Describe the bug

linux_kernel is associated with more CVEs than it should be. Some cpe strings in the NVD json files have linux_kernel:* as the value of the "target software : target hardware" fields. For example:

cpe:2.3:a:accelatech:bizsearch:3.2:-:*:*:*:linux_kernel:*:*

While this is arguably an NVD data error (this should probably be linux, not linux_kernel), this is also an avoidable case. EMBA seems to look for product:version and product:* anywhere in the string. In the above case, there was no start/end version, only a single product version in the cpe string itself, 3.2, for product bizsearch. However, EMBA sees linux_kernel:* and will happily match any detected kernel version in a firmware image. Had there been start/end versions, they would probably have been applied to match the linux_kernel version, incorrectly.

Examples of incorrectly matched CVEs:

In theory, this could happen with other "products" than linux_kernel, but this is probably one of the few that happen to appear in the cpe string past the actual product field.

To Reproduce

Steps to reproduce the behavior:
EMBA installation: default mode
Use the firmware available here: any firmware with a detected Linux kernel will do (sorry I can't share the few I'm working on)
Start EMBA with the following parameters: sudo ./emba -p ./scan-profiles/default-scan.emba -l output/path -f firmware/image/file
Additional steps: wait for the analysis to complete, then look at the reported kernel CVEs
See error

Expected behavior

The product name should match the product field of cpe strings, not any other field. Unrelated CVEs should not be reported for a given product such as linux_kernel.

Screenshots

None

Desktop

OS: dedicated Ubuntu 22.04 VM
EMBA version: current master branch, commit c98898e6 from March 5
Installation method: default with up to date docker image (pulled on March 5)

Priority issue

Are you already a Sponsor? N

Additional context

None
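The following is an added illustration of the mismatch described above and of the expected field-aware behaviour; it is not EMBA's code, and `naive_product_version` is a reconstruction of the "product:version or product:* anywhere in the string" heuristic the report describes, not EMBA's actual implementation. It splits a CPE 2.3 formatted string into its eleven named components (splitting only on unescaped colons, since CPE 2.3 allows `\:` inside a component) and shows that the bizsearch cpe string from the report yields a wildcard kernel "version" under the naive check, while the field-aware check only accepts a product named in the product component. The kernel and escaped-colon cpe strings are constructed sample inputs.

```python
import re
from typing import Optional

# Component names of a CPE 2.3 formatted string after the "cpe:2.3:" prefix
# (NIST IR 7695). The product is the third component; target_sw is the ninth,
# which is where "linux_kernel" sits in the string from the report.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Sample inputs: the first is the cpe string quoted in the report, the other
# two are constructed for this example.
SAMPLE_BIZSEARCH = "cpe:2.3:a:accelatech:bizsearch:3.2:-:*:*:*:linux_kernel:*:*"
SAMPLE_KERNEL = "cpe:2.3:o:linux:linux_kernel:5.10.1:*:*:*:*:*:*:*"
SAMPLE_ESCAPED = r"cpe:2.3:a:vendor:prod\:uct:1.0:*:*:*:*:*:*:*"


def split_cpe23(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on colons not escaped by a backslash."""
    return re.split(r"(?<!\\):", cpe)


def parse_cpe23(cpe: str) -> dict:
    """Return the eleven named components of a CPE 2.3 formatted string.

    Raises ValueError unless the string starts with "cpe:2.3" and has exactly
    13 colon-separated components (escaped colons are not separators).
    """
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def naive_product_version(cpe: str, product: str) -> Optional[str]:
    """Reconstruction of the heuristic the report describes (assumption, not EMBA's code).

    Looks for "product:<token>" anywhere in the string and returns the token,
    so a product name appearing in target_sw is mistaken for a match and the
    following "*" is read as "every version is affected".
    """
    m = re.search(rf"{re.escape(product)}:([^:]+)", cpe)
    return m.group(1) if m else None


def product_version(cpe: str, product: str, vendor: Optional[str] = None) -> Optional[str]:
    """Field-aware check: only the product component can satisfy a product match.

    Returns the version component when the product (and, if given, the vendor)
    matches, otherwise None. A returned "*" means any version is affected and
    "-" means the entry carries no version information.
    """
    fields = parse_cpe23(cpe)
    if fields["product"] != product:
        return None
    if vendor is not None and fields["vendor"] not in (vendor, "*"):
        return None
    return fields["version"]


if __name__ == "__main__":
    for cpe in (SAMPLE_BIZSEARCH, SAMPLE_KERNEL):
        print(cpe)
        print("  naive match for linux_kernel:", naive_product_version(cpe, "linux_kernel"))
        print("  field-aware match           :", product_version(cpe, "linux_kernel"))
```

Run stand-alone, the bizsearch string reports a naive match of `*` for linux_kernel (the behaviour the report complains about) and no field-aware match, while the constructed kernel string matches under both checks with version 5.10.1.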