vulnrichment
Dashes ( - ) in Generated CPE strings
🐛 Summary
I am noticing a lot of dashes (-) in the generated CPE strings.
An example is in CVE-2024-1347 with the CPE of "cpe": "cpe:2.3:a:gitlab:gitlab:-:*:*:*:-:*:*:*".
According to the CPE specification, the value NA binds to a single hyphen (Specification page 20), which would mean the version doesn't matter and all versions are vulnerable.
Expected behavior
The correct string for this CPE would be:
{
  "cpe": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*",
  "vendor": "gitlab",
  "product": "gitlab",
  "versions": [
    {
      "status": "affected",
      "version": "16.11"
    }
  ],
  "defaultStatus": "unknown"
}
You could then infer the vulnerable versions from the affected version's data.
Thanks @jgamblin ! ACK'ed. I suspect there's some upstream pollution, but we'll check it out.
See also: https://jerrygamblin.com/2021/07/23/tracking-cpe-data-quality-issues/
As best I understand, a single hyphen '-' means "not applicable", which means... that there is no applicable version for an entry? I believe the short answer is to always use '*' (or '::') as a wildcard, unless there is some specific and correct reason to use '-'.
We should check upstream Microsoft CPE data. I've had at least one discussion with them about using '-'.
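A data-quality check for the pattern reported in this thread, as an added example that is not part of the vulnrichment project or of any comment above: it splits a CPE 2.3 formatted string on unescaped colons, classifies each attribute as ANY ('*'), NA ('-') or a literal, and flags NA wherever the wildcard was almost certainly meant, with a stronger finding when 'version' is NA but affected versions are listed. The sample entry is constructed after the CVE-2024-1347 fragment quoted above, and the function names are mine.

```python
# Attribute names of a CPE 2.3 formatted string, in order after the "cpe:2.3" prefix.
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")

def split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    A colon separates fields unless escaped; escaped pairs (e.g. "\\:") stay in the field."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])  # keep the escape and the escaped char together
            i += 2
            continue
        if cpe[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(cpe[i])
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_ATTRS, fields[2:]))

def logical_value(component):
    """CPE 2.3 binding: '*' is ANY, a lone '-' is NA, anything else is a literal value."""
    return {"*": "ANY", "-": "NA"}.get(component, "VALUE")

def check_affected(entry):
    """Return (attribute, reason) findings for one 'affected' entry of a CVE JSON record.
    Any lone '-' is flagged; '-' in 'version' beside listed affected versions is a contradiction."""
    comps = split_cpe(entry["cpe"])
    lists_affected = any(v.get("status") == "affected" for v in entry.get("versions", []))
    findings = []
    for attr, value in comps.items():
        if logical_value(value) == "NA":
            hint = ("NA contradicts the listed affected versions; use '*'"
                    if attr == "version" and lists_affected
                    else "NA ('-') where ANY ('*') is almost certainly intended")
            findings.append((attr, hint))
    return findings

# Constructed sample modelled on the CVE-2024-1347 fragment quoted in the issue (not the real record).
BAD_ENTRY = {"cpe": "cpe:2.3:a:gitlab:gitlab:-:*:*:*:-:*:*:*", "vendor": "gitlab",
             "product": "gitlab", "versions": [{"status": "affected", "version": "16.11"}],
             "defaultStatus": "unknown"}
GOOD_ENTRY = dict(BAD_ENTRY, cpe="cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*")

if __name__ == "__main__":
    print(*check_affected(BAD_ENTRY), sep="\n")
```

Run over every "affected" entry in a record, the check reports the two '-' fields of the quoted CPE (version and sw_edition) and nothing for the corrected string.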
@amanion-cisa that is also my understanding of the correct way to use the '-'. Thanks for looking into it.
Just came across a CVE w/ version using "-" instead of "*" https://github.com/cisagov/vulnrichment/blob/386eaafcb58e104e148607377e8a9cec0e9de26c/2023/51xxx/CVE-2023-51365.json#L5
In general, we should have fixed all the errant dashes-instead-of-stars, but there are a few (like the one @patrickmgarrity pointed out) that are actually in the NVD dictionary, and we're loath to make edits here that conflict with that upstream source.
Check it out: https://nvd.nist.gov/products/cpe
If you run across new ones, and they're not in the dictionary, then please open a new issue!