
Wrong vulnerabilities reports when logical value NA used in CPE Version #1832

Closed
florentulve opened this issue Jul 26, 2022 · 2 comments · Fixed by #3070
Labels: defect (Something isn't working)

florentulve commented Jul 26, 2022

Hi,

I'm facing an issue with the version matching of components and vulnerabilities when CPE and the logical value NA ('-') are involved.

Current Behavior:

A project with an httpd server component identified by the CPE cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:* is reported as vulnerable to CVE-2007-6420.

CVE-2007-6420 has the following cpe_match:

    "configurations" : {
      "CVE_data_version" : "4.0",
      "nodes" : [ {
        "operator" : "OR",
        "children" : [ ],
        "cpe_match" : [ {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        }, {
          "vulnerable" : true,
          "cpe23Uri" : "cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*",
          "cpe_name" : [ ]
        } ]
      } ]
    },

Expected Behavior:

I think the vuln shouldn't be reported.

The NVD search doesn't report the vuln: NVD Search

Moreover, according to the "Name Matching Specification Version 2.3", I don't think the actual implementation in AbstractVulnerableSoftwareAnalysisTask.compareVersions is correct, as I understand Table 6-2 from chapter "6.1 Attribute Comparison Relations" at https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf

Steps to Reproduce:

I reproduce the issue with the test case below:

    import static org.assertj.core.api.Assertions.assertThat;

    import alpine.persistence.PaginatedResult;
    import org.dependencytrack.PersistenceCapableTest;
    import org.dependencytrack.model.Component;
    import org.dependencytrack.model.Project;
    import org.dependencytrack.model.Vulnerability;
    import org.dependencytrack.model.VulnerableSoftware;
    import org.dependencytrack.tasks.InternalAnalysisTask;
    import org.junit.Test;

    import java.util.List;

    // Imports and the (hypothetically named) wrapper class were added so the snippet
    // compiles as a JUnit test inside the Dependency-Track test suite; qm comes from
    // PersistenceCapableTest.
    public class NaVersionMatchingTest extends PersistenceCapableTest {

        @Test
        public void naVersionIsMatchedAgainstConcreteVersion() {
            // Component identified by a CPE with a concrete version (2.4.53)
            var project = new Project();
            project.setName("acme-app");
            project = qm.createProject(project, List.of(), false);
            var component = new Component();
            component.setProject(project);
            component.setName("Apache httpd");
            component.setVersion("2.4.53");
            component.setCpe("cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*");
            component = qm.createComponent(component, false);

            // Vulnerable software entry whose version attribute is the logical value NA ('-')
            var vs1 = new VulnerableSoftware();
            vs1.setCpe23("cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*");
            vs1.setPart("a");
            vs1.setVendor("apache");
            vs1.setProduct("http_server");
            vs1.setVersion("-");
            vs1.setVulnerable(true);
            var vs = qm.persist(vs1);

            var vulnerability = new Vulnerability();
            vulnerability.setVulnId("CVE-2007-6420");
            vulnerability.setSource(Vulnerability.Source.NVD);
            vulnerability.setVulnerableSoftware(List.of(vs));
            qm.createVulnerability(vulnerability, false);

            new InternalAnalysisTask().analyze(List.of(component));

            // Current behaviour: the NA entry is matched and the CVE is reported
            final PaginatedResult vulnerabilities = qm.getVulnerabilities(component);
            assertThat(vulnerabilities.getTotal()).isEqualTo(1);
            assertThat(vulnerabilities.getList(Vulnerability.class).get(0).getVulnId()).isEqualTo("CVE-2007-6420");
        }
    }

Expected

        // Expected behaviour: the NA ('-') entry must not match the concrete version 2.4.53
        final PaginatedResult vulnerabilities = qm.getVulnerabilities(component);
        assertThat(vulnerabilities.getTotal()).isEqualTo(0);
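The attribute relations from Table 6-2 of NISTIR 7696 that the report refers to, as an added illustration (not Dependency-Track's code): a minimal CPE 2.3 parser (assumes no escaped ':' inside values), the per-attribute comparison, the name-level verdict, and a hypothetical `is_affected` helper showing why the NA version ('-') must be DISJOINT from 2.4.53 while '*' is a SUPERSET of it.

```python
import fnmatch

ANY, NA = "*", "-"
EQUAL, SUBSET, SUPERSET, DISJOINT, UNDEFINED = "EQUAL", "SUBSET", "SUPERSET", "DISJOINT", "UNDEFINED"
ATTRS = ["part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(fs):
    """Split a CPE 2.3 formatted string into its 11 attributes (assumes no escaped ':')."""
    fields = fs.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {fs}")
    return dict(zip(ATTRS, fields[2:]))

def has_wildcard(v):
    return v not in (ANY, NA) and ("*" in v or "?" in v)

def compare_attribute(source, target):
    """NISTIR 7696 Table 6-2: relation of a source (vulnerable software) value to a target value."""
    if has_wildcard(target):          # wildcards inside the target value are UNDEFINED
        return UNDEFINED
    if source == ANY:                 # ANY is a superset of everything except ANY itself
        return EQUAL if target == ANY else SUPERSET
    if source == NA:                  # NA relates only to ANY (subset) and NA (equal)
        return {ANY: SUBSET, NA: EQUAL}.get(target, DISJOINT)
    if target == ANY:
        return SUBSET
    if target == NA:                  # a concrete or wildcarded value never matches NA
        return DISJOINT
    if has_wildcard(source):
        return SUPERSET if fnmatch.fnmatchcase(target.lower(), source.lower()) else DISJOINT
    return EQUAL if source.lower() == target.lower() else DISJOINT

def compare_names(source_fs, target_fs):
    """Name-level verdict: any DISJOINT or UNDEFINED attribute makes the names DISJOINT."""
    src, tgt = parse_cpe23(source_fs), parse_cpe23(target_fs)
    rels = {compare_attribute(src[a], tgt[a]) for a in ATTRS}
    if rels & {DISJOINT, UNDEFINED}:
        return DISJOINT
    if rels == {EQUAL}:
        return EQUAL
    if rels <= {EQUAL, SUBSET}:
        return SUBSET
    if rels <= {EQUAL, SUPERSET}:
        return SUPERSET
    return DISJOINT

def is_affected(vulnerable_cpe, component_cpe):
    """Hypothetical helper (not Dependency-Track's API): vulnerable CPE EQUAL to or SUPERSET of the component CPE."""
    return compare_names(vulnerable_cpe, component_cpe) in (EQUAL, SUPERSET)
```

The NA entry from the cpe_match list above only ever matches a component whose own version is NA or ANY; it cannot cover 2.4.53, so a matcher that treats '-' like a wildcard produces exactly the false positive described.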
@florentulve florentulve changed the title Wrong vulnerabilities reports when logical value NA used Wrong vulnerabilities reports when logical value NA used in CPE Version Sep 2, 2022
florentulve added a commit to florentulve/dependency-track that referenced this issue Sep 11, 2022
…ersions because it's handled by compareAttributes

Signed-off-by: Florent Ulvé <florent.ulve@protonmail.com>
Serraniel commented

We have the same issue with the Apache HTTP server and also older OpenSSL entries.

Additionally, after suppressing those false positives and uploading a new SBOM file with an updated version number (e.g. changing 2.4.54 to 2.4.55), the old entries, which have been suppressed before, appear again.

@nscuro nscuro added defect Something isn't working and removed in triage labels Oct 2, 2023
@nscuro nscuro added this to the 4.9 milestone Oct 13, 2023
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 16, 2023