
fix(redhat): parse package_state for unfixed vulns #116

Open: wants to merge 1 commit into base: main

Conversation

@DmitriyLewen (Contributor) commented Feb 3, 2025

Description

RedHat uses affected_release and package_state for packages.
We currently only analyze the affected_release array.

That's why we only show fixed vulnerabilities (see aquasecurity/trivy#8337).

We need to analyze package_state to show unpatched vulnerabilities.

Example (https://avd.aquasec.com/nvd/2024/cve-2024-12705/):
Before:
[image]

After:
[image]
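As an added illustration (not code from this PR or from the AVD project), here is a parser that reads both arrays and emits one row per fixed release from `affected_release` and one row per unfixed entry from `package_state`, which is the data the old logic dropped. The field names (`product_name`, `package`, `advisory`, `package_name`, `fix_state`) are assumed to follow the shape of the Red Hat Security Data API CVE JSON; the sample record and the `split_nevr` helper are constructed for this example.

```python
import json

# Constructed sample record (illustrative values, not real Red Hat data) in the
# assumed shape of the Red Hat Security Data API CVE JSON: "affected_release"
# lists releases that shipped a fix, "package_state" lists per-product fix status.
SAMPLE_CVE = json.dumps({
    "name": "CVE-0000-00000",  # placeholder identifier
    "affected_release": [
        {"product_name": "Red Hat Enterprise Linux 9", "advisory": "RHSA-0000:0000",
         "package": "bind-32:9.16.23-18.el9_4.6", "cpe": "cpe:/a:redhat:enterprise_linux:9"},
        {"product_name": "Red Hat Enterprise Linux 9", "advisory": "RHSA-0000:0001",
         "package": "bind-dyndb-ldap-11.9-6.el9", "cpe": "cpe:/a:redhat:enterprise_linux:9"},
    ],
    "package_state": [
        {"product_name": "Red Hat Enterprise Linux 8", "fix_state": "Affected",
         "package_name": "bind", "cpe": "cpe:/o:redhat:enterprise_linux:8"},
        {"product_name": "Red Hat Enterprise Linux 7", "fix_state": "Out of support scope",
         "package_name": "bind", "cpe": "cpe:/o:redhat:enterprise_linux:7"},
        {"product_name": "Red Hat Enterprise Linux 9", "fix_state": "Not affected",
         "package_name": "bind9.18", "cpe": "cpe:/o:redhat:enterprise_linux:9"},
    ],
})

# package_state values that mean "vulnerable, no fix shipped" and should be surfaced.
UNFIXED_STATES = {"Affected", "Fix deferred", "Will not fix", "Out of support scope"}


def split_nevr(package: str) -> tuple[str, str]:
    """Hypothetical helper: split 'name-[epoch:]version-release' at the first '-'
    followed by a digit, so hyphenated names such as bind-dyndb-ldap stay intact."""
    parts = package.split("-")
    for i in range(1, len(parts)):
        if parts[i][:1].isdigit():
            return "-".join(parts[:i]), "-".join(parts[i:])
    return package, ""


def parse_advisories(raw: str) -> list[dict]:
    data = json.loads(raw)
    rows = []
    for rel in data.get("affected_release", []):  # fixed: entry carries the fixed NEVR
        name, version = split_nevr(rel.get("package", ""))
        rows.append({"product": rel["product_name"], "package": name,
                     "fixed_version": version, "state": "fixed"})
    for st in data.get("package_state", []):      # unfixed: status only, no version
        if st.get("fix_state") in UNFIXED_STATES:
            rows.append({"product": st["product_name"], "package": st["package_name"],
                         "fixed_version": None, "state": st["fix_state"]})
    return rows
```

Entries whose `fix_state` is "Not affected" (or "Under investigation") are deliberately left out, since they carry no affected-version claim.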

@DmitriyLewen DmitriyLewen self-assigned this Feb 3, 2025
@DmitriyLewen DmitriyLewen marked this pull request as ready for review February 3, 2025 12:01
@DmitriyLewen (Contributor Author)

@knqyf263 @simar7 @itaysk
I fixed the problem with missing RedHat advisories.

But there is a problem with the columns.
It seems that the current columns are not suitable for RedHat/Ubuntu advisories.
Example:
[image]
Ubuntu (current logic):
[image]
RedHat from affected_release (current logic):
[image]
RedHat from package_state (logic from this PR):
[image]

I think we need to choose one logic for advisories now. And later, maybe think about changing the column names.
e.g.:
<pkg_name> - Ubuntu/RedHat - <os_release_name> - *
But for RedHat from affected_release it doesn't look very good, in my opinion.
The package name (with version) is more suitable for the start version column.

I am open to suggestions 👍

@DmitriyLewen DmitriyLewen requested a review from itaysk February 3, 2025 12:10
@knqyf263 (Contributor) commented Feb 3, 2025

Thanks @DmitriyLewen for the investigation. Do we want to keep this section maintained in the first place? There are a lot of vendors. Even if we show Ubuntu and Red Hat for CVE-2024-12705, it won't be correct. All other vendors providing BIND9, such as Oracle, Debian, Alma Linux, Rocky Linux and Azure Linux, are probably affected.

@DmitriyLewen (Contributor Author) commented Feb 3, 2025

I'm not sure if it's worth removing redhat and ubuntu advisories:

  • If we remove them, then only advisories for language files will remain, and many advisory pages will be "empty".
  • I'd rather add these vendors (but then maybe some pages will be too big, if we don't change anything and just add them) so that avd is more like nvd.

@knqyf263 (Contributor) commented Feb 3, 2025

> if we remove them, then only advisories for language files will remain and for many advisory pages will be "empty"

I meant this section, "Affected Software". Does it look bad if we remove the section? The other sections, such as description and mitigation, will remain.

@simar7 (Member) commented Feb 3, 2025

> if we remove them, then only advisories for language files will remain and for many advisory pages will be "empty"
>
> I meant this section, "Affected Software". Does it look bad if we remove the section? The other sections, such as description and mitigation, will remain.

I don't know if we can answer this question reliably without knowing how the product uses this information (if at all). cc @itaysk

Personally, I would support removing this section as well because as @DmitriyLewen already pointed out this information isn't standardized across distros. It's quite possible that we would have to add others and they will not be a good match with existing columns.

It's also not quite reliable IMO as many times there's not enough information published by the vendor regarding start and end versions. In such a case we represent using * to imply all.

@DmitriyLewen (Contributor Author)

I looked at the vulnerability pages again with a "fresh head".

You are probably right and this section should be removed because it rather raises more questions and confusion than provides information for users.

@knqyf263 (Contributor) commented Feb 4, 2025

Actually, @simar7 is correct. We need to check with the product team. They might be using this section heavily.

Another option is to show only information from organizations that are not software vendors (e.g., NVD). NVD is supposed to show upstream software names (BIND9 in this example). However, NVD is now delayed and doesn't enrich vulnerabilities. If we really need to show affected software, we can take such information from vulnrichment maintained by CISA.
https://github.com/cisagov/vulnrichment/blob/dc7875187bd16d5239caba05f35436bfcc7becfc/2024/12xxx/CVE-2024-12705.json#L77
