Open roman-mueller opened 5 months ago
ehsandeep
commented
5 months ago Hey @roman-mueller!
Thanks for creating this issue, it's known behavior as of now, currently CPE to CVE is mapped based on CPE information available as vulnerable CPE in CVE json block, we are in process of mapping CPE to CVE information separately for complete coverage as you pointed out.
tenghaooo
commented
1 month ago HI @ehsandeep
When I query
echo CVE-2019-1549 | cvemap -json
The output of "vulnerable_cpe" is just cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
But when I query CVE-2019-1549 on NIST There are more matching CPEs(from 1.1.1 up to 1.1.1c), shows all vulnerable CPEs.
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*Is this the same issue?
cvemap version:
v0.0.4
Current Behavior:
When querying for certain CPEs, no data is returned.
Expected Behavior:
Vulnerability data should be returned.
Steps To Reproduce:
As an example, run those queries:
Those will not return any data. But those CPEs are correct, for example searching on the NIST site it will return 66 vulnerabilities (Apache/httpd): NIST 19 (Apache/Tomcat): NIST And 4 (jQuery): NIST
The CVE IDs listed by NIST can be directly queried, for example
cvemap -id CVE-2023-45802does return as expected data. But the CPE is not included in the JSON output.Is there any reason these CPEs are missing? Querying for specific versions would be my number one use-case.