fix: ignore non-vulnerable CPEs from NVD CVEs #3245
Merged
fixes #3136 (at least partially: it excludes the "longer term potential feature" part)
As described in above issue, NVD source provides a list of affected CPE for a given CVE. This list may include non-vulnerable products such as OSes an affected product runs on, e.g. application v3.4 is vulnerable when it runs on Windows. The latter, although being mentioned in a CPE for this CVE, is not vulnerable with regard to that CVE.
Whether a CPE is vulnerable or not is provided in a `vulnerable` attribute that can be used during data ingestion. See Response configuration JSON sample. This PR ignores non-vulnerable CPEs when building/refreshing the CVE DB.

Limitations

`vulnerable` will be used, but it won't remove existing entries about non-vulnerable products (ingested from actual cve-bin-tool version). There is no way to figure it out from the current DB.

Note: I could not find unit tests related to NVD source parsing to build upon. I'll welcome suggestions, if any, regarding warranted tests for this PR.