DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Not all CVEs listed for Linux Kernel #1894

Open lauclld opened 2 years ago

lauclld commented 2 years ago

Current Behavior:

I've been running Dependency-Track v4.5.0 and, as a follow-up to https://github.com/DependencyTrack/dependency-track/issues/416, I've added this same component to my project and it still does not find all CVEs (only 41, where NIST lists 1'825).

Steps to Reproduce:

Enter Linux Kernel component with CPE: cpe:2.3:o:linux:linux_kernel:4.4.6:::::::* [image]

41 CVEs listed: [image]

Expected Behavior:

Number of CVEs reported should be 1'825 (see https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&isCpeNameSearch=true&seach_type=all&query=cpe:2.3:o:linux:linux_kernel:4.4.6:::::::*)

Environment:

Additional Details:

N/A

jerrylogansquare commented 2 years ago

Our DT 4.5 comes up with 486 vulns, but NVD shows 1195. Also saw the same on DT 4.6.2.

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&isCpeNameSearch=true&seach_type=all&query=cpe:2.3:o:linux:linux_kernel:5.4.154:::::::*

JN-CSIRT commented 1 year ago

Is there any news? We have the same issue: Linux Kernel 5.10.41 - cpe:2.3:o:linux:linux_kernel:5.10.41::::::: DT (version 4.6.2) shows only 377 CVEs instead of the 1017 listed by NVD: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=cpe%3A2.3%3Ao%3Alinux%3Alinux_kernel%3A5.10.41%3A%3A%3A%3A%3A%3A%3A&search_type=all&isCpeNameSearch=true

nscuro commented 1 year ago

A large chunk of the discrepancies is likely to stem from how the NVD search works.

Cross-posting from https://github.com/DependencyTrack/dependency-track/pull/1929#issuecomment-1743579226:
Looking at cpe:2.3:o:linux:linux_kernel:5.15.71:*:*:*:*:*:*:* (from https://github.com/DependencyTrack/dependency-track/issues/2580#issuecomment-1691334865), the NVD does report significantly more CVEs (835 vs. 405 reported by DT).

However, the NVD search results include CVEs where the Linux Kernel is merely mentioned as a "Running On" configuration, and the vulnerable component is completely different:

https://nvd.nist.gov/vuln/detail/CVE-2016-8963

[image]

I'd argue that DT is doing the right thing in not reporting those.
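To make the distinction in the comment above concrete, here is an added example (not part of this issue and not Dependency-Track's own matching code) that walks NVD API 2.0 `configurations` data for a target CPE and separates CVEs where the kernel is the vulnerable product from those where it only appears as a "Running On/With" platform entry (`vulnerable: false`). The CVE records, their ids and the `example:agent` CPE are constructed sample data; CPE field matching is simplified (no escape handling).

```python
# Classify NVD API 2.0 "configurations": is the target CPE a vulnerable product, or only
# a "Running On/With" platform entry (vulnerable: false) for some other vulnerable component?

def parse_cpe(cpe: str) -> list[str]:
    """Split a cpe:2.3 string into its 11 attribute fields (no escape handling)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a cpe:2.3 string: {cpe}")
    return parts[2:]

def vkey(v: str) -> tuple[int, ...]:
    """Numeric key for dotted kernel versions, so 5.10.41 sorts below 5.10.100."""
    return tuple(int(x) for x in v.split(".") if x.isdigit())

def cpe_match_applies(m: dict, target: str) -> bool:
    """True if one NVD cpeMatch entry (criteria plus optional version range) covers target."""
    tgt = parse_cpe(target)
    if any(c not in ("*", t) for c, t in zip(parse_cpe(m["criteria"]), tgt)):
        return False  # a literal field differs; '*' in the criteria means ANY
    v = vkey(tgt[3])  # field 3 of the 11 is the version
    lo, hi_ex, hi_in = (m.get(k) for k in
                        ("versionStartIncluding", "versionEndExcluding", "versionEndIncluding"))
    return not ((lo and v < vkey(lo)) or (hi_ex and v >= vkey(hi_ex)) or (hi_in and v > vkey(hi_in)))

def classify(cve: dict, target: str) -> str:
    """'vulnerable' if a matching entry has vulnerable=true; 'platform' if target only matches
    vulnerable=false (Running On/With) entries, which DT does not report; else 'none'."""
    platform_only = False
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if cpe_match_applies(m, target):
                    if m.get("vulnerable"):
                        return "vulnerable"
                    platform_only = True
    return "platform" if platform_only else "none"

KERNEL = "cpe:2.3:o:linux:linux_kernel:5.15.71:*:*:*:*:*:*:*"  # the CPE discussed above
ANY_KERNEL = "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
APP = "cpe:2.3:a:example:agent:1.0:*:*:*:*:*:*:*"  # hypothetical application CPE
SAMPLE_CVES = [  # constructed records in NVD API 2.0 shape; ids and data are not real
    {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": ANY_KERNEL, "versionEndExcluding": "5.15.80"}]}]}]},
    {"id": "CVE-0000-0002", "configurations": [{"operator": "AND", "nodes": [  # app is vulnerable,
        {"operator": "OR", "cpeMatch": [{"vulnerable": True, "criteria": APP}]},     # kernel is only
        {"operator": "OR", "cpeMatch": [{"vulnerable": False, "criteria": ANY_KERNEL}]}]}]},  # the platform
    {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": ANY_KERNEL, "versionStartIncluding": "6.0"}]}]}]},
]
```

Running `classify(cve, KERNEL)` over the three samples yields `vulnerable`, `platform` and `none` respectively, which is the kind of split a raw NVD CPE-name search does not make.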

Jasper-Ben commented 1 year ago

Can we re-evaluate this issue, once 4.10.0 is released?

This release will contain https://github.com/DependencyTrack/dependency-track/pull/3209, as well as https://github.com/DependencyTrack/dependency-track/pull/3070, which should drastically improve CPE matching.