Covering Linux-related vulnerability data introduces additional challenges, as there are many different distributions, packages, and maintainers. We use different approaches to assign such entries depending on the maintainer and/or affected component.
- If a Linux vulnerability is generic, then it is assigned to Linux Kernel as the product.
- If a Linux vulnerability affects a specific distribution only, we assign it to the distribution (and not to the generic Linux Kernel), for example the Red Hat Enterprise Linux or Debian Linux entries.
- If a Linux vulnerability affects specific architectures (e.g. x86, x64), the entry uses the field `software_platform` accordingly. ID 150513 for example.
- If a package is affected in general, we assign it to the specific package. sudo for example.
- If a package is maintained by a specific Linux distribution, we assign the distribution name to the field `software_vendor` and the affected package to the field `software_name`. ID 109304 for example.
- If a package on a certain distribution is affected but not maintained by the distribution itself, we assign it to the specific package but define the field `software_platform` accordingly (e.g. ISC BIND on Red Hat). ID 100949 for example.
- If a package affects multiple distributions but not all of them, we assign it to the specific package and add the affected distributions to the field `software_affectedlist`. ID 67685 for example.
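
How a consumer of such entries might apply these rules when matching them against a host inventory, as an added example (not code from this page or its maintainers). The four field names are the ones above; the dict layout, the entry values and IDs, and the `DISTROS` and `KERNEL` constants are constructed assumptions.

```python
# Added example: field names come from the page; every value below is constructed.
DISTROS = {"Red Hat", "Debian", "Ubuntu"}   # assumed distribution vendor names
KERNEL = ("Linux", "Kernel")                # assumed encoding of the generic kernel product

def applies(entry, host):
    """Return True if an entry filed under the rules above is relevant to host."""
    # software_platform narrows an entry to an architecture or to a distribution.
    platform = entry.get("software_platform")
    if platform and platform not in (host["arch"], host["vendor"]):
        return False
    # software_affectedlist names the affected distributions when only some are.
    affected = entry.get("software_affectedlist")
    if affected and host["vendor"] not in affected:
        return False
    vendor, name = entry["software_vendor"], entry["software_name"]
    if (vendor, name) == KERNEL:
        return True  # generic kernel entry: relevant to every Linux host
    if vendor in DISTROS:
        # Distribution entry or distribution-maintained package: vendor must be ours.
        return vendor == host["vendor"] and (name == host["product"] or name in host["packages"])
    return name in host["packages"]  # package filed under its own upstream vendor

def relevant_ids(entries, host):
    return [e["id"] for e in entries if applies(e, host)]

# Constructed host inventory record.
HOST = {"vendor": "Red Hat", "product": "Enterprise Linux",
        "arch": "x64", "packages": {"BIND", "sudo"}}

# Constructed entries, one per assignment rule (IDs are placeholders).
ENTRIES = [
    {"id": "ex-1", "software_vendor": "Linux", "software_name": "Kernel"},
    {"id": "ex-2", "software_vendor": "Red Hat", "software_name": "Enterprise Linux"},
    {"id": "ex-3", "software_vendor": "Debian", "software_name": "Linux"},
    {"id": "ex-4", "software_vendor": "Linux", "software_name": "Kernel", "software_platform": "x86"},
    {"id": "ex-5", "software_vendor": "ExampleUpstream", "software_name": "sudo"},
    {"id": "ex-6", "software_vendor": "Debian", "software_name": "sudo"},
    {"id": "ex-7", "software_vendor": "ISC", "software_name": "BIND", "software_platform": "Red Hat"},
    {"id": "ex-8", "software_vendor": "ExampleUpstream", "software_name": "sudo",
     "software_affectedlist": ["Debian", "Ubuntu"]},
]

if __name__ == "__main__":
    print(relevant_ids(ENTRIES, HOST))
```

Filtering on `software_name` alone would also return ex-4, ex-6 and ex-8 for this host, which is why the vendor, platform and affected-list fields have to be checked together.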