compute_content_id_v2 Produces Identical Hashes for Different Advisory IDs

[ziadhany]

vulnerablecode/vulnerabilities/utils.py

Line 690 in 7975a38

elif isinstance(advisory_data, AdvisoryDataV2):

The input for the compute_content_id_v2 function is aliases, summary, affected_packages, references, severities, weaknesses, and patches.

Let’s say we have two AdvisoryDataV2 obj with the same severities but different advisory_id values. Since we don’t have aliases and advisory_id is not part of compute_content_id_v2, it will produce the same hash, which leads to ignoring these vulnerabilities.

Suse Scores data example:

CVE-2022-50034:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-50035:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

yield AdvisoryDataV2(
    advisory_id="CVE-2022-50034",
    aliases=[],
    severities=severities,
    references=[],
    url=self.url,
)

[TG1999]

aliases is already a part of computation of content ID, also even if the content ID is same. We have a unique together on advisory ID, data source ID and content ID. So even if we have same content ID we should have stored all advisories distinctively ?