From knewman at globaldataguard.com Tue Jun 2 17:11:22 2009
From: knewman at globaldataguard.com (Kurt Newman)
Date: Tue, 02 Jun 2009 17:11:22 -0500
Subject: [OSVDB-discuss] How to report db data errors?
Message-ID: <4A25A38A.90907@globaldataguard.com>

It's quite simple to edit/add vulnerabilities. However, there's a data
discrepancy issue with regards to what the website shows, versus, the
mysql download.

For example, the website for id 42670
(http://osvdb.org/show/osvdb/42670) lists an author, several
classifications and external references. However, the MySQL database
does not have this relation. The related CVE from within the MySQL db
is, 2008-0550, which points to the non-existent OSVDB id, 1026869.

The following are some sample queries to illustrate this issue:

# ensure 2008-0550 is a CVE
mysql> select * from ext_reference_types where id=3;
+----+--------+
| id | name   |
+----+--------+
|  3 | CVE ID |
+----+--------+
1 row in set (0.00 sec)

# find osvdb that relates to CVE 2008-0550
mysql> select id,vulnerability_id,ext_reference_type_id,value from ext_references where value='2008-0550';
+--------+------------------+-----------------------+-----------+
| id     | vulnerability_id | ext_reference_type_id | value     |
+--------+------------------+-----------------------+-----------+
| 957122 |          1026869 |                     3 | 2008-0550 |
+--------+------------------+-----------------------+-----------+
1 row in set (0.38 sec)

# ext_references points to non-existent osvdb id
mysql> select * from vulnerabilities where osvdb_id=1026869;
Empty set (0.09 sec)

# the real osvdb id that should relate to CVE 2008-0550
mysql> select osvdb_id,title from vulnerabilities where osvdb_id=42670;
+----------+----------------------------------------------------+
| osvdb_id | title                                              |
+----------+----------------------------------------------------+
|    42670 | Streamcast HTTP Request Off-By-One Remote Overflow |
+----------+----------------------------------------------------+
1 row in set (0.26 sec)

From dave at opensecurityfoundation.org Tue Jun 2 17:39:50 2009
From: dave at opensecurityfoundation.org (David Shettler)
Date: Tue, 2 Jun 2009 18:39:50 -0400
Subject: [OSVDB-discuss] How to report db data errors?
In-Reply-To: <4A25A38A.90907@globaldataguard.com>
References: <4A25A38A.90907@globaldataguard.com>
Message-ID: <26fc42fe0906021539t44711717m9d48999a676c7785@mail.gmail.com>

osvdb_id isn't the primary key. On some vulnerabilities, the id field
is the same as the osvdb_id, but don't count on it. OSVDB_ID is the
public identifier, and is only assigned when a vulnerability is
approved to be created. Many vulnerabilities come in that are not
approved, or are merged into one, or are broken into many, hence why it
isn't used as a primary key anymore (it was a few years ago).

Instead, vulnerability_id refers to the id field of the vulnerabilities table.

OSVDB ID: 42670 has an id of 1026869

> # ext_references points to non-existent osvdb id
> mysql> select * from vulnerabilities where osvdb_id=1026869;
> Empty set (0.09 sec)

instead, try:

select * from vulnerabilities where id = 1026869;

Dave

From knewman at globaldataguard.com Tue Jun 2 17:38:55 2009
From: knewman at globaldataguard.com (Kurt Newman)
Date: Tue, 02 Jun 2009 17:38:55 -0500
Subject: [OSVDB-discuss] How to report db data errors?
In-Reply-To: <26fc42fe0906021539t44711717m9d48999a676c7785@mail.gmail.com>
References: <4A25A38A.90907@globaldataguard.com> <26fc42fe0906021539t44711717m9d48999a676c7785@mail.gmail.com>
Message-ID: <4A25A9FF.9010007@globaldataguard.com>

Ah, this explains a lot. Thank you for the help.

David Shettler wrote:
> osvdb_id isn't the primary key. On some vulnerabilities, the id field
> is the same as the osvdb_id, but don't count on it. OSVDB_ID is the
> public identifier, and is only assigned when a vulnerability is
> approved to be created.
> Many vulnerabilities come in that are not approved, or
> are merged into one, or are broken into many, hence why it isn't used as
> a primary key anymore (it was a few years ago).
>
> Instead, vulnerability_id refers to the id field of the vulnerabilities table.
>
> OSVDB ID: 42670 has an id of 1026869
>
>> # ext_references points to non-existent osvdb id
>> mysql> select * from vulnerabilities where osvdb_id=1026869;
>> Empty set (0.09 sec)
>
> instead, try:
>
> select * from vulnerabilities where id = 1026869;
>
> Dave
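
Added example, not part of the original thread or of OSVDB's own code: a sketch of resolving a CVE to its public OSVDB ID through vulnerabilities.id, and of checking for dangling ext_references rows with the right and the wrong join key. It uses an in-memory SQLite database in place of the MySQL dump; table and column names come from the thread, while the NULL osvdb_id for unapproved entries and the rows marked "constructed" are assumptions.

```python
import sqlite3

def build_sample_db():
    """In-memory stand-in for the dump; names follow the thread, rows are samples."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE vulnerabilities (id INTEGER PRIMARY KEY, osvdb_id INTEGER, title TEXT);
        CREATE TABLE ext_reference_types (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE ext_references (id INTEGER PRIMARY KEY, vulnerability_id INTEGER,
                                     ext_reference_type_id INTEGER, value TEXT);
        INSERT INTO ext_reference_types VALUES (3, 'CVE ID');
        -- Rows from the thread: internal id 1026869 carries public OSVDB ID 42670.
        INSERT INTO vulnerabilities VALUES
            (1026869, 42670, 'Streamcast HTTP Request Off-By-One Remote Overflow');
        INSERT INTO ext_references VALUES (957122, 1026869, 3, '2008-0550');
        -- Constructed: unapproved entry with no public id (NULL is an assumption).
        INSERT INTO vulnerabilities VALUES (2000001, NULL, 'constructed pending entry');
        INSERT INTO ext_references VALUES (900001, 2000001, 3, '0000-0001');
        -- Constructed: a reference whose vulnerability row really is missing.
        INSERT INTO ext_references VALUES (900002, 3000003, 3, '0000-0002');
    """)
    return db

def osvdb_ids_for_cve(db, cve):
    """Resolve a CVE value to public OSVDB IDs by joining on vulnerabilities.id."""
    rows = db.execute("""
        SELECT v.osvdb_id FROM ext_references r
        JOIN ext_reference_types t ON t.id = r.ext_reference_type_id
        JOIN vulnerabilities v ON v.id = r.vulnerability_id
        WHERE t.name = 'CVE ID' AND r.value = ? AND v.osvdb_id IS NOT NULL
    """, (cve,))
    return [r[0] for r in rows]

def dangling_references(db, key):
    """ext_references ids with no match when joined on vulnerabilities.<key>."""
    if key not in ("id", "osvdb_id"):  # fixed allow-list, never user input
        raise ValueError(key)
    rows = db.execute(f"""
        SELECT r.id FROM ext_references r
        LEFT JOIN vulnerabilities v ON v.{key} = r.vulnerability_id
        WHERE v.id IS NULL ORDER BY r.id
    """)
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_sample_db()
    print(osvdb_ids_for_cve(db, "2008-0550"))
    print(dangling_references(db, "osvdb_id"))  # wrong key: every row looks broken
    print(dangling_references(db, "id"))        # right key: only the real orphan
```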