Closed prabhu closed 1 month ago
Possible there are more instances.
Here for example, the vendor used is aio-libs_project
, while NVD has aiohttp
. https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=aiohttp
Thanks so much, @prabhu!
Some explanation, which may or may not address the specific instances you noticed (which we will review!).
CPE strings must match NVD, where possible.
Yes, and this is how the process is designed to work. And...
There is the official NVD CPE Dictionary. First choice. However, even that has matching issues, for example, some xpdf entries use xpdfreader
as the vendor.
Next, there are a number (84K+) of CPE entries in NVD data that are not in the Dictionary (1.2M+). Second choice (use something that exists).
Last choice is to create new CPE. In this sense, we're following the CPE specification, but publishing CPE-compliant data does not get it added to the Dictionary.
Let's be clear, CPE is an attempt to address the wicked problem that is consistently naming all the software. Neither the CPE specification nor existing CPE data can do this, but it's a start, and an existing data set (or sets). There will be errors, and part of this process is to evaluate how CPE or other software identification systems work in practice.
Thank you for reviewing this issue. From an ADP consumer point of view, 1 and 2 are straight forward. For 3, where a CPE was made up, is there a way to capture this information in the json, to inform the downstream tools?
May be this project would benefit from the new IDs supported by CVE schema 5.1 in the future, so perhaps a roadmap for update could be proposed.
I was randomly browsing the repo and noticed that the CPE information for 2024/34xxx/CVE-2024-34342.json is incorrect. I don't think https://github.com/wojtekmaj/react-pdf is the same as cpe:2.3:a:pdf.js_viewer_project:pdf.js_viewer::::::wordpress::*.
Also for 2024/34xxx/CVE-2024-34408.json I don't think the CPE should be cpe:2.3:a:tencent:tencent:5.8.2.5300:::::windows::.
FYI
@serkanozkanssc would you mind opening this as a separate issue?
Actually, having talked about this, I think we need a strategy for a) picking between close but ambiguous CPEs (lol that those exist) and b) taking feedback on evidence-based reasoning as to why the original CPE was incorrect.
In the meantime, this particular XPDF things was updated.
🐛 Summary
Vendor string used for this xpdf CVE is
xpdf
.https://github.com/cisagov/vulnrichment/blob/develop/2024/4xxx/CVE-2024-4568.json#L136
NVD, however uses
glyphandcog
as the vendor, similar totukaani
for xz.https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=xpdf
Expected behavior
CPE strings must match NVD, where possible.
Any helpful log output or screenshots
Paste the results here:
Add any screenshots of the problem here.