Open roman-mueller opened 9 months ago
Hey @roman-mueller!
Thanks for creating this issue. It's known behavior as of now: currently CPE to CVE is mapped based on the CPE information available as vulnerable CPE in the CVE JSON block. We are in the process of mapping CPE to CVE information separately for complete coverage, as you pointed out.
Hi @ehsandeep
When I query
echo CVE-2019-1549 | cvemap -json
The output of "vulnerable_cpe" is just cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
But when I query CVE-2019-1549 on NIST, there are more matching CPEs (from 1.1.1 up to 1.1.1c); it shows all vulnerable CPEs.
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*
Is this the same issue?
Hi @ehsandeep! How's the mapping process proceeding?
Any update on this?
I think there is a bug here: cvemap doesn't care about the version! This will generate a lot of false positives.
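As an added example (not part of this issue or of the cvemap project), a minimal version-aware comparison of CPE 2.3 strings: the wildcard vulnerable_cpe quoted above covers every OpenSSL build, while matching against NIST's per-version CPEs does not flag a version outside the listed range. The two CPE lists and the "installed" CPE are constructed from the values quoted in this thread, and the matching is simplified (only "*" is treated as a wildcard; escaped colons are not handled).

```python
"""Version-aware CPE 2.3 matching, illustrating the false positive discussed above."""

# Constructed sample: the single wildcard CPE that cvemap -json reports for CVE-2019-1549.
CVEMAP_VULNERABLE_CPE = "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"

# Constructed sample: a subset of the per-version CPEs NIST lists for the same CVE.
NIST_VULNERABLE_CPES = [
    "cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*",
]

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named components."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    parts = cpe[len(prefix):].split(":")  # escaped colons are not handled here
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} components, got {len(parts)}: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts))


def cpe_matches(pattern: str, target: str) -> bool:
    """True if every pattern component is '*' (ANY) or equals the target's (case-insensitive)."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] == "*" or p[f].lower() == t[f].lower() for f in CPE_FIELDS)


def matches_any(patterns: list, target: str) -> bool:
    """True if the target is covered by at least one vulnerable-CPE pattern."""
    return any(cpe_matches(p, target) for p in patterns)


if __name__ == "__main__":
    # Constructed target: an OpenSSL build whose version lies outside the range NIST lists.
    installed = "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*"
    print("wildcard CPE flags it: ", matches_any([CVEMAP_VULNERABLE_CPE], installed))  # True
    print("versioned CPEs flag it:", matches_any(NIST_VULNERABLE_CPES, installed))     # False
```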
cvemap version:
v0.0.4
Current Behavior:
When querying for certain CPEs, no data is returned.
Expected Behavior:
Vulnerability data should be returned.
Steps To Reproduce:
As an example, run those queries:
Those will not return any data. But those CPEs are correct; for example, searching on the NIST site returns 66 vulnerabilities (Apache/httpd): NIST, 19 (Apache/Tomcat): NIST, and 4 (jQuery): NIST.
The CVE IDs listed by NIST can be directly queried, for example
cvemap -id CVE-2023-45802
does return data as expected. But the CPE is not included in the JSON output. Is there any reason these CPEs are missing? Querying for specific versions would be my number one use case.