Dedupe CSAF Vulnerability IDs about dep-scan HOT 5 CLOSED

@prabhu Here's an overview of the part of the document I am referring to from oasis.

from dep-scan.

How do other vendors handle this scenario? Any examples we can find from providers such as redhat?

from dep-scan.

@prabhu I'm afraid I don't know how vendors handle this - according to the generator section, Red Hat's CSAFs are produced using the Red Hat SDEngine, but I don't know any details.

The CSAF 2.0 schema is clear that it must be unique entries and there isn't any reason to store the exact same thing twice for the same vulnerability anyway. It doesn't have to be unique across the whole document, just in the ids attached per vulnerability. There's really only two ways to deal with this issue - either prevent duplicate IDs from being generated in the first place from the reference list, or remove them afterwards. The latter is quicker.

Here's Red Hat's Issues in SDEngine's CSAF implementation of advisories issue tracker

from dep-scan.

Does this tool help? Perhaps the product tree is used to link to all products that are related to the given vulnerability?

https://secvisogram.github.io/?tab=EDITOR

from dep-scan.

@prabhu This is unrelated to the product tree. The entries duplicated are in vulnerabilities, and their only fields are system_name and text - for the system that created the id, and the id itself, respectively. You can look at the test for format_references in test_csaf.py for examples of what this data looks like.

from dep-scan.