Issue 529 in webp: Incorrect CPE for 11 CVEs?


jz… via monorail

Jun 29, 2021, 8:15:59 PM
to webp-d...@webmproject.org
Updates:
Labels: -Restrict-View-Security

Comment #3 on issue 529 by jz...@google.com: Incorrect CPE for 11 CVEs?
https://bugs.chromium.org/p/webp/issues/detail?id=529#c3

Removing the restrict-view label since this is in reference to public CVEs.


rschi… via monorail

Jun 30, 2021, 2:56:08 AM
to webp-d...@webmproject.org

Comment #4 on issue 529 by rschi...@redhat.com: Incorrect CPE for 11 CVEs?
https://bugs.chromium.org/p/webp/issues/detail?id=529#c4

I'm no CPE expert, but I see many other CVEs just have a CPE which matches all versions plus a "description" that can say From/Up to. Anyway, I'm going to check with other teammates, thanks for notifying me!

jz… via monorail

May 26, 2022, 10:00:32 PM
to webp-d...@webmproject.org

Comment #5 on issue 529 by jz...@google.com: Incorrect CPE for 11 CVEs?
https://bugs.chromium.org/p/webp/issues/detail?id=529#c5

Any update on this one?

rschi… via monorail

May 27, 2022, 9:29:14 AM
to webp-d...@webmproject.org

Comment #6 on issue 529 by rschi...@redhat.com: Incorrect CPE for 11 CVEs?
https://bugs.chromium.org/p/webp/issues/detail?id=529#c6

I don't have any update on this to be honest, but as said above it seems pretty common to have such a CPE with a description, so either those tools you are referencing are reporting a lot of false positives for many projects, or they are using some other info and the problem comes from there and not from the CPE. For example, https://nvd.nist.gov/vuln/detail/CVE-2022-23308, https://nvd.nist.gov/vuln/detail/CVE-2021-3596 and many others have the same kind of CPE+description.

jz… via monorail

May 27, 2022, 10:01:41 PM
to webp-d...@webmproject.org

Comment #7 on issue 529 by jz...@google.com: Incorrect CPE for 11 CVEs?
https://bugs.chromium.org/p/webp/issues/detail?id=529#c7

Thanks for the update. I'll take a closer look at these and if the change seems correct I'll file a pull request on https://github.com/CVEProject/cvelist. This was suggested by Google's security team.

jz… via monorail

Dec 16, 2022, 4:37:11 PM
to webp-d...@webmproject.org

Comment #8 on issue 529 by jz...@google.com: Incorrect CPE for 11 CVEs?
https://bugs.chromium.org/p/webp/issues/detail?id=529#c8

Looking at this a little more closely, I agree there are many examples like these, so it may be a limitation in the tools.

I did see a few in this range with extended version information [1][2][3][4]. These seem to be what was expected by the reporter.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-36320
[2] https://github.com/CVEProject/cvelist/blob/master/2020/36xxx/CVE-2020-36320.json
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-36321
[4] https://github.com/CVEProject/cvelist/blob/master/2020/36xxx/CVE-2020-36321.json
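The two record shapes the thread contrasts, as an added example that is not part of the issue thread or of the libwebp project: a CVE JSON 4.0 `version_data` entry whose only version is "n/a" (the range lives in the free-text description) versus an entry with an explicit `version_affected` operator. The records and libwebp version numbers below are constructed placeholders, not the real CVE-2020-36320/36321 entries.

```python
"""Show how a scanner reads CVE JSON 4.0 version_data entries.

A catch-all entry ("n/a") has no machine-readable range, so the only safe
reading is "all versions", which is where the false positives come from.
An entry with version_affected (an operator from the CVE JSON 4.0 schema)
lets the scanner compare against the installed version.
"""
import operator
import re

# Range operators allowed in version_affected by the CVE JSON 4.0 schema.
_OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
        ">": operator.gt, ">=": operator.ge}


def parse_version(v: str) -> tuple:
    """Turn '1.0.2' into (1, 0, 2); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))


def version_data_matches(version_data: list, installed: str) -> bool:
    """Return True if any version_data entry covers the installed version."""
    inst = parse_version(installed)
    for entry in version_data:
        value = entry.get("version_value", "n/a")
        if value in ("n/a", "", "*"):
            return True  # no range given: a scanner must assume every version
        op = _OPS.get(entry.get("version_affected", "="))
        if op is None:  # '!' / '?' style operators are not affected-range claims
            continue
        if op(inst, parse_version(value)):
            return True
    return False


# Constructed records (placeholder data, not real CVE entries).
CATCH_ALL = {"version_data": [{"version_value": "n/a"}]}  # range only in description
EXPLICIT = {"version_data": [{"version_value": "1.0.1", "version_affected": "<"}]}

if __name__ == "__main__":
    for v in ("0.6.1", "1.0.1", "1.2.4"):
        print(v, "catch-all:", version_data_matches(CATCH_ALL["version_data"], v),
              "explicit:", version_data_matches(EXPLICIT["version_data"], v))
```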