You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It seems Dtrack is not properly syncing (or updating) known affected software configurations:
For instance, if we take CVE-2024-23113 and look at the list of known affected versions, we get the following:
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.0.0 | Up to (including)7.0.14
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.2.0 | Up to (including)7.2.8
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.4.0 | Up to (including)7.4.2
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.0.0 | Up to (including)7.0.3
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.2.0 | Up to (including)7.2.3
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.0.0 | Up to (including)7.0.13
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.2.0 | Up to (including)7.2.6
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)7.4.0 | Up to (including)7.4.2
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)1.0.0 | Up to (including)1.0.3
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* Show Matching CPE(s) | From (including)1.1.0 | Up to (including)1.1.2
cpe:2.3:o:fortinet:fortipam:1.2.0:*:*:*:*:*:*:*
Now if we look at this vulnerability in Dtrack, we get the following known affected components list:
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (>=7.0.0\|<=7.0.3) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (>=7.2.0\|<=7.2.3) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (>=7.0.0\|<=7.0.14) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (>=7.2.0\|<=7.2.8) | NVD | 11 Oct 2024 at 01:35:25
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (>=7.4.0\|<=7.4.2)
It is clearly missing entries, so adding a component to a project with a matching CPE would not yield the vulnerability (for example: cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*)
Steps to Reproduce
Create a project
Add a component with following CPE: cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*
Observe missing vulnerability match
Expected Behavior
I would expect the NVD data synced in Dtrack to correctly reflect known affected software so that CPE matching can reliably be used.
Current Behavior
It seems Dtrack is not properly syncing (or updating) known affected software configurations:
For instance, if we take CVE-2024-23113 and look at the list of known affected versions, we get the following:
Now if we look at this vulnerability in Dtrack, we get the following known affected components list:
It is clearly missing entries, so adding a component to a project with a matching CPE would not yield the vulnerability (for example:
cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*)Steps to Reproduce
cpe:2.3:o:fortinet:fortios:7.0.12:*:*:*:*:*:*:*Expected Behavior
I would expect the NVD data synced in Dtrack to correctly reflect known affected software so that CPE matching can reliably be used.
Dependency-Track Version
4.11.x
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
No response
Browser
Google Chrome
Checklist
The text was updated successfully, but these errors were encountered: