CPE data missing #77

Open
roman-mueller opened this issue Feb 5, 2024 · 5 comments
Labels
Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Comments

@roman-mueller

cvemap version:

v0.0.4

Current Behavior:

When querying for certain CPEs, no data is returned.

Expected Behavior:

Vulnerability data should be returned.

Steps To Reproduce:

As an example, run those queries:

cvemap -cpe 'cpe:2.3:a:apache:http_server:1.3.13:*:*:*:*:*:*:*'
cvemap -cpe 'cpe:2.3:a:apache:tomcat:8.5.62:*:*:*:*:*:*:*'
cvemap -cpe 'cpe:2.3:a:jquery:jquery:1.11.3:*:*:*:*:*:*:*'

Those will not return any data.
But those CPEs are correct. For example, searching on the NIST site returns 66 vulnerabilities (Apache/httpd): NIST
19 (Apache/Tomcat): NIST
And 4 (jQuery): NIST

The CVE IDs listed by NIST can be directly queried, for example cvemap -id CVE-2023-45802 does return data as expected.
But the CPE is not included in the JSON output.

Is there any reason these CPEs are missing?
Querying for specific versions would be my number one use-case.

@roman-mueller roman-mueller added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Feb 5, 2024
@ehsandeep
Member

Hey @roman-mueller!

Thanks for creating this issue. It's known behavior as of now: currently, CPE to CVE is mapped based on the CPE information available as vulnerable CPE in the CVE JSON block. We are in the process of mapping CPE to CVE information separately for complete coverage, as you pointed out.

@tenghaooo

Hi @ehsandeep

When I query
echo CVE-2019-1549 | cvemap -json

The output of "vulnerable_cpe" is just cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

But when I query CVE-2019-1549 on NIST
There are more matching CPEs (from 1.1.1 up to 1.1.1c); it shows all vulnerable CPEs.

cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*

Is this the same issue?

@marcopedrinazzi

Hi @ehsandeep! How's the mapping process proceeding?

@effreetcoin

Any update on this?

@effreetcoin

I think there is a bug here: cvemap doesn't care about the version! And this will generate a lot of false positives.
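
An added example, not cvemap's code and not written by anyone in this thread: it contrasts exact-string comparison of a versioned CPE against the wildcard `vulnerable_cpe` value quoted above with attribute-wise matching, then narrows the wildcard with an inclusive version range. The range bounds are an assumption taken from the "from 1.1.1 up to 1.1.1c" comment; the function names and query versions are constructed for illustration.

```python
import re

def attrs(cpe):
    """Split a CPE 2.3 formatted string into its 11 attributes (version is index 3)."""
    fields = cpe.split(":")  # escaped colons (\:) are not handled in this sketch
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields[2:]

def covers(criterion, query):
    """Attribute-wise match: '*' in the criterion accepts any value in the query."""
    return all(c in ("*", q) for c, q in zip(attrs(criterion), attrs(query)))

def version_key(version):
    """'1.1.1c' -> [(1, ''), (1, ''), (1, 'c')] so versions compare part by part."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1) or 0), m.group(2)))
    return key

def vulnerable(criterion, query, start_incl, end_incl):
    """Wildcard criterion narrowed by an inclusive version range."""
    if not covers(criterion, query):
        return False
    v = version_key(attrs(query)[3])
    return version_key(start_incl) <= v <= version_key(end_incl)

# Criterion as quoted in the thread; the range bounds are an assumption taken
# from the comment's "from 1.1.1 up to 1.1.1c". Query versions are constructed.
CRITERION = "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"

def compare(version):
    """Return (exact string match, wildcard match, wildcard + range match)."""
    query = f"cpe:2.3:a:openssl:openssl:{version}:*:*:*:*:*:*:*"
    return (CRITERION == query,
            covers(CRITERION, query),
            vulnerable(CRITERION, query, "1.1.1", "1.1.1c"))

if __name__ == "__main__":
    for v in ("1.0.2", "1.1.1b", "1.1.1d"):
        print(v, compare(v))
```

Exact comparison never matches a versioned query, the bare wildcard matches every version of the product, and only the range check separates affected from unaffected versions.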
