On 8 Aug 2024, at 07:33, Peter Marko via lists.openembedded.org 
<[email protected]> wrote:
> 
> There is also gnu:zlib in CVE reports for zlib...
> 
> sqlite3 nvdcve_2-1.db
> sqlite> select vendor, count(*) from products where product='zlib' group by vendor;
> cloudflare|1
> gnu|1
> zlib|13
> sqlite> select * from products where product='zlib' and vendor = 'gnu';
> CVE-2016-9842|gnu|zlib|1.2.3.4|>=|1.2.9|<

Which is obviously wrong, as there isn’t a GNU zlib.  The references point to 
the same git tree, so this is a mistake in the CPE data. The CPE database 
acknowledges this by deprecating the gnu:zlib name and pointing at zlib:zlib:

  <cpe-item name="cpe:/a:gnu:zlib:-" deprecated="true" deprecation_date="2022-06-22T16:40:44.440Z">
    <title xml:lang="en-US">GNU zlib</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:zlib:-:*:*:*:*:*:*:*">
      <cpe-23:deprecation date="2022-06-22T12:40:44.440-04:00">
        <cpe-23:deprecated-by name="cpe:2.3:a:zlib:zlib:-:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
      </cpe-23:deprecation>
    </cpe-23:cpe23-item>
  </cpe-item>

We _could_ canonicalise the CPEs when we load the CVEs but that’s another 500MB 
file to fetch, so I’m unconvinced that’s worthwhile.

I was actually going to mail NIST about any attempt at rationalising the CPE 
data for historical CVEs, I’ll use this as a test case to see if they’re 
willing to retroactively fix the name in historical CVEs.

Ross
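The canonicalisation Ross describes, as an added example that is not code from the thread or from cve-check: read the CPE dictionary, collect every `deprecated="true"` item whose `deprecated-by` entry is a `NAME_CORRECTION`, and rewrite the `vendor`/`product` columns of CVE product rows through that map. The namespace URIs, the minimal `cpe-list` wrapper around the quoted entry and the function names are assumptions; the sample rows are constructed to match the query output quoted above.

```python
"""Canonicalise CVE product rows via CPE dictionary NAME_CORRECTION entries
(hypothetical helper; not cve-check's or NVD's own code)."""
import xml.etree.ElementTree as ET

# Namespaces of the NVD CPE dictionary (assumed; check against the real file).
NS = {
    "cpe": "http://cpe.mitre.org/dictionary/2.0",
    "cpe-23": "http://scap.nist.gov/schema/cpe-extension/2.3",
}

# Constructed sample: the deprecated gnu:zlib entry from the mail inside a
# minimal cpe-list root, plus one ordinary, non-deprecated entry.
SAMPLE_DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/a:gnu:zlib:-" deprecated="true"
            deprecation_date="2022-06-22T16:40:44.440Z">
    <title xml:lang="en-US">GNU zlib</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:zlib:-:*:*:*:*:*:*:*">
      <cpe-23:deprecation date="2022-06-22T12:40:44.440-04:00">
        <cpe-23:deprecated-by name="cpe:2.3:a:zlib:zlib:-:*:*:*:*:*:*:*"
                              type="NAME_CORRECTION"/>
      </cpe-23:deprecation>
    </cpe-23:cpe23-item>
  </cpe-item>
  <cpe-item name="cpe:/a:zlib:zlib:1.2.9">
    <title xml:lang="en-US">zlib 1.2.9</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:zlib:zlib:1.2.9:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
"""


def cpe23_vendor_product(name):
    """Return (vendor, product) from a CPE 2.3 formatted string
    'cpe:2.3:part:vendor:product:version:...'."""
    parts = name.split(":")
    return parts[3], parts[4]


def build_name_corrections(xml_text):
    """Map (vendor, product) of each deprecated CPE name to the (vendor, product)
    it was corrected to. Only NAME_CORRECTION deprecations are used: other
    deprecation types are not a one-to-one rename and must not be folded."""
    root = ET.fromstring(xml_text)
    corrections = {}
    for item in root.findall("cpe:cpe-item", NS):
        if item.get("deprecated") != "true":
            continue
        item23 = item.find("cpe-23:cpe23-item", NS)
        if item23 is None:
            continue
        old = cpe23_vendor_product(item23.get("name"))
        for dep in item23.findall("cpe-23:deprecation/cpe-23:deprecated-by", NS):
            if dep.get("type") == "NAME_CORRECTION":
                corrections[old] = cpe23_vendor_product(dep.get("name"))
                break
    return corrections


def canonicalise_rows(rows, corrections):
    """Rewrite vendor/product in (cve, vendor, product, ...) tuples, leaving
    rows with no correction untouched."""
    out = []
    for row in rows:
        cve, vendor, product, *rest = row
        vendor, product = corrections.get((vendor, product), (vendor, product))
        out.append((cve, vendor, product, *rest))
    return out


# Constructed rows shaped like the 'products' table output quoted in the mail.
SAMPLE_ROWS = [
    ("CVE-2016-9842", "gnu", "zlib", "1.2.3.4", ">=", "1.2.9", "<"),
    ("CVE-0000-0000", "cloudflare", "zlib", "1.0", ">=", "1.1", "<"),
]

if __name__ == "__main__":
    fixed = canonicalise_rows(SAMPLE_ROWS, build_name_corrections(SAMPLE_DICTIONARY))
    for row in fixed:
        print("|".join(row))
```

The map is keyed on the CPE 2.3 `vendor:product` pair rather than the full name, which matches how the products table is queried, and it is the only part that needs the large dictionary file: it can be built once and cached as a small JSON map rather than re-parsed on every CVE load.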
View/Reply Online (#203135): https://lists.openembedded.org/g/openembedded-core/message/203135