Currently, for Debian vulnerability data, we do not store all the affected/resolved versions for each of the various distro "releases".
Example:
The following is a JSON snippet taken from the Debian security tracker:
{"mimetex": {
    "CVE-2009-2458": {
        "scope": "remote",
        "debianbug": 537254,
        "description": "Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX",
        "releases": {
            "stretch": {
                "status": "resolved",
                "repositories": {"stretch": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "jessie": {
                "status": "resolved",
                "repositories": {"jessie": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "buster": {
                "status": "resolved",
                "repositories": {"buster": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "wheezy": {
                "status": "resolved",
                "repositories": {"wheezy": "1.73-2"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "sid": {
                "status": "resolved",
                "repositories": {"sid": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"}}},
    "CVE-2009-2459": {
        "scope": "un-remote",
        "debianbug": 537254,
        "description": "Multiple unspecified vulnerabilities in mimeTeX.",
        "releases": {
            "stretch": {
                "status": "resolved",
                "repositories": {"stretch": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "jessie": {
                "status": "not-resolved",
                "repositories": {"jessie": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "buster": {
                "status": "resolved",
                "repositories": {"buster": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "wheezy": {
                "status": "resolved",
                "repositories": {"wheezy": "1.73-2"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"},
            "sid": {
                "status": "resolved",
                "repositories": {"sid": "1.74-1"},
                "urgency": "medium",
                "fixed_version": "1.50-1.1"}}}}}
[
    {
        'fixed_version': '1.50-1.1',
        'package_name': 'mimetex',
        'status': 'resolved',
        'urgency': 'medium',
        'vulnerability_id': 'CVE-2009-2458',
        'description': 'Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX'
    },
    {
        'fixed_version': '1.50-1.1',
        'package_name': 'mimetex',
        'status': 'not-resolved',
        'urgency': 'medium',
        'vulnerability_id': 'CVE-2009-2459',
        'description': 'Multiple unspecified vulnerabilities in mimeTeX.'
    }
]
As we can clearly see, the affected/resolved versions for each of the various distro "releases" are not stored.
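One way to keep the per-release data, shown as an added example rather than the project's own importer code: it emits one record per (package, vulnerability, release) instead of one per vulnerability. The function name `extract_release_records`, the `release` and `repository_version` field names, and the trimmed `SAMPLE` (two releases per CVE, cut down from the snippet above) are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed copy of the tracker snippet quoted in this issue.
SAMPLE = json.loads("""
{"mimetex": {
  "CVE-2009-2458": {
    "description": "Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX",
    "releases": {
      "jessie": {"status": "resolved", "repositories": {"jessie": "1.74-1"},
                 "urgency": "medium", "fixed_version": "1.50-1.1"},
      "wheezy": {"status": "resolved", "repositories": {"wheezy": "1.73-2"},
                 "urgency": "medium", "fixed_version": "1.50-1.1"}}},
  "CVE-2009-2459": {
    "description": "Multiple unspecified vulnerabilities in mimeTeX.",
    "releases": {
      "jessie": {"status": "not-resolved", "repositories": {"jessie": "1.74-1"},
                 "urgency": "medium", "fixed_version": "1.50-1.1"},
      "wheezy": {"status": "resolved", "repositories": {"wheezy": "1.73-2"},
                 "urgency": "medium", "fixed_version": "1.50-1.1"}}}}}
""")


def extract_release_records(tracker_data):
    """Yield one record per (package, vulnerability, release).

    Hypothetical helper: keeps the release name, its status, the version
    shipped in that release's repository and the fixed version, instead of
    collapsing every release into a single record per vulnerability.
    """
    for package_name, vulnerabilities in tracker_data.items():
        for vulnerability_id, details in vulnerabilities.items():
            for release, info in details.get("releases", {}).items():
                yield {
                    "package_name": package_name,
                    "vulnerability_id": vulnerability_id,
                    "description": details.get("description", ""),
                    "release": release,
                    "status": info.get("status"),
                    "urgency": info.get("urgency"),
                    "fixed_version": info.get("fixed_version"),
                    "repository_version": info.get("repositories", {}).get(release),
                }


if __name__ == "__main__":
    for record in extract_release_records(SAMPLE):
        print(record["vulnerability_id"], record["release"], record["status"],
              record["repository_version"], record["fixed_version"])
```

With records keyed this way, the `not-resolved` status of CVE-2009-2459 stays attached to `jessie` only, and the differing repository version in `wheezy` is preserved.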