[1.4.4] Mysterious effect when matching by CPE


Vít Šesták

Dec 8, 2016, 7:44:56 AM
to Dependency Check
There are two Tomcat vulnerabilities in NVD that don't have a specific version, i.e. CVE-2016-5425 and CVE-2016-6325. As a result, they need to be – sooner or later – suppressed. According to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5425 and https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6325 , they both use a slightly different CPE for Tomcat. The first uses “cpe:/a:apache:tomcat” (no version specified at all), while the second uses “cpe:/a:apache:tomcat:-” (version is “-”).

When I try to suppress the latter (i.e., CVE-2016-6325), it suppresses matching the identifier, so both vulnerabilities disappear:

    <suppress>
        <cpe>cpe:/a:apache:tomcat</cpe>
        <cve>CVE-2016-6325</cve>
    </suppress>

Of course, I want to suppress both, but I don't want to do it this way :)

When I use <cpe>cpe:/a:apache:tomcat:-</cpe> instead, it works as expected.

Is this a bug, or a rough edge?

Regards,
Vít Šesták 'v6ak'

Jeremy Long

Feb 7, 2017, 7:19:43 PM
to Dependency Check
Sorry for the late reply to this. The following should suppress both:

    <suppress>
        <cpe>cpe:/a:apache:tomcat</cpe>
        <cve>CVE-2016-5425</cve>
        <cve>CVE-2016-6325</cve>
    </suppress>

Is there a reason you dislike this approach?

--Jeremy

Vít Šesták

Mar 6, 2017, 12:38:34 PM
to Dependency Check
Hello,
my main point is not whether it is separated into two suppression rules or kept in one single rule. My main point is about unexpected behavior: Why does the rule I posted suppress both? I assume it suppresses all vulnerabilities for Tomcat, which is not what I want.
Regards,
Vít Šesták 'v6ak'

Jeremy Long

May 14, 2017, 5:56:16 PM
to Dependency Check
The CPE matching is a "starts with" match, which is why the rule without the "-" suppresses both, while the one with the "-" only suppresses the one.

--Jeremy
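To make the "starts with" behaviour concrete, here is an added Python model of the two rules from this thread; it is not dependency-check's own code, and the assumption it encodes is the one stated in the replies: a `<cpe>` entry is a prefix match on the dependency's CPE identifier, and suppressing an identifier drops every CVE reported through it. The third vulnerability (`PLACEHOLDER-VERSIONED`, identifier `cpe:/a:apache:tomcat:8.0.0`) is a constructed placeholder added to show that the unversioned prefix also swallows versioned Tomcat identifiers.

```python
import xml.etree.ElementTree as ET

# Constructed sample vulnerabilities keyed by the CPE identifier NVD reports
# them under. The first two are the Tomcat CVEs from the thread; the third is
# a placeholder id for a versioned Tomcat identifier (constructed, not real).
VULNS = {
    "CVE-2016-5425": "cpe:/a:apache:tomcat",
    "CVE-2016-6325": "cpe:/a:apache:tomcat:-",
    "PLACEHOLDER-VERSIONED": "cpe:/a:apache:tomcat:8.0.0",
}


def _local(tag):
    """Strip an XML namespace so a real suppression file (which declares the
    dependency-suppression xmlns) parses the same as the bare snippets here."""
    return tag.rsplit("}", 1)[-1]


def parse_rule(xml_text):
    """Return (cpe_prefixes, cve_ids) from a single <suppress> element."""
    root = ET.fromstring(xml_text)
    cpes = [e.text.strip() for e in root if _local(e.tag) == "cpe"]
    cves = {e.text.strip() for e in root if _local(e.tag) == "cve"}
    return cpes, cves


def suppressed(rule_xml, vulns=VULNS):
    """Model of the rule's effect (an assumption based on the thread, not
    dependency-check's own code): a <cpe> entry is a starts-with match on the
    identifier and suppressing an identifier drops every CVE reported through
    it; a <cve> entry drops that one CVE id. Returns the sorted CVE ids that
    would disappear from the report."""
    cpes, cves = parse_rule(rule_xml)
    hit = set()
    for cve, ident in vulns.items():
        if cve in cves or any(ident.startswith(p) for p in cpes):
            hit.add(cve)
    return sorted(hit)


# The rule from the first post (unversioned prefix) and the "-" variant.
RULE_UNVERSIONED = """<suppress>
    <cpe>cpe:/a:apache:tomcat</cpe>
    <cve>CVE-2016-6325</cve>
</suppress>"""
RULE_DASH = RULE_UNVERSIONED.replace("tomcat</cpe>", "tomcat:-</cpe>")

if __name__ == "__main__":
    for name, rule in (("unversioned", RULE_UNVERSIONED), ("dash", RULE_DASH)):
        print(name, "->", suppressed(rule))
```

Running it shows the unversioned rule removing all three entries, while the `-` variant removes only CVE-2016-6325, matching what the first post observed.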