Inconsistent NVD known affected software in Dtrack #4255

@calderonth

Description

Current Behavior

It seems Dtrack is not properly syncing (or updating) known affected software configurations:

For instance, if we take CVE-2024-23113 and look at the list of known affected versions, we get the following:

cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | From (including) 7.0.0 | Up to (including) 7.0.14
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | From (including) 7.2.0 | Up to (including) 7.2.8
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | From (including) 7.4.0 | Up to (including) 7.4.2
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* | From (including) 7.0.0 | Up to (including) 7.0.3
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* | From (including) 7.2.0 | Up to (including) 7.2.3
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | From (including) 7.0.0 | Up to (including) 7.0.13
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | From (including) 7.2.0 | Up to (including) 7.2.6
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | From (including) 7.4.0 | Up to (including) 7.4.2
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* | From (including) 1.0.0 | Up to (including) 1.0.3
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* | From (including) 1.1.0 | Up to (including) 1.1.2
cpe:2.3:o:fortinet:fortipam:1.2.0:*:*:*:*:*:*:*

Now if we look at this vulnerability in Dtrack, we get the following known affected components list:

cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (>=7.0.0|<=7.0.3) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (>=7.2.0|<=7.2.3) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (>=7.0.0|<=7.0.14) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (>=7.2.0|<=7.2.8) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (>=7.4.0|<=7.4.2)

It is clearly missing entries, so adding a component to a project with a matching CPE would not yield the vulnerability (for example: cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*).

Steps to Reproduce

  1. Create a project
  2. Add a component with following CPE: cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*
  3. Observe missing vulnerability match

Expected Behavior

I would expect the NVD data synced in Dtrack to correctly reflect known affected software so that CPE matching can reliably be used.

Dependency-Track Version

4.11.x

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Google Chrome

Checklist
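A quick way to check a finding like this one is to replay the matching locally: take the affected-version ranges NVD publishes for the CVE, take the ranges the Dependency-Track instance actually holds, and ask both sets whether a given component CPE should match. The script below is an added example written for this issue, not Dependency-Track code and not the reporter's; the two range lists are transcribed from the listings above, the helper names (`AffectedRange`, `matches`, `missing_from`) are ours, and it deliberately implements only what those listings need (part/vendor/product equality, a dotted-numeric version order, and the inclusive start/end bounds shown), so it is a diagnostic aid rather than a full CPE 2.3 matcher.

```python
"""Replay NVD affected-configuration matching for CVE-2024-23113.

Constructed example; range data transcribed from the issue's two listings.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AffectedRange:
    cpe: str                    # CPE 2.3 string; version field may be '*'
    start_incl: Optional[str]   # "From (including)" bound, None if absent
    end_incl: Optional[str]     # "Up to (including)" bound, None if absent


# Known affected configurations as NVD lists them (from the issue).
NVD_RANGES = [
    AffectedRange("cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "7.0.0", "7.0.14"),
    AffectedRange("cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "7.2.0", "7.2.8"),
    AffectedRange("cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "7.4.0", "7.4.2"),
    AffectedRange("cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "7.0.0", "7.0.3"),
    AffectedRange("cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "7.2.0", "7.2.3"),
    AffectedRange("cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "7.0.0", "7.0.13"),
    AffectedRange("cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "7.2.0", "7.2.6"),
    AffectedRange("cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "7.4.0", "7.4.2"),
    AffectedRange("cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "1.0.0", "1.0.3"),
    AffectedRange("cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "1.1.0", "1.1.2"),
    AffectedRange("cpe:2.3:o:fortinet:fortipam:1.2.0:*:*:*:*:*:*:*", None, None),
]

# What the Dependency-Track instance showed for the same CVE (from the issue).
DTRACK_RANGES = [
    AffectedRange("cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "7.0.0", "7.0.3"),
    AffectedRange("cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "7.2.0", "7.2.3"),
    AffectedRange("cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "7.0.0", "7.0.14"),
    AffectedRange("cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "7.2.0", "7.2.8"),
    AffectedRange("cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "7.4.0", "7.4.2"),
]


def split_cpe(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields.

    Escaped colons ("\\:") do not occur in the sample data and are not handled.
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Sort key for dotted versions: numeric segments compare as integers,
    anything else as a string that sorts after all integers."""
    return tuple((0, int(seg)) if seg.isdigit() else (1, seg)
                 for seg in version.split("."))


def matches(component_cpe: str, rng: AffectedRange) -> bool:
    """True if the component CPE falls inside one affected configuration."""
    comp, cfg = split_cpe(component_cpe), split_cpe(rng.cpe)
    # Fields 2..4 are part, vendor, product; '*' in the configuration matches anything.
    for i in (2, 3, 4):
        if cfg[i] != "*" and cfg[i] != comp[i]:
            return False
    comp_ver, cfg_ver = comp[5], cfg[5]
    if cfg_ver != "*":
        # Exact-version configuration, such as fortipam 1.2.0 above.
        return cfg_ver == comp_ver
    if comp_ver in ("*", "-", ""):
        return False  # an unversioned component cannot be range-matched
    key = version_key(comp_ver)
    if rng.start_incl is not None and key < version_key(rng.start_incl):
        return False
    if rng.end_incl is not None and key > version_key(rng.end_incl):
        return False
    return True


def affected(component_cpe: str, ranges: Iterable[AffectedRange]) -> bool:
    """True if any configuration in `ranges` covers the component."""
    return any(matches(component_cpe, r) for r in ranges)


def missing_from(have: Iterable[AffectedRange], want: Iterable[AffectedRange]) -> List[AffectedRange]:
    """Configurations present in `want` (NVD) but absent from `have` (D-Track)."""
    present = set(have)
    return [r for r in want if r not in present]


if __name__ == "__main__":
    component = "cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*"
    print("NVD says affected:   ", affected(component, NVD_RANGES))
    print("D-Track says affected:", affected(component, DTRACK_RANGES))
    for r in missing_from(DTRACK_RANGES, NVD_RANGES):
        print("missing:", r.cpe, r.start_incl, r.end_incl)
```

Run against the issue's data, the script reports the reproduction case (FortiOS 7.0.12) as affected by the NVD ranges and not by the Dependency-Track ranges, and lists the six configurations (all FortiOS and FortiPAM entries) that the instance never stored. The same comparison, fed from the NVD API and the Dependency-Track REST API instead of the transcribed lists, is a cheap periodic sanity check that a vulnerability database mirror has not silently dropped configurations.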

Labels

  - defect: Something isn't working
  - p2: Non-critical bugs, and features that help organizations to identify and reduce risk
  - size/S: Small effort
