florentulve changed the title from "Wrong vulnerabilities reports when logical value NA used" to "Wrong vulnerabilities reports when logical value NA used in CPE Version" on Sep 2, 2022
We have the same issue with the Apache HTTP server and also older OpenSSL entries.
Additionally, after suppressing those false positives and uploading a new SBOM file with an updated version number (e.g. changing 2.4.54 to 2.4.55), the old entries, which had been suppressed before, appear again.
Hi,
I'm facing an issue with the version matching of components and vulnerabilities when CPE and the logical value NA ('-') are involved.
Current Behavior:
A project with an httpd server component identified by the CPE
cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*
leads to it being vulnerable to CVE-2007-6420.
CVE-2007-6420 has the following cpe_match:
Expected Behavior:
I think the vuln shouldn't be reported.
The NVD search doesn't report the vuln: NVD Search
Moreover, according to the "Name Matching Specification Version 2.3", I don't think the actual implementation in AbstractVulnerableSoftwareAnalysisTask.compareVersions is correct, as I understand table 6-2 from chapter "6.1 Attribute Comparison Relations" at https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf
Steps to Reproduce:
I reproduce the issue with the test case below:
Expected
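To make the table 6-2 argument above concrete, here is an added example (not code from the issue, nor from Dependency-Track) that implements the attribute comparison relations of NISTIR 7696 and the resulting name match. It assumes the CVE's cpe_match carries NA ('-') in the version attribute, as the issue title states, and uses the component CPE from the report; a cpe_match with NA in the version is DISJOINT from a concrete version such as 2.4.53, so the vulnerability should not apply.

```python
import re

ANY, NA = "*", "-"  # CPE 2.3 logical values: ANY and NA ("not applicable")
EQUAL, SUBSET, SUPERSET, DISJOINT, UNDEFINED = "EQUAL", "SUBSET", "SUPERSET", "DISJOINT", "UNDEFINED"

def is_wildcarded(value):
    # A value containing '*' or '?' that is not the bare ANY logical value
    return value not in (ANY, NA) and ("*" in value or "?" in value)

def wild_match(pattern, value):
    # CPE wildcard semantics: '*' matches any run of characters, '?' exactly one
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def compare_attribute(source, target):
    """Table 6-2 of NISTIR 7696: relation of one source attribute value (the
    vulnerability's cpe_match) to one target attribute value (the component)."""
    if is_wildcarded(target):
        return UNDEFINED  # wildcards are only permitted in the source name
    if source == ANY:
        return EQUAL if target == ANY else SUPERSET
    if source == NA:  # NA against a concrete version is DISJOINT, not a match
        return SUBSET if target == ANY else EQUAL if target == NA else DISJOINT
    if is_wildcarded(source):
        if target in (ANY, NA):
            return SUBSET if target == ANY else DISJOINT
        return SUPERSET if wild_match(source, target) else DISJOINT
    if target in (ANY, NA):  # source is a concrete value
        return SUBSET if target == ANY else DISJOINT
    return EQUAL if source == target else DISJOINT

def cpe23_attributes(cpe):
    # Formatted-string binding split on ':'; escaped colons are not handled here
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    return parts[2:]

def vulnerability_applies(source_cpe, target_cpe):
    """A source name matches the target only when every attribute relation is
    EQUAL or SUPERSET (the CPE_SUPERSET check of NISTIR 7696 section 7)."""
    relations = [compare_attribute(s, t) for s, t in
                 zip(cpe23_attributes(source_cpe), cpe23_attributes(target_cpe))]
    return all(r in (EQUAL, SUPERSET) for r in relations), relations

# Constructed inputs: the component CPE from the report, and a cpe_match that uses NA
# in the version attribute (assumed shape of the CVE-2007-6420 entry, not copied from NVD).
COMPONENT = "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"
CVE_MATCH_NA = "cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*"
```

Running `vulnerability_applies(CVE_MATCH_NA, COMPONENT)` returns `False` with the version relation reported as DISJOINT, which is the behaviour the issue expects; a scanner that treats '-' as matching any concrete version produces the false positive described above.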