Curious how to consider purl <-> Vulnerability associations with arch=source qualifiers

[alistair-mclean]

Hello 👋

I have a few questions regarding purl structures, and how they relate to their affected vulnerabilities.

In using your dataset, I've noticed most of the purl associations are tied to purls containing arch=source qualifiers.

To my understanding, this means the package is uncompiled.

1. Would this mean that a compiled version of a package that is considered affected by a vulnerability, would not be affected if it is compiled? I presume architecture specific compilations may or may not cause a package to be applicable to a given vulnerability.

2. Why is it that nearly all of the packages that are affected are arch=source packages?

3. How are these arch=source associations determined? For example, CVE-2002-2443 considers the package krb5 affected using the purl: pkg:deb/ubuntu/[email protected]+dfsg-3ubuntu2?arch=source&distro=trusty. That purl contains the fixed version, and in the entry for UBUNTU-CVE-2002-2443.json the affected version is 1.10.1+dfsg-6.1ubuntu1.

Thanks in advance!

[another-rex]

The arch=source just means the package.name and version refers to the source package, not the binary package. Let's take curl for example: https://launchpad.net/ubuntu/+source/curl this is the link to the source package, and you can see multiple binary packages (what you install with apt install listed under it (curl, curl-dbgsym, libcurl4-openssl-dev...). And looking at a OSV entry: https://osv.dev/vulnerability/USN-5495-2, the package name there refers to the source. For Ubuntu advisories, the database specific field lists the binary packages.

1. No, it means all architectures it compiles to are affected. We generally don't have architecture specific advisory records.
2. Because most vulnerabilities are not architecture specific
3. Answered above I believe.

Let us know if you have any further questions!

[alistair-mclean]

Thank you! This is very helpful 😄