
    },
    {
      "uuid": "urn:uuid:19d52a0f-6a75-4a24-b50f-0724782d2950",
      "identifier": "CVE-2024-22880",
      "document_id": "CVE-2024-22880",
      "issuer": {
        "id": "3207d1e1-7d2b-4ef2-8fe5-21c05c745375",
        "name": "mitre",
        "cpe_key": null,
        "website": null
      },
      "published": "2025-03-13T00:00:00Z",
      "modified": "2025-03-19T18:39:37.455Z",
      "withdrawn": null,
      "title": "Cross Site Scripting vulnerability in Zadarma Zadarma extension v.1.0.11 allows a remote attacker to execute a arbitrary code via a crafted script to the webchat component.",
      "labels": {
        "type": "cve",
        "importer": "cve",
        "source": "https://github.com/CVEProject/cvelistV5",
        "file": "2024/22xxx/CVE-2024-22880.json"
      },
      "severity": "medium",
      "score": 4.7,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
      ],
      "purls": {},
      "sboms": [],
      "number_of_vulnerabilities": 1
    }
  ]
}

Vulnerability with purls field

There are some cases where the purls field isn't empty. In the example below the GHSA advisory comes from the `github-reviewed/` directory and carries fixed and affected version ranges for `pkg:composer/aimeos/ai-admin-graphql`, while the CVE advisory for the same vulnerability still has an empty purls object:

Vulnerability with purls field
{
  "normative": true,
  "identifier": "CVE-2024-39323",
  "title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account",
  "description": "aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.\n",
  "reserved": "2024-06-21T18:15:22.263Z",
  "published": "2024-07-02T16:03:03.253Z",
  "modified": "2024-08-02T04:19:20.645Z",
  "withdrawn": null,
  "discovered": null,
  "released": null,
  "cwes": [
    "CWE-1220",
    "CWE-863"
  ],
  "average_severity": "high",
  "average_score": 7.1,
  "advisories": [
    {
      "uuid": "urn:uuid:27b9825f-0c39-435b-8f1a-a3ba12f71152",
      "identifier": "GHSA-vc7j-99jw-jrqm",
      "document_id": "GHSA-vc7j-99jw-jrqm",
      "issuer": null,
      "published": "2024-07-02T21:20:33Z",
      "modified": "2024-07-05T17:54:36Z",
      "withdrawn": null,
      "title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account",
      "labels": {
        "file": "github-reviewed/2024/07/GHSA-vc7j-99jw-jrqm/GHSA-vc7j-99jw-jrqm.json",
        "importer": "osv-github",
        "type": "osv",
        "source": "https://github.com/github/advisory-database"
      },
      "severity": "high",
      "score": 8.2,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
      ],
      "purls": {
        "fixed": [
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "2024.04.6",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "2023.10.6",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "2022.10.10",
            "context": null
          }
        ],
        "affected": [
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "[2024.04.1,2024.04.6)",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "[2023.04.1,2023.10.6)",
            "context": null
          },
          {
            "base_purl": {
              "uuid": "6536e5d3-6a31-51db-85c8-ab5537db52f8",
              "purl": "pkg:composer/aimeos/ai-admin-graphql"
            },
            "version": "[2022.04.1,2022.10.10)",
            "context": null
          }
        ]
      },
      "sboms": [],
      "number_of_vulnerabilities": 1
    },
    {
      "uuid": "urn:uuid:d98041c9-afef-4585-ae95-2105189b3850",
      "identifier": "CVE-2024-39323",
      "document_id": "CVE-2024-39323",
      "issuer": {
        "id": "916ae1b9-aa83-4af5-9a16-f40daa26fb40",
        "name": "GitHub_M",
        "cpe_key": null,
        "website": null
      },
      "published": "2024-07-02T16:03:03.253Z",
      "modified": "2024-08-02T04:19:20.645Z",
      "withdrawn": null,
      "title": "aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account",
      "labels": {
        "importer": "cve",
        "file": "2024/39xxx/CVE-2024-39323.json",
        "type": "cve",
        "source": "https://github.com/CVEProject/cvelistV5"
      },
      "severity": "high",
      "score": 7.1,
      "cvss3_scores": [
        "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
      ],
      "purls": {},
      "sboms": [],
      "number_of_vulnerabilities": 1
    }
  ]
}

Imported packages

After the importers finished, the "Packages" view was populated with many entries.

  • Many packages appear to have been created by the importer but contain no associated vulnerabilities.
  • It is currently difficult to distinguish between packages that originated from an uploaded SBOM and packages created as part of the importer process. (You have to open each package and check the "SBOMs using package" tab.)

Questions

Regarding Matching:

  • Is it expected that the osv-github and cve importers frequently result in empty purls (for example for unreviewed GHSA records, or for CVE records that are not also covered by a reviewed GHSA)?
  • Is the purls field a hard requirement for Trustify to match vulnerabilities to packages in SBOMs? If so, every vulnerability whose advisories all have empty purls would be a potential false negative when scanning an SBOM.
    • If the purls field is empty, how does Trustify match the vulnerabilities (e.g. via CPE or another identifier)?
  • Are there other vulnerability sources that are compatible/tested/recommended to be used with Trustify?

Regarding Packages

  • Why do importers create Package entries that have no vulnerabilities attached to them?
  • Is there a way to filter the "Packages" view to those packages that appear in an uploaded SBOM and exclude those that were only created by the importer process?

Importer config

get /api/v2/importer
[
  {
    "name": "cve",
    "heartbeat": 1763394920705011000,
    "configuration": {
      "cve": {
        "disabled": false,
        "period": "1day",
        "description": "CVE list v5",
        "source": "https://github.com/CVEProject/cvelistV5"
      }
    },
    "state": "waiting",
    "lastChange": "2025-11-17T15:55:20.580487Z",
    "lastSuccess": "2025-11-17T15:55:10.70635Z",
    "lastRun": "2025-11-17T15:55:10.70635Z",
    "progress": {},
    "continuation": "4772e2f14e6ce50e2b8cbc6523a3d16e11a3f63d"
  },
  {
    "name": "osv-github",
    "heartbeat": 1763467500704317400,
    "configuration": {
      "osv": {
        "disabled": false,
        "period": "1day",
        "description": "GitHub Advisory Database",
        "source": "https://github.com/github/advisory-database",
        "path": "advisories"
      }
    },
    "state": "waiting",
    "lastChange": "2025-11-18T12:05:00.276299Z",
    "lastSuccess": "2025-11-18T12:04:20.706296Z",
    "lastRun": "2025-11-18T12:04:20.706296Z",
    "progress": {},
    "continuation": "f1fbd2d59262f3f2e21238d98b071fe2649065a0"
  },
  {
    "name": "redhat-csaf",
    "heartbeat": null,
    "configuration": {
      "csaf": {
        "disabled": true,
        "period": "1day",
        "description": "All Red Hat CSAF data",
        "source": "redhat.com",
        "v3Signatures": false,
        "fetchRetries": 50
      }
    },
    "state": "waiting",
    "lastChange": "2025-11-10T11:01:03.627442Z",
    "progress": {}
  }
]

Thank you very much for your inputs and help!
