Hi OSV team,
I noticed that OSV contains two types of CVE-related vulnerability records:
Could you please clarify the difference between these?
My understanding:
CVE-* represents the general vulnerability record.
DEBIAN-CVE-* represents Debian-specific vulnerability data from the Debian Security Tracker, including Debian package affected versions and fixes.
Questions:
- Should
CVE-* and DEBIAN-CVE-* be considered the same vulnerability from different sources?
- How should consumers handle duplicates when both are returned by OSV?
- For Debian packages, should
DEBIAN-CVE-* be preferred over the generic CVE-*?
Thanks!
Hi OSV team,
I noticed that OSV contains two types of CVE-related vulnerability records:
CVE-*DEBIAN-CVE-*Could you please clarify the difference between these?
My understanding:
CVE-*represents the general vulnerability record.DEBIAN-CVE-*represents Debian-specific vulnerability data from the Debian Security Tracker, including Debian package affected versions and fixes.Questions:
CVE-*andDEBIAN-CVE-*be considered the same vulnerability from different sources?DEBIAN-CVE-*be preferred over the genericCVE-*?Thanks!