
Incorrect CPE generated for Debian package

Open 37b opened this issue 1 year ago • 5 comments

Description

The CPE for a Debian package should be cpe:2.3:a:debian:dpkg:1.20.9:*:*:*:*:*:*:* but Trivy reports it as cpe:2.3:a:dpkg:dpkg:1.20.9:*:*:*:*:*:*:*

What did you expect to happen?

The correct CPE cpe:2.3:a:debian:dpkg:1.20.9:*:*:*:*:*:*:*

What happened instead?

The incorrect CPE was generated cpe:2.3:a:dpkg:dpkg:1.20.9:*:*:*:*:*:*:*

37b avatar Jul 26 '22 18:07 37b

@37b thanks for your report. I'll try to clarify this issue

afdesk avatar Aug 02 '22 10:08 afdesk

@37b could you tell me if there are any images for tests?

afdesk avatar Aug 03 '22 12:08 afdesk

@afdesk There's no pre-built image for the project, but the code is here https://github.com/DefectDojo/django-DefectDojo

37b avatar Aug 03 '22 18:08 37b

@37b thanks! i can see that this project uses python:3.8.13-slim. it depends on debian 11.4, right?

which format is sensitive for you? i mean where do you see incorrect output: cpe:2.3:a:dpkg:dpkg:1.20.9:*:*:*:*:*:*:*?

thanks a lot!

afdesk avatar Aug 04 '22 07:08 afdesk

@afdesk According to the spec (from Wikipedia, I am not an expert)

cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

the first dpkg entry should be the vendor, in this case debian

37b avatar Aug 04 '22 19:08 37b
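To make the field layout quoted above concrete, here is a small CPE 2.3 formatted-string parser, written for this thread as an added example (it is not Trivy code and not from any Trivy data source). It splits on unescaped colons, checks the `cpe:2.3` prefix and the 13-field count, and exposes a `VendorMismatch` check that flags the exact situation in the report: two strings that agree on product and version but differ in the vendor field. The two sample strings are the ones from the issue; the `VendorMismatch` helper and the struct field names are this example's own naming.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CPE holds the 11 attribute fields that follow "cpe:2.3:" in a formatted string.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition string
	Language, SwEdition, TargetSw, TargetHw, Other  string
}

// splitFormatted splits a CPE 2.3 formatted string on unescaped colons.
// A backslash escapes the next character, so "\:" inside a value stays
// part of that value (the escape is preserved verbatim) and is not a separator.
func splitFormatted(s string) []string {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune('\\')
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if escaped { // dangling backslash at end of input: keep it literally
		cur.WriteRune('\\')
	}
	return append(fields, cur.String())
}

// ParseCPE23 parses
// cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
// and rejects strings with the wrong prefix, field count, or part value.
func ParseCPE23(s string) (CPE, error) {
	f := splitFormatted(s)
	if len(f) != 13 {
		return CPE{}, fmt.Errorf("expected 13 colon-separated fields, got %d", len(f))
	}
	if f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, errors.New("not a cpe:2.3 formatted string")
	}
	switch f[2] {
	case "a", "o", "h": // application, operating system, hardware
	default:
		return CPE{}, fmt.Errorf("invalid part %q (want a, o or h)", f[2])
	}
	return CPE{
		Part: f[2], Vendor: f[3], Product: f[4], Version: f[5], Update: f[6], Edition: f[7],
		Language: f[8], SwEdition: f[9], TargetSw: f[10], TargetHw: f[11], Other: f[12],
	}, nil
}

// VendorMismatch reports whether two CPEs name the same product and version
// but disagree on the vendor field. This is the discrepancy the report describes
// (vendor "dpkg" where "debian" is expected), which breaks matching against
// advisories keyed on the vendor:product pair.
func VendorMismatch(got, want CPE) bool {
	return got.Product == want.Product && got.Version == want.Version && got.Vendor != want.Vendor
}

func main() {
	reported := "cpe:2.3:a:dpkg:dpkg:1.20.9:*:*:*:*:*:*:*"   // string from the issue
	expected := "cpe:2.3:a:debian:dpkg:1.20.9:*:*:*:*:*:*:*" // string the reporter expects
	got, err := ParseCPE23(reported)
	if err != nil {
		panic(err)
	}
	want, err := ParseCPE23(expected)
	if err != nil {
		panic(err)
	}
	fmt.Printf("reported vendor=%q product=%q; expected vendor=%q product=%q\n",
		got.Vendor, got.Product, want.Vendor, want.Product)
	fmt.Println("vendor mismatch:", VendorMismatch(got, want))
}
```

Running it prints both parsed vendor/product pairs and `vendor mismatch: true`; the same check can be run over every CPE in an SBOM or scan report to catch entries whose vendor field simply repeats the product name.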

@37b sorry, I meant where do you see this CPE string? how can i reproduce it? thanks

afdesk avatar Aug 22 '22 13:08 afdesk

@37b sorry, i missed your issue. It seems I asked a weird question.

Trivy depends on several data sources, and it doesn't generate CPE strings. I'd like to figure out where it came from.

so could you confirm that this issue still appears and where/when Trivy shows the incorrect CPE string?

thanks a lot

afdesk avatar Nov 13 '22 17:11 afdesk

Trivy doesn't generate CPE as of today.

knqyf263 avatar May 15 '23 12:05 knqyf263