Skip to content

Clarification on difference between CVE and DEBIAN-CVE records in OSV #5616

Description

@SURENKUMAR-0212

Hi OSV team,

I noticed that OSV contains two types of CVE-related vulnerability records:

  • CVE-*
  • DEBIAN-CVE-*

Could you please clarify the difference between these?

My understanding:

  • CVE-* represents the general vulnerability record.
  • DEBIAN-CVE-* represents Debian-specific vulnerability data from the Debian Security Tracker, including Debian package affected versions and fixes.

Questions:

  1. Should CVE-* and DEBIAN-CVE-* be considered the same vulnerability from different sources?
  2. How should consumers handle duplicates when both are returned by OSV?
  3. For Debian packages, should DEBIAN-CVE-* be preferred over the generic CVE-*?

Thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    data qualityIssues with data quality

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions