cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

Dashes ( - ) in Generated CPE strings #2

Closed jgamblin closed 1 month ago

jgamblin commented 2 months ago

🐛 Summary

I am noticing a lot of dashes (-) in the generated CPE strings.

An example is in CVE-2024-1347 with the CPE of "cpe": "cpe:2.3:a:gitlab:gitlab:-:*:*:*:-:*:*:*". According to the CPE specification, the value NA binds to a single hyphen (Specification, page 20), which would mean the version doesn't matter and all versions are vulnerable.

Expected behavior

The correct string for this CPE would be:

```json
{
  "cpe": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*",
  "vendor": "gitlab",
  "product": "gitlab",
  "versions": [
    {
      "status": "affected",
      "version": "16.11"
    }
  ],
  "defaultStatus": "unknown"
}
```

You could then infer the vulnerable versions from the affected version's data.
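An added example, not code from the vulnrichment repository, that parses a CPE 2.3 formatted string into its eleven named components and flags NA ("-") bindings that conflict with the affected-version data in the same record; the sample record and the helper names are constructed for illustration.

```python
import re

# Component order defined by the CPE 2.3 formatted-string binding
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named components.
    A colon escaped with a backslash is part of a value, not a separator."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} components, got {len(parts)}")
    return dict(zip(CPE_FIELDS, parts))


def na_fields(cpe: str) -> list:
    """Names of the components bound to NA (a single hyphen)."""
    return [name for name, value in parse_cpe23(cpe).items() if value == "-"]


def lint_affected(entry: dict) -> list:
    """Data-quality findings for one affected-product entry (constructed helper).
    A version bound to NA while affected versions are listed is the error
    described in this issue; other NA bindings are reported for review."""
    findings = []
    comps = parse_cpe23(entry["cpe"])
    has_affected = any(v.get("status") == "affected" for v in entry.get("versions", []))
    if comps["version"] == "-" and has_affected:
        findings.append("version is NA ('-') but affected versions are listed; expected '*' (ANY)")
    for name in na_fields(entry["cpe"]):
        if name != "version":
            findings.append(f"{name} is NA ('-'); confirm this is intended rather than '*'")
    return findings


# Constructed sample mirroring the CVE-2024-1347 entry quoted above
SAMPLE_ENTRY = {
    "cpe": "cpe:2.3:a:gitlab:gitlab:-:*:*:*:-:*:*:*",
    "vendor": "gitlab",
    "product": "gitlab",
    "versions": [{"status": "affected", "version": "16.11"}],
    "defaultStatus": "unknown",
}

if __name__ == "__main__":
    for finding in lint_affected(SAMPLE_ENTRY):
        print(finding)
```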

todb-cisa commented 2 months ago

Thanks @jgamblin ! ACK'ed. I suspect there's some upstream pollution, but we'll check it out.

amanion-cisa commented 2 months ago

See also: https://jerrygamblin.com/2021/07/23/tracking-cpe-data-quality-issues/

amanion-cisa commented 1 month ago

As best I understand, single hyphen '-' means "not applicable" which means... that there is not applicable version for an entry? I believe the short answer is to always use '*' (or '::') as a wildcard, unless there is some specific and correct reason to use '-'.

We should check upstream Microsoft CPE data. I've had at least one discussion with them about using '-'.

jgamblin commented 1 month ago

@amanion-cisa that is also my understanding of the correct way to use the -. Thanks for looking into it.

patrickmgarrity commented 1 month ago

Just came across a CVE w/ version using "-" instead of "*" https://github.com/cisagov/vulnrichment/blob/386eaafcb58e104e148607377e8a9cec0e9de26c/2023/51xxx/CVE-2023-51365.json#L5

todb-cisa commented 1 month ago

In general, we should have fixed all the errant dashes-instead-of-stars, but there are a few (like the one @patrickmgarrity pointed out) that are actually in the NVD dictionary, and we're loathe to make edits here that conflict with that upstream source.

Check it out: https://nvd.nist.gov/products/cpe

If you run across new ones, and they're not in the dictionary, then please open a new issue!