Issues reported are for when something is published, not when patches were released

[wdormann]

As an example, CVE-2022-30190 was patched in June 2022.
However, running patch_review.py 2022-jun will report no mention of it. Why?
Well, MSRC lists "it" as being released in May rather than June. "It" being something said about the vulnerability, not the updates themselves.

I suspect that users of patch_review.py may expect the tool to list what updates are released in the specified month. Not what bulletins.

[tmlgcq]

The issue seems to be related to the MSRC API and the nature of the information contained therein. The script patch_review.py pulls data from the API, which may not align perfectly with the patch release dates.

In the case of CVE-2022-30190, it seems that the vulnerability was disclosed or reported in May, but the patch was not released until June. The MSRC data, and therefore the patch_review.py script, appears to track the disclosure dates rather than the patch release dates. I agree this discrepancy would confuse users expecting to see patch release dates.

To address this issue, the script would need to pull data from a source that accurately tracks patch release dates.

Another possibility might be to modify the script to pull data for a range of months rather than a specific month to ensure that all relevant patches are included. For example, if you're looking at June, you might pull data for May, June, and July. This is not a perfect solution, as it could include some patches that weren't released in June, but it would help ensure you're not missing any patches.

If you haven't already, you might look at the MS Powershell module, which already seems to have some of your desired functionality. https://github.com/Microsoft/MSRC-Microsoft-Security-Updates-API/blob/main/src/README.md