Open tdruez opened 1 year ago
@tdruez We only ingest the CPEs as reference IDs that we directly get from the NVD API, we have cpe:2.3:a:3proxy:3proxy:*:*:*:*:*:*:*:* stored for this CVE-2019-14495.
Not returning any results when searching for a vulnerable CPE is a major problem imo. Searching on the NVD site does return a match.
The NVD does not seem to provide an API with actual affected version ranges or version enumerations for CPEs. This is only available on the web, for instance https://nvd.nist.gov/vuln/detail/CVE-2019-14495/cpes?expandCpeRanges=true and I suspect this is computed on the fly by some unpublished/unknown closed code.
To resolve this issue we likely need to:
I've run the bulk_search on about 12k CPEs and only 5.3k were referenced in VulnerableCode.
For example:
cpe:2.3:a:3proxy:3proxy:0.8.11:*:*:*:*:*:*:*
https://nvd.nist.gov/products/cpe/detail/A2EBD95B-59E5-4009-9450-13E71F8A305A?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3A3proxy%3A3proxy%3A0.8.11%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED
https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3A3proxy%3A3proxy%3A0.8.11%3A*%3A*%3A*%3A*%3A*%3A*%3A*
/api/cpes?cpe=cpe:2.3:a:3proxy:3proxy:0.8.11:*:*:*:*:*:*:*
-> 0 results / No vulnerability found.
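
Added example, not part of the thread and not VulnerableCode or NVD code: it shows why an exact string lookup of the versioned CPE finds nothing when only the wildcard CPE is stored, and what an attribute-wise comparison returns instead. The function names and the second stored entry are constructed for illustration, and only a whole-attribute `*` is treated as a wildcard.

```python
# Added illustration; all names here are hypothetical.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes.

    A backslash escapes the next character, so an escaped ':' stays in the value.
    """
    parts, buf, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])
            i += 2
            continue
        if cpe[i] == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(cpe[i])
        i += 1
    parts.append("".join(buf))
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, (p.lower() for p in parts[2:])))


def covers(stored, query):
    """True if every attribute of `stored` is '*' (ANY) or equals the query's.

    Simplification (assumption): embedded '*' and '?' are compared literally.
    """
    s, q = parse_cpe23(stored), parse_cpe23(query)
    return all(s[f] == "*" or s[f] == q[f] for f in FIELDS)


def exact_lookup(stored_cpes, query):
    """String equality, which misses a wildcard-only stored CPE."""
    return [c for c in stored_cpes if c == query]


def covering_lookup(stored_cpes, query):
    """Stored CPEs whose attributes cover the queried CPE."""
    return [c for c in stored_cpes if covers(c, query)]


# First entry is the stored CPE quoted in the thread; the second is constructed.
STORED = ["cpe:2.3:a:3proxy:3proxy:*:*:*:*:*:*:*:*",
          "cpe:2.3:a:example_vendor:example_product:1.0:*:*:*:*:*:*:*"]
QUERY = "cpe:2.3:a:3proxy:3proxy:0.8.11:*:*:*:*:*:*:*"
```

With no version range stored beside the wildcard CPE, `covers` accepts every version of the product, so this comparison alone cannot tell affected releases from fixed ones.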