
Inconsistent data between security tracker and debsecan



Hi,

I noticed that debsecan is not reporting some CVEs. For example, https://security-tracker.debian.org/tracker/source-package/faad2 shows 10 vulnerabilities but debsecan reports 8. As far as I can tell, CVE-2021-32272 and CVE-2021-32273 are not associated with faad2 in the debsecan data.

I could be wrong, but I think they were being reported earlier this month, so maybe the changes introduced with 1458892d and b7b3e59f are confusing the generator of the debsecan data.

This is how I tested:

# cat status 
Package: libfaad2
Priority: optional
Status: install ok installed
Section: libs
Installed-Size: 529
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Architecture: amd64
Source: faad2
Version: 2.8.8-3
Replaces: libfaad2-0
Depends: libc6 (>= 2.14)
Conflicts: libfaad2-0

# debsecan --status=status 
CVE-2018-20196 libfaad2 (low urgency)
CVE-2018-20199 libfaad2 (low urgency)
CVE-2018-20360 libfaad2 (low urgency)
CVE-2019-6956 libfaad2
CVE-2021-32274 libfaad2
CVE-2021-32276 libfaad2
CVE-2021-32277 libfaad2
CVE-2021-32278 libfaad2

