Django package CPE is not correct #1298
Comments
Thanks @AndrewR777 -- we are currently investigating some ways to improve CPE generation. This is a hard problem because CPEs are not especially consistent from NVD and often don't actually match information we've found. We'll keep you posted as this improves.
@anchore/tools we may be able to solve this by adding the appropriate entry to https://github.com/anchore/syft/blob/v0.79.0/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
What happened:
Running the command:
syft --scope all-layers arenadata/adcm:latest -o cyclonedx-xml
the CPE of the Django package is generated like this:
<cpe>cpe:2.3:a:django_software_foundation:python-Django:3.2.15:*:*:*:*:*:*:*</cpe>
In this way, software like Dependency Track is not able to detect the vulnerability in NVD based on the CPE. For example, this vulnerability is not detected.
What you expected to happen:
The CPE of the Django package is generated like this:
<cpe>cpe:2.3:a:djangoproject:django:3.2.15:*:*:*:*:*:*:*</cpe>
When the SBOM file is imported into Dependency Track, the vulnerability will be detected.
How to reproduce it:
Simply run the command
syft --scope all-layers arenadata/adcm:latest -o cyclonedx-xml
and check the value of generated CPE.
Environment:
syft 0.59.0
=================
And another related question: is there an internal file in syft, which I could edit to fix issues like this by myself?
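An added example, not syft's code and not posted by anyone in this thread, of the approach the maintainers describe: a per-package-type table of extra vendor/product candidates consulted when building CPE strings. The `Package` struct, the `additionsByType` entries, the `python[23]?-` prefix rule and the function names are all assumptions made for illustration; the point is that a Python package catalogued as `python-Django` ends up with `cpe:2.3:a:djangoproject:django:3.2.15:*:*:*:*:*:*:*` among its candidates, which is the string an exact-match consumer such as Dependency Track needs. The formatted-string escaping follows the CPE 2.3 binding in NIST IR 7695.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Package is the minimal identity a cataloger hands to CPE generation.
// Illustrative only; syft's real pkg.Package carries far more fields.
type Package struct {
	Type    string // package type, e.g. "python", "deb", "rpm"
	Name    string // name as found in the artifact, e.g. "python-Django"
	Version string
}

// addition lists extra vendor/product names to emit for a known package, keyed by
// package type and then by normalized product name. These entries are assumptions
// for this example, not syft's own table.
type addition struct {
	Vendors  []string
	Products []string
}

var additionsByType = map[string]map[string]addition{
	"python": {
		"django": {Vendors: []string{"djangoproject"}, Products: []string{"django"}},
	},
}

// packagingPrefix matches prefixes that distro packaging adds to a Python module name
// but NVD product names do not carry (python-Django -> Django, python3-requests -> requests).
var packagingPrefix = regexp.MustCompile(`^python[23]?-`)

// normalizeProduct lowercases the package name and strips the packaging prefix.
func normalizeProduct(name string) string {
	return strings.ToLower(packagingPrefix.ReplaceAllString(name, ""))
}

// escapeFS quotes a literal attribute value for the CPE 2.3 formatted-string binding:
// letters, digits, '_', '.' and '-' pass through, every other character is backslash
// escaped, so a stray '*' or '?' in a package name cannot turn into a wildcard.
func escapeFS(v string) string {
	var b strings.Builder
	for _, r := range v {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '_', r == '.', r == '-':
			b.WriteRune(r)
		default:
			b.WriteRune('\\')
			b.WriteRune(r)
		}
	}
	return b.String()
}

// FormatCPE builds a CPE 2.3 formatted string for an application (part "a") from
// vendor, product and version; an empty version binds to the ANY value "*".
func FormatCPE(vendor, product, version string) string {
	ver := "*"
	if version != "" {
		ver = escapeFS(version)
	}
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", escapeFS(vendor), escapeFS(product), ver)
}

// CandidateCPEs returns every vendor x product combination worth emitting for p, sorted
// and deduplicated. The vendor defaults to the product name itself (a common NVD pattern,
// e.g. "django:django") and is extended by the curated table; products include both the
// raw lowercased name and the normalized one so either naming convention can match.
func CandidateCPEs(p Package) []string {
	product := normalizeProduct(p.Name)
	vendors := map[string]bool{product: true}
	products := map[string]bool{product: true, strings.ToLower(p.Name): true}
	if add, ok := additionsByType[p.Type][product]; ok {
		for _, v := range add.Vendors {
			vendors[v] = true
		}
		for _, pr := range add.Products {
			products[pr] = true
		}
	}
	out := []string{}
	for v := range vendors {
		for pr := range products {
			out = append(out, FormatCPE(v, pr, p.Version))
		}
	}
	sort.Strings(out)
	return out
}

// HasCandidate reports whether want is among the candidates, i.e. whether a consumer that
// matches on exact CPE strings would find the package under that name.
func HasCandidate(cands []string, want string) bool {
	for _, c := range cands {
		if c == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input taken from the report: the Django package as catalogued in the image.
	p := Package{Type: "python", Name: "python-Django", Version: "3.2.15"}
	for _, c := range CandidateCPEs(p) {
		fmt.Println(c)
	}
}
```

Running it prints four candidates, including both the `django:django` and `djangoproject:django` forms; a downstream matcher only needs one of them to coincide with the NVD entry. Extending the table is a one-line change per package, which is the kind of edit the maintainers' comment points at, though whether syft's real table has exactly this shape is not something this example claims.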