CPE Version match #5870
Unanswered
bennetleins asked this question in Q&A
Replies: 1 comment 1 reply
Yeah that looks like a data quality issue in the NVD, and they should've used
It is currently not possible to add or remove affected version ranges from vulnerabilities. But you could create an internal vulnerability instead: https://docs.dependencytrack.org/datasources/private-vuln-repo/#affected-components
I have cpe:2.3:a:st:stm32cubef7:1.2.3:*:*:*:*:*:*:* in my SBOM and I know that CVE-2020-20949 affects this component. The problem is the CPE inside the CVE is cpe:2.3:a:st:stm32cubef7:-:*:*:*:*:*:*:* (no version but a dash), so Dependency-Track won't match the CVE to my component. If I enter an asterisk it would match, but I don't want to get CVEs for all versions and I don't want to check every component we include by hand.
Is there someone who faced a similar issue here who could maybe help me out?
Would it be possible to add an option to dependency-track to match a dash with every version?
Thanks in advance.
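To see why the dash blocks the match, here is an added example (not Dependency-Track's own code) that applies the NISTIR 7696 attribute relations to the two CPE 2.3 strings from the question: a '-' (NA) version is DISJOINT from any concrete version, while '*' (ANY) is a SUPERSET of it. The `na_means_any` flag is a hypothetical name for the relaxation asked about, not an existing option.

```python
"""CPE 2.3 name matching with the NISTIR 7696 attribute relations (ANY / NA / value).

Added example, not Dependency-Track's own code. Escaped colons inside attribute
values are not handled; the CPEs from the question contain none."""
ANY, NA = "*", "-"
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
# CPEs from the question: the SBOM component and the CVE's CPE with a '-' version,
# plus a constructed variant with '*' (ANY) for comparison.
SBOM_CPE = "cpe:2.3:a:st:stm32cubef7:1.2.3:*:*:*:*:*:*:*"
CVE_CPE_NA = "cpe:2.3:a:st:stm32cubef7:-:*:*:*:*:*:*:*"
CVE_CPE_ANY = "cpe:2.3:a:st:stm32cubef7:*:*:*:*:*:*:*:*"


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def compare_attr(source: str, target: str) -> str:
    """Relation of a source (vulnerability) attribute to a target (SBOM) attribute.

    ANY ('*') is a SUPERSET of every other value; NA ('-') equals only NA and is
    DISJOINT from any concrete value. Embedded wildcards ('1.2.*') are literal here.
    """
    if source == target:
        return "EQUAL"
    if source == ANY:
        return "SUPERSET"
    if target == ANY:
        return "SUBSET"
    return "DISJOINT"  # e.g. '-' vs '1.2.3', or two different concrete values


def cpe_matches(vuln_cpe: str, sbom_cpe: str, na_means_any: bool = False) -> bool:
    """True if every vulnerability attribute is EQUAL to or a SUPERSET of the
    SBOM attribute. `na_means_any` is a hypothetical switch for the relaxation
    asked about: a '-' version in the vulnerability CPE is read as '*'."""
    vuln, sbom = parse_cpe23(vuln_cpe), parse_cpe23(sbom_cpe)
    for field in FIELDS:
        src = vuln[field]
        if na_means_any and field == "version" and src == NA:
            src = ANY
        if compare_attr(src, sbom[field]) not in ("EQUAL", "SUPERSET"):
            return False
    return True
```

With the strict relations, `cpe_matches(CVE_CPE_NA, SBOM_CPE)` is False and `cpe_matches(CVE_CPE_ANY, SBOM_CPE)` is True; the relaxed mode would flag every version of the product, which is the over-reporting the question wants to avoid.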