Hi, I noticed that debsecan is not reporting some CVEs. For example, https://security-tracker.debian.org/tracker/source-package/faad2 shows 10 vulnerabilities but debsecan reports 8. As far as I can tell, CVE-2021-32272 and CVE-2021-32273 are not associated with faad2 in the debsecan data.
I could be wrong, but I think they were being reported earlier this month so maybe the changes introduced with 1458892d and b7b3e59f are confusing the generator of the debsecan data. This is how I tested:

    # cat status
    Package: libfaad2
    Priority: optional
    Status: install ok installed
    Section: libs
    Installed-Size: 529
    Maintainer: Debian Multimedia Maintainers <[email protected]>
    Architecture: amd64
    Source: faad2
    Version: 2.8.8-3
    Replaces: libfaad2-0
    Depends: libc6 (>= 2.14)
    Conflicts: libfaad2-0

    # debsecan --status=status
    CVE-2018-20196 libfaad2 (low urgency)
    CVE-2018-20199 libfaad2 (low urgency)
    CVE-2018-20360 libfaad2 (low urgency)
    CVE-2019-6956 libfaad2
    CVE-2021-32274 libfaad2
    CVE-2021-32276 libfaad2
    CVE-2021-32277 libfaad2
    CVE-2021-32278 libfaad2
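The comparison described in the report can be automated as a regression check. The following is an added example, not part of the original report and not debsecan or security-tracker code. It assumes the tracker data is available as a nested mapping of source package, CVE id and per-release status; the release name `example-release`, the function names and the tracker extract are constructed for illustration.

```python
import re

# debsecan's text output as quoted in the report: "<CVE id> <package> [(flags)]"
LINE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)(?:\s+\((.*)\))?$")

def parse_debsecan(text):
    """Return {cve_id: set of binary packages} parsed from debsecan output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip prompts, blank lines and anything that is not a finding
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def tracker_open_cves(tracker, source, release):
    """CVE ids marked open for one source package in one release (assumed layout)."""
    return {cve for cve, entry in tracker.get(source, {}).items()
            if entry.get("releases", {}).get(release, {}).get("status") == "open"}

def missing_from_debsecan(tracker, source, release, debsecan_text):
    """CVE ids the tracker lists as open but debsecan did not report."""
    reported = set(parse_debsecan(debsecan_text))
    return sorted(tracker_open_cves(tracker, source, release) - reported)

# debsecan output copied from the report above
DEBSECAN_OUTPUT = """\
CVE-2018-20196 libfaad2 (low urgency)
CVE-2018-20199 libfaad2 (low urgency)
CVE-2018-20360 libfaad2 (low urgency)
CVE-2019-6956 libfaad2
CVE-2021-32274 libfaad2
CVE-2021-32276 libfaad2
CVE-2021-32277 libfaad2
CVE-2021-32278 libfaad2
"""

# Constructed tracker extract: the 8 reported ids plus the 2 the report names as
# missing; "example-release" is a placeholder, not a value from the page.
RELEASE = "example-release"
TRACKER_IDS = sorted(parse_debsecan(DEBSECAN_OUTPUT)) + ["CVE-2021-32272", "CVE-2021-32273"]
SAMPLE_TRACKER = {"faad2": {cve: {"releases": {RELEASE: {"status": "open"}}}
                            for cve in TRACKER_IDS}}

if __name__ == "__main__":
    for cve in missing_from_debsecan(SAMPLE_TRACKER, "faad2", RELEASE, DEBSECAN_OUTPUT):
        print("tracker lists it as open, debsecan does not report it:", cve)
```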
