Deviation of reported vulnerabilities between DT and NVD when no version is specified in CPE #4609

Closed
2 tasks done
KS-DR opened this issue Feb 3, 2025 · 1 comment · Fixed by #4610
Labels: defect (Something isn't working), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
Milestone

Comments


KS-DR commented Feb 3, 2025

Current Behavior

DT reports other vulnerabilities for a CPE like cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:* than the NVD search. The attached screenshot shows the deviations.

[Image: screenshot of the deviations between DT and NVD results]

Steps to Reproduce

1. Create a component in a project and use CPE cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
2. Compare the reported vulnerabilities in DT with the NVD results under https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Azlib%3Azlib%3A*%3A*%3A*%3A*%3A*%3A*%3A*%3A*

Expected Behavior

DT should report the same vulnerabilities as the NVD when using NVD as a data source.

Dependency-Track Version

4.12.2

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.7

Browser

Microsoft Edge

Checklist
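The comparison the report expects (a component CPE with version `*` matching vulnerable-configuration CPEs of every version) as an added example; this is not Dependency-Track's code and not the fix in #4610. It assumes NISTIR 7696 name-matching semantics for the logical values ANY (`*`) and NA (`-`); the vulnerability ids in the sample data are constructed placeholders.

```python
# Added example, not Dependency-Track's code: CPE 2.3 matching with
# NISTIR 7696 logical values, showing why a component CPE whose version
# is '*' (ANY) should be matched against every version of the product.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(fs: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes,
    keeping '\\:' escapes so an escaped colon is not a separator."""
    if not fs.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string")
    parts, cur, i = [], "", len("cpe:2.3:")
    while i < len(fs):
        if fs[i] == "\\" and i + 1 < len(fs):   # keep escape + escaped char
            cur, i = cur + fs[i:i + 2], i + 2
        elif fs[i] == ":":
            parts.append(cur); cur, i = "", i + 1
        else:
            cur, i = cur + fs[i], i + 1
    parts.append(cur)
    if len(parts) != 11:
        raise ValueError(f"expected 11 attributes, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def compare_attr(src: str, tgt: str) -> str:
    """NISTIR 7696 relation of one attribute pair: EQUAL, SUPERSET,
    SUBSET or DISJOINT. '*' is ANY, '-' is NA; wildcards inside a
    value (e.g. '1.2.*') and NVD version ranges are not modelled."""
    if src == tgt:
        return "EQUAL"
    if src == "*":          # ANY covers any value, including NA
        return "SUPERSET"
    if tgt == "*":
        return "SUBSET"
    return "DISJOINT"

def is_affected(component: str, vuln_config: str) -> bool:
    """A component is affected unless some attribute is DISJOINT: an
    unspecified ('*') version on either side cannot exclude the match,
    which is the conservative behaviour the NVD CPE search shows."""
    comp, vuln = parse_cpe23(component), parse_cpe23(vuln_config)
    return all(compare_attr(comp[f], vuln[f]) != "DISJOINT" for f in FIELDS)

def affected_vulns(component: str, vulns: dict) -> list:
    """IDs of vulnerabilities with at least one matching configuration.
    `vulns` maps vulnerability id -> list of vulnerable-configuration CPEs."""
    return sorted(vid for vid, cfgs in vulns.items()
                  if any(is_affected(component, c) for c in cfgs))
```

Running `affected_vulns` with the zlib CPE from the report against a set of configurations with concrete versions returns every entry for vendor `zlib`, product `zlib`, which is what the NVD search in step 2 lists.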

KS-DR added labels defect (Something isn't working) and in triage on Feb 3, 2025
nscuro added labels p2 (Non-critical bugs, and features that help organizations to identify and reduce risk) and size/S (Small effort) and removed in triage on Feb 3, 2025
nscuro added this to the 4.12.4 milestone on Feb 3, 2025
Member

nscuro commented Feb 3, 2025

Thanks for reporting @KS-DR. I was able to reproduce the issue and we'll ship a fix in the next bugfix release.

@nscuro nscuro closed this as completed in d50af14 Feb 3, 2025
nscuro added a commit to nscuro/dependency-track that referenced this issue Feb 3, 2025
Fixes DependencyTrack#4609

Signed-off-by: nscuro <nscuro@protonmail.com>