TG1999
commented
1 year ago @tdruez We only ingest the CPEs as reference IDs that we directly get from the NVD API, we have cpe:2.3:a:3proxy:3proxy:*:*:*:*:*:*:*:* stored for this CVE-2019-14495.
Open tdruez opened 1 year ago
TG1999
commented
1 year ago @tdruez We only ingest the CPEs as reference IDs that we directly get from the NVD API, we have cpe:2.3:a:3proxy:3proxy:*:*:*:*:*:*:*:* stored for this CVE-2019-14495.
tdruez
commented
1 year ago Not returning any results when searching for a vulnerable CPE is a major problem imo. Searching on the NVD site does return a match.
pombredanne
commented
1 year ago The NVD does not seem to provide an API with actual affected version ranges or version enumerations for CPEs. This is only available on the web for instance https://nvd.nist.gov/vuln/detail/CVE-2019-14495/cpes?expandCpeRanges=true and I suspect this is computed on the fly by some unpublished/unknown closed code.
To resolve this issue we likely need to:
I've run the bulk_search on about 12k CPEs and only 5.3k were referenced in VulnerableCode.
For example:
cpe:2.3:a:3proxy:3proxy:0.8.11:*:*:*:*:*:*:*https://nvd.nist.gov/products/cpe/detail/A2EBD95B-59E5-4009-9450-13E71F8A305A?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3A3proxy%3A3proxy%3A0.8.11%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL%2CDEPRECATED
https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3A3proxy%3A3proxy%3A0.8.11%3A*%3A*%3A*%3A*%3A*%3A*%3A*
/api/cpes?cpe=cpe:2.3:a:3proxy:3proxy:0.8.11:*:*:*:*:*:*:*-> 0 results / No vulnerability found.