DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Discrepancy in vulnerabilities returned in DTrack and NVD #1198

Open sommersol opened 2 years ago

sommersol commented 2 years ago

We are evaluating DTrack and found a discrepancy in the vulnerabilities returned for cpe:2.3:o:apple:mac_os_x:10.5.6:::::::* : DTrack is returning 1,896 vulnerabilities while NVD shows 1,998 vulns. I have identified a couple of CVEs which are missing in DTrack; they are showing as MODIFIED and waiting for reanalysis, e.g. CVE-2007-0712. There are 2 questions about that: 1) Is MODIFIED and waiting for reanalysis the reason for the missing CVE mentioned above? 2) Is there any other reason for missing CVEs? 3) How can we see all the CVEs associated with a CPE?

stevespringett commented 2 years ago

The last time I checked, the NVD returned results for CPEs that are also affected by other CPEs. Dependency-Track does not do this. It only returns the results for the actual thing the CPE describes.

CVE-2007-0712 should be imported by DT just fine. While CVE-2007-0712 doesn't have a CVSSv3 score, it does have a CVSSv2 score, which is what DT falls back on if v3 isn't available. The only CVEs that DT likely will not import are those marked as 'reserved'.

> how can we see all the cves associated to cpe?

There isn't a direct way to do this in DT. But you can add the component and specify a specific CPE and look at the vulnerabilities that were identified for the component.

If you find a specific CVE that is directly a result of cpe:2.3:o:apple:mac_os_x:10.5.6:::::::* that isn't showing up in DT, please let me know. Without specifics, it's hard to determine if there's a specific issue or not.
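One way to check the maintainer's explanation against your own data is to take the records an NVD CPE query returns and separate the CVEs where the CPE is itself a vulnerable node (what DT matches) from those where it only appears as a non-vulnerable node, which NVD still counts. The script below is an added example, not Dependency-Track code; it assumes the NVD 2.0 API record shape (`configurations` / `nodes` / `cpeMatch`, `metrics` / `cvssMetricV2`), ignores NVD version-range fields, and runs on constructed sample records rather than live NVD data. The CPE from the issue is written out in full CPE 2.3 form.

```python
TARGET = "cpe:2.3:o:apple:mac_os_x:10.5.6:*:*:*:*:*:*:*"  # the CPE from the issue

def cpe_matches(cpe, criteria):
    """Field-wise CPE 2.3 compare; '*' in the criteria matches any value.
    Assumption: version ranges (versionStartIncluding etc.) are not applied."""
    a, b = cpe.split(":"), criteria.split(":")
    return len(a) == len(b) == 13 and all(y in ("*", x) for x, y in zip(a, b))

def classify(cve, cpe):
    """'direct': CPE is a vulnerable match node; 'indirect': referenced only as a
    non-vulnerable node (e.g. running-on platform); 'absent': not referenced."""
    present = vulnerable = False
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if cpe_matches(cpe, m["criteria"]):
                    present = True
                    vulnerable = vulnerable or bool(m.get("vulnerable"))
    return "direct" if vulnerable else "indirect" if present else "absent"

def base_score(cve):
    """Prefer a CVSSv3.x base score and fall back to CVSSv2, as the reply describes."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return key, metrics[key][0]["cvssData"]["baseScore"]
    return None, None

def reconcile(records, cpe):
    """Group CVE ids by how the CPE is referenced; 'indirect' is the NVD-only set."""
    groups = {"direct": [], "indirect": [], "absent": []}
    for rec in records:
        groups[classify(rec["cve"], cpe)].append(rec["cve"]["id"])
    return groups

def _node(criteria, vulnerable):  # one OR node with a single cpeMatch entry
    return {"operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": vulnerable, "criteria": criteria}]}

def _rec(cve_id, nodes, metrics=None):  # minimal NVD 2.0 'vulnerabilities' record
    return {"cve": {"id": cve_id, "metrics": metrics or {},
                    "configurations": [{"nodes": nodes}]}}

SAMPLE = [  # constructed records with placeholder ids, not real NVD entries
    _rec("CVE-2000-0001", [_node(TARGET, True)],
         {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}}]}),  # v2-only score
    _rec("CVE-2000-0002", [_node("cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*", True),
                           _node(TARGET, False)]),  # target only as platform node
    _rec("CVE-2000-0003", [_node("cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", True)]),
]
```

Feeding the real `vulnerabilities` array from an NVD CPE query into `reconcile()` gives the CVE ids in the `indirect` group, which is the set you would expect to see in NVD's count but not in DT's.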