[OSVDB-discuss] Database schema

Steve Tornio swtornio at gmail.com
Tue Feb 19 06:23:50 CST 2008


On Feb 19, 2008 6:11 AM, Armando Oliveira <armando.j.m.o at gmail.com> wrote:
>
> When a vuln affects version x.y.z to x.y.g (e.g. 1.1.3 - 1.1.7), how can I
> extract that information from the database?
>

We make every effort to make sure we only include vulnerable versions
of products, but we do include all that are verified vulnerable.  In
the situation above, the entry could look very different depending on
the product.  If 1.1.3, 1.1.3.5, 1.1.4, 1.1.5.1, 1.1.6 and 1.1.7 were
reported as vulnerable, the OSVDB entry will contain those versions.
Because software is released with inconsistent versioning, we do not
believe it would be accurate to list a range of vulnerable versions
instead of providing all known to be vulnerable.

We do not make the assumption that if a vulnerability exists in 1.1.7,
that it existed in previous versions.  In the case of most reports, we
only get the most recent vulnerable version, and so for most entries,
I think you'd find 1.1.7 listed as the only vulnerable version.  Of
course, anyone that is interested can go back through some entries and
update the list of affected versions.

Steve
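
Added example, not part of the original message and not OSVDB code or schema: matching an installed version against an entry's enumerated version list, as the reply describes, instead of against a range. The function names, result labels and installed-version samples are assumptions; the version list is the one given in the message.

```python
import re

# Versions listed for one entry, taken from the example in the message above.
LISTED_VERSIONS = ["1.1.3", "1.1.3.5", "1.1.4", "1.1.5.1", "1.1.6", "1.1.7"]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple (1.1.3.0 == 1.1.3)."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        # Refuse to guess at suffixes such as '-beta' or 'rc1'.
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # drop trailing zeros so equal versions compare equal
    return tuple(parts)


def classify(installed, listed_versions):
    """Say where an installed version sits relative to the enumerated list.

    Only 'listed' means the entry records the version as vulnerable. The
    other labels describe position only; the entry makes no statement
    about versions it does not list.
    """
    target = parse_version(installed)
    listed = {parse_version(v) for v in listed_versions}
    if not listed:
        raise ValueError("entry lists no versions")
    if target in listed:
        return "listed"
    if target < min(listed):
        return "unlisted-below-span"
    if target > max(listed):
        return "unlisted-above-span"
    # A range match (1.1.3 - 1.1.7) would have reported this as vulnerable.
    return "unlisted-within-span"


if __name__ == "__main__":
    # Constructed inventory of installed versions.
    for version in ["1.1.2", "1.1.3.0", "1.1.5", "1.1.5.1", "1.1.8"]:
        print(f"{version:8} {classify(version, LISTED_VERSIONS)}")
    # An entry that lists only the most recent reported version.
    print(f"{'1.1.6':8} {classify('1.1.6', ['1.1.7'])}")
```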

