From baa0e897b2bb605d33098f421311eccdfea6fb85 Mon Sep 17 00:00:00 2001
From: Kota Kanbe
Date: Mon, 26 Mar 2018 22:29:14 +0900
Subject: [PATCH] fix: a bug of diff logic when multiple oval defs found for a certain CVE-ID and same updated_at (#627)

* fix: a bug of diff logic when multiple oval-defs hav certain CVE-ID and same updated_at

Commented out beause a bug of diff logic when multiple oval defs has certain CVE-ID and same updated_at. If these OVAL defs have different affected packages, this logic detects not-updated-CVE-ID as updated. This logic will be uncommented after integration with ghost https://github.com/knqyf263/gost
---
 report/util.go | 11 ++++++++---
 scan/debian_test.go | 16 ++++++++--------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/report/util.go b/report/util.go
index 1dfa27b9..81c35f05 100644
--- a/report/util.go
+++ b/report/util.go
@@ -347,9 +347,14 @@ func getDiffCves(previous, current models.ScanResult) models.VulnInfos {
 if isCveInfoUpdated(v.CveID, previous, current) {
 updated[v.CveID] = v
 util.Log.Debugf("updated: %s", v.CveID)
- } else if isCveFixed(v, previous) {
- updated[v.CveID] = v
- util.Log.Debugf("fixed: %s", v.CveID)
+
+ // TODO commented out beause a bug of diff logic when multiple oval defs found for a certain CVE-ID and same updated_at
+ // if these OVAL defs have different affected packages, this logic detects as updated.
+ // This logic will be uncommented after integration with ghost https://github.com/knqyf263/gost
+ // } else if isCveFixed(v, previous) {
+ // updated[v.CveID] = v
+ // util.Log.Debugf("fixed: %s", v.CveID)
+
 } else {
 util.Log.Debugf("same: %s", v.CveID)
 }
diff --git a/scan/debian_test.go b/scan/debian_test.go
index aeab1269..02384125 100644
--- a/scan/debian_test.go
+++ b/scan/debian_test.go
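Review bot: With the `isCveFixed` branch commented out, a CVE that was present in `previous` and no longer in `current` now falls through to the final `else` and is logged as `same`, so diff-mode output silently loses the "fixed" signal instead of surfacing the known limitation; the added TODO should state that user-visible effect, e.g. `// NOTE: diff mode currently does not report CVEs fixed since the previous scan (see TODO below)`. The same comment misspells "beause" and calls the project "ghost" while the URL points to gost, which is worth correcting since the note will outlive this change. If nothing else in the package references `isCveFixed`, staticcheck's unused-code check (U1000) will flag it once this lands; either remove it or keep it exercised from a test so the disabled logic does not rot. The stray blank `+` line before `} else {` adds nothing and can go. getDiffCves starts and ends outside the hunk.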
@@ -160,10 +160,10 @@ systemd (228-5) unstable; urgency=medium`,
 util-linux (2.27-3ubuntu1) xenial; urgency=medium`,
 },
 []DetectedCveID{
- // {"CVE-2015-2325", models.ChangelogLenientMatch},
- // {"CVE-2015-2326", models.ChangelogLenientMatch},
- // {"CVE-2015-3210", models.ChangelogLenientMatch},
- // {"CVE-2016-1000000", models.ChangelogLenientMatch},
+ // {"CVE-2015-2325", models.ChangelogLenientMatch},
+ // {"CVE-2015-2326", models.ChangelogLenientMatch},
+ // {"CVE-2015-3210", models.ChangelogLenientMatch},
+ // {"CVE-2016-1000000", models.ChangelogLenientMatch},
 },
 models.Changelog{
 // Contents: `util-linux (2.27.1-3ubuntu1) xenial; urgency=medium
@@ -196,10 +196,10 @@ systemd (228-5) unstable; urgency=medium`,
 util-linux (2.27-3) xenial; urgency=medium`,
 },
 []DetectedCveID{
- // {"CVE-2015-2325", models.ChangelogLenientMatch},
- // {"CVE-2015-2326", models.ChangelogLenientMatch},
- // {"CVE-2015-3210", models.ChangelogLenientMatch},
- // {"CVE-2016-1000000", models.ChangelogLenientMatch},
+ // {"CVE-2015-2325", models.ChangelogLenientMatch},
+ // {"CVE-2015-2326", models.ChangelogLenientMatch},
+ // {"CVE-2015-3210", models.ChangelogLenientMatch},
+ // {"CVE-2016-1000000", models.ChangelogLenientMatch},
 },
 models.Changelog{
 // Contents: `util-linux (2.27.1-3ubuntu1) xenial; urgency=medium