[OSVDB-discuss] How to report db data errors?

Kurt Newman knewman at globaldataguard.com
Tue Jun 2 17:11:22 CDT 2009


It's quite simple to edit/add vulnerabilities.  However, there's a data
discrepancy issue with regard to what the website shows versus
the MySQL download.

For example.

The website for id 42670 (http://osvdb.org/show/osvdb/42670) lists an
author, several classifications and external references.

However, the MySQL database does not have this relation.  The related
CVE from within the MySQL db is, 2008-0550, which points to the
non-existent OSVDB id, 1026869.

The following are some sample queries to illustrate this issue:

# ensure 2008-0550 is a CVE
mysql> select * from ext_reference_types where id=3;
+----+--------+
| id | name   |
+----+--------+
|  3 | CVE ID |
+----+--------+
1 row in set (0.00 sec)

# find osvdb that relates to CVE 2008-0550
mysql> select id,vulnerability_id,ext_reference_type_id,value from
ext_references where value='2008-0550';
+--------+------------------+-----------------------+-----------+
| id     | vulnerability_id | ext_reference_type_id | value     |
+--------+------------------+-----------------------+-----------+
| 957122 |          1026869 |                     3 | 2008-0550 |
+--------+------------------+-----------------------+-----------+
1 row in set (0.38 sec)

# ext_references points to non-existent osvdb id
mysql> select * from vulnerabilities where osvdb_id=1026869;
Empty set (0.09 sec)

# the real osvdb id that should relate to CVE 2008-0550
mysql> select osvdb_id,title from vulnerabilities where osvdb_id=42670;
+----------+----------------------------------------------------+
| osvdb_id | title                                              |
+----------+----------------------------------------------------+
|    42670 | Streamcast HTTP Request Off-By-One Remote Overflow |
+----------+----------------------------------------------------+
1 row in set (0.26 sec)
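
An added example, not part of the original post or of OSVDB's own tooling: the single-row check above generalised to every row of ext_references, run with Python's sqlite3 over constructed rows. Table and column names come from the queries in the post; the vulnerabilities.id column is an assumed surrogate key, and the resolves_via labels are illustrative.

```python
import sqlite3

# Constructed sample rows. Table and column names follow the queries in the
# post, except vulnerabilities.id, which is an assumed surrogate key.
SCHEMA = """
CREATE TABLE ext_reference_types (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE vulnerabilities (id INTEGER PRIMARY KEY, osvdb_id INTEGER, title TEXT);
CREATE TABLE ext_references (id INTEGER PRIMARY KEY, vulnerability_id INTEGER,
                             ext_reference_type_id INTEGER, value TEXT);
INSERT INTO ext_reference_types VALUES (3, 'CVE ID');
INSERT INTO vulnerabilities VALUES (1, 100, 'Constructed entry A');
INSERT INTO vulnerabilities VALUES (500, 200, 'Constructed entry B');
INSERT INTO ext_references VALUES (10, 100, 3, '0000-0001');
INSERT INTO ext_references VALUES (11, 500, 3, '0000-0002');
INSERT INTO ext_references VALUES (12, 999, 3, '0000-0003');
"""

# For each reference, report which key (if any) its vulnerability_id resolves
# against: the public osvdb_id, only the assumed row id, or nothing at all.
AUDIT = """
SELECT r.id, t.name, r.value, r.vulnerability_id,
       CASE WHEN by_osvdb.osvdb_id IS NOT NULL THEN 'osvdb_id'
            WHEN by_row.id IS NOT NULL THEN 'row_id_only'
            ELSE 'dangling' END AS resolves_via
FROM ext_references r
JOIN ext_reference_types t ON t.id = r.ext_reference_type_id
LEFT JOIN vulnerabilities by_osvdb ON by_osvdb.osvdb_id = r.vulnerability_id
LEFT JOIN vulnerabilities by_row ON by_row.id = r.vulnerability_id
ORDER BY r.id
"""

def build_sample():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def audit_references(conn):
    """Return (ref_id, type_name, value, vulnerability_id, resolves_via) rows."""
    return conn.execute(AUDIT).fetchall()

def unresolved(rows):
    """Keep only references that do not resolve through osvdb_id."""
    return [row for row in rows if row[4] != "osvdb_id"]

if __name__ == "__main__":
    for row in unresolved(audit_references(build_sample())):
        print(row)
```

A large share of row_id_only results would point to a difference in join key rather than missing data, while dangling rows match no entry under either key.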


