
Handling of - (NA) in CPE

Open OrangeDog opened this issue 1 year ago • 2 comments

Describe the bug

The value of - for a CPE field is supposed to mean "NA" but it is not apparent how that should be handled differently to "ANY".

I have noticed it being used for the version in CVE-2024-1459, as cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*, causing that to not be detected at all.

Version of dependency-check used

Maven plugin 9.0.9

To Reproduce

<dependency>
  <groupId>io.undertow</groupId>
  <artifactId>undertow-core</artifactId>
  <version>2.3.12.Final</version>
</dependency>

Expected behavior

I guess this should be a match, as the CVE description seems to indicate it applies to all versions (currently).

OrangeDog avatar Mar 01 '24 12:03 OrangeDog
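The following is an added illustration, not code from dependency-check or CPE-Parser: a minimal CPE 2.3 name matcher that implements the pairwise attribute relations of NISTIR 7696 (Table 6), so that "-" (NA) and "*" (ANY) are treated differently, and shows why a strict implementation does not match the version-NA CPE from the issue against a concrete product version. It assumes plain attribute values with no embedded wildcard characters.

```python
# Added example (not dependency-check's or CPE-Parser's code): a minimal CPE 2.3
# matcher implementing the pairwise attribute relations of NISTIR 7696 Table 6,
# distinguishing ANY ("*") from NA ("-"). Wildcards inside a value ("2.3.?")
# are not handled; values are treated as plain strings.
import re

ANY, NA = object(), object()   # sentinel logical values
EQUAL, SUBSET, SUPERSET, DISJOINT = "EQUAL", "SUBSET", "SUPERSET", "DISJOINT"
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(fs):
    """Parse a CPE 2.3 formatted string into a dict of its 11 logical attributes."""
    fields = re.split(r"(?<!\\):", fs)          # split on unescaped colons only
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {fs}")
    def logical(v):
        if v == "*":
            return ANY
        if v == "-":
            return NA
        return v.lower()                          # values compare case-insensitively
    return dict(zip(ATTRS, (logical(v) for v in fields[2:])))

def compare_attr(source, target):
    """Relation of a source (vulnerable-config) attribute to a target (product) attribute."""
    if source is ANY:
        return EQUAL if target is ANY else SUPERSET
    if source is NA:
        if target is NA:
            return EQUAL
        return SUBSET if target is ANY else DISJOINT  # NA vs a concrete value is DISJOINT
    if target is ANY:
        return SUBSET
    if target is NA:
        return DISJOINT
    return EQUAL if source == target else DISJOINT

def cpe_match(vuln_cpe, product_cpe):
    """True iff every vulnerable-CPE attribute is EQUAL to or a SUPERSET of the product's."""
    v, p = parse_cpe23(vuln_cpe), parse_cpe23(product_cpe)
    return all(compare_attr(v[a], p[a]) in (EQUAL, SUPERSET) for a in ATTRS)

if __name__ == "__main__":
    product = "cpe:2.3:a:redhat:undertow:2.3.12.final:*:*:*:*:*:*:*"
    # The CVE-2024-1459 configuration quoted in the issue: version is NA, not ANY.
    print(cpe_match("cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*", product))  # False
    print(cpe_match("cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", product))  # True
```

Under these rules the issue's CPE only matches a product whose version is itself NA or ANY, which is why a concrete dependency version is never flagged by it.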

I wonder if this bug is now located in https://github.com/stevespringett/CPE-Parser

I'll have to do some testing.

jeremylong avatar Apr 15 '24 09:04 jeremylong

Just to note that example CVE is actually fixed in 2.3.12.Final, but I don't think any data sources have been updated to reflect that (they hadn't when I filed this). Testing with 2.3.11 may be a more reliable reproduction.

OrangeDog avatar Apr 15 '24 09:04 OrangeDog