Closed Kretikus closed 3 months ago
I'm not really familiar with CPE but what you have set seems correct. AFAICT previous CVE assignments (made by MITRE) used botan_project:botan. The most recent batch of CVEs were set by Github and apparently did not set the CPE. I'll check with GH if there is a way to set the CPE. Otherwise I guess I'll have to get future CVEs from MITRE, which is a shame since the GH CVE request process is pretty smooth.
GH finally got back to me "we cannot estimate when or if this feature will be implemented". :disappointed: Going forward I will use MITRE for CVE assignments.
Hello,
we have been sitting on an old version (2.19.4) of botan in our project. We trusted that our platform 'dependency-track' would provide us with any news if a CVE had been found. Unfortunately the recent CVEs did not provide any CPE, so our tool could not link the recent CVEs to the botan dependency. We were using cpe:2.3:a:botan_project:botan:2.19.4::::::: (but might cpe:2.3:a:randombit:botan:2.19.4::::::: be better?) as CPE in our BOM files.
The CVEs in question are: CVE-2024-34702 and CVE-2024-39312
Would it be possible to provide CPEs for any valid CVE in the future? And if so, is the CPE we have set ok? And is this something you should pay attention to, or is this someone else's job? To be honest, I have no idea how the CVE process works.
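To illustrate the failure mode in this issue (a BOM CPE can only link to a CVE whose record carries a matching CPE, and the vendor component must agree), here is an added Python example that is not code from Botan or Dependency-Track: it parses CPE 2.3 formatted strings, applies the logical-value matching rules, and runs them over constructed records. The record contents and the id EXAMPLE-CVE-0001 are assumptions, not real NVD data; empty components in the BOM string are read leniently as ANY.

```python
import re
from typing import Dict, List

# Ordered component names of a CPE 2.3 formatted string (NISTIR 7695).
FIELDS = ["part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other"]
ANY, NA = "*", "-"


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a cpe:2.3 string into its 11 named components.
    A colon escaped as '\\:' belongs to a value and is not a separator.
    Empty components (as in the BOM string quoted in the issue) are
    treated as ANY, although the formal grammar requires '*'."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a cpe:2.3 formatted string: {cpe!r}")
    return {name: (val or ANY) for name, val in zip(FIELDS, parts[2:])}


def component_matches(bom_val: str, cve_val: str) -> bool:
    """CPE name matching: ANY matches anything, NA matches only NA or ANY,
    otherwise the values must be equal (case-insensitively)."""
    if bom_val == ANY or cve_val == ANY:
        return True
    if NA in (bom_val, cve_val):
        return bom_val == cve_val
    return bom_val.lower() == cve_val.lower()


def cpe_matches(bom_cpe: str, cve_cpe: str) -> bool:
    bom, cve = parse_cpe23(bom_cpe), parse_cpe23(cve_cpe)
    return all(component_matches(bom[f], cve[f]) for f in FIELDS)


def affected_by(bom_cpe: str, cve_records: Dict[str, List[str]]) -> List[str]:
    """Ids of records whose affected-CPE list matches the BOM CPE.
    A record published with no CPE at all can never match."""
    return [cve_id for cve_id, cpes in cve_records.items()
            if any(cpe_matches(bom_cpe, c) for c in cpes)]


# Constructed sample data (assumption, not the real NVD entries).
BOM_CPE = "cpe:2.3:a:botan_project:botan:2.19.4:::::::"
SAMPLE_RECORDS = {
    "CVE-2024-34702": [],  # published without a CPE, as the issue describes
    "EXAMPLE-CVE-0001": ["cpe:2.3:a:randombit:botan:2.19.4:*:*:*:*:*:*:*"],
}
```

Running `affected_by(BOM_CPE, SAMPLE_RECORDS)` returns an empty list: the CPE-less record cannot link, and the hypothetical record fails on the vendor component alone.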