DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Adding new hardware component without having a CPE assigned #1413

Open ajeshkc1 opened 2 years ago

ajeshkc1 commented 2 years ago


Current Behavior:

We need to enter the complete CPE id (cpe:2.3:h-------) to get the CVEs reported against a particular hardware component. This is the case with components whose affected configuration has only hardware in it (only cpe:2.3:h), e.g. https://nvd.nist.gov/vuln/detail/CVE-2017-5754, CPE id: cpe:2.3:h:intel:atom_c:c2308:::::::*

Proposed Behavior:

Currently DT is unable to track future CVEs on hardware components, which may be reported later, if there is no CPE id assigned already. This is the case with hardware components which don't have any CVEs reported yet.

e.g. Adding a hardware component, say 'stm32l5' or 'stm32U5', which doesn't have any CVEs reported yet. How do we add this component into DT if we don't know the CPE?

stevespringett commented 2 years ago

You're describing a common (and known) issue with CPE, which are typically only created when the first vulnerability is identified for software/hardware. If a specific software/hardware does not yet have a vulnerability, it will typically not have a CPE. Therefore, it is not possible to proactively monitor components for vulnerabilities. This chicken/egg issue is widely known and is one of the primary reasons the NVD has deprecated CPE. However, SWID (the proposed CPE replacement) has not yet been operationalized in the NVD and is specific to software, so it is likely unable to work for hardware use cases.

As long as the NVD continues to only support CPE, it will be difficult to monitor components for vulnerabilities that do not already have a CPE. IMO, if the NVD is to remain relevant, they need to support Package URL (purl), SWID, CPE, along with GS1 identifiers commonly used for physical devices. My recommendation would be to provide that feedback to the NVD.