Hello,
thanks. Unfortunately, I was unable to make it work. When I configure it as you say, it still skips the CVE I mentioned, and the command “select * from cpeEntry where cpe NOT LIKE 'cpe:/a:%' LIMIT 10;” returns an empty set. IIUC, when I configure it to nonsense (e.g., “yycpe:”), it should import nothing, but this is also not the case.
In both cases, I ran the command-line ODC 1.4.5 tool against a MySQL DB. In both cases, I removed the whole database, because I assume the setting would affect only newly added (or maybe updated) issues, not past ones. I have checked that the verbose log contains a line like this one:
cve.cpe.startswith.filter='yycpe:'
However, when I look at the code, it seems pretty straightforward that it must work (at least if it is specified with JAVA_OPTS="-Dcve.cpe.startswith.filter=…"), so I am unsure what happens.
Regards,
Vít Šesták 'v6ak'
On Saturday, April 1, 2017 at 2:25:34 PM UTC+2, Jeremy Long wrote:
ATM - this functionality can be changed by supplying a configuration value (-Dcve.cpe.startswith.filter=cpe:)
This isn't documented very well, but it isn't something a normal user would ever need.
--Jeremy
We might want to reconsider this. CPE, to my understanding, supports applications, operating systems, and hardware devices. Although Dependency-Check only has analyzers that support applications, it also ships with an agent that anyone can use to supply their own evidence. The agent is used in Dependency-Track as well as other applications. So although Dependency-Check doesn’t support operating system or hardware device analyzers, that doesn’t mean it should be limited to applications.
A scenario I’m thinking of may involve an IoT vendor that wants to use Dependency-Track (or a similar app) to catalog the operating system, applications, firmware, etc. for multiple versions of their devices. When Dependency-Track calls the Dependency-Check agent to supply the evidence of these assets, there should be no reason why Dependency-Check shouldn’t check on those as well.
Thoughts?
By default, only application vulnerabilities are imported into the database. If you look at the affected software in the CVE it is all related to "cpe:2.3:o:...". The "o" stands for operating system. As dependency-check is not designed to scan operating systems, these CVEs are not imported.
--Jeremy
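Added example (not code from the thread or from Dependency-Check): a small model of the prefix filter Jeremy describes, run over a constructed list of CPE names in both the 2.2 URI notation stored in cpeEntry ("cpe:/o:...") and the 2.3 formatted-string notation quoted from the CVE ("cpe:2.3:o:..."). It shows why "cpe:/a:" keeps only application entries, why "cpe:" keeps everything including operating systems, and that a raw prefix check does not recognise application entries written in 2.3 notation, so a part-aware filter is the safer generalisation.

```python
# Added illustration of CPE prefix filtering; not Dependency-Check's own code.
CPE22_URI = "cpe:/"      # CPE 2.2 URI binding, e.g. cpe:/a:vendor:product:version
CPE23_FS = "cpe:2.3:"    # CPE 2.3 formatted string, e.g. cpe:2.3:a:vendor:product:...

PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}


def cpe_part(cpe: str) -> str:
    """Return the CPE 'part' letter (a/o/h) from either notation."""
    for prefix in (CPE23_FS, CPE22_URI):
        if cpe.startswith(prefix):
            return cpe[len(prefix):].split(":", 1)[0]
    raise ValueError(f"not a CPE name: {cpe!r}")


def prefix_filter(cpes, startswith_filter="cpe:/a:"):
    """Keep names whose raw text starts with the configured prefix, mirroring a
    startswith-style setting such as cve.cpe.startswith.filter."""
    return [c for c in cpes if c.startswith(startswith_filter)]


def part_filter(cpes, allowed_parts=frozenset({"a"})):
    """Keep names whose parsed part is allowed, regardless of notation."""
    return [c for c in cpes if cpe_part(c) in allowed_parts]


def parts_summary(cpes):
    """Map each kept part to a human-readable name and a count, for inspection."""
    counts = {}
    for c in cpes:
        name = PART_NAMES.get(cpe_part(c), "unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample affected-software list (not taken from any real CVE feed):
# a kernel entry (OS) and a library entry (application), each in both notations.
SAMPLE_CPES = [
    "cpe:/o:linux:linux_kernel:4.8",
    "cpe:2.3:o:linux:linux_kernel:4.8:*:*:*:*:*:*:*",
    "cpe:/a:example:example_lib:1.0",
    "cpe:2.3:a:example:example_lib:1.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for flt in ("cpe:/a:", "cpe:", "yycpe:"):
        print(flt, "->", parts_summary(prefix_filter(SAMPLE_CPES, flt)))
    print("part-aware ->", parts_summary(part_filter(SAMPLE_CPES)))
```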
On Fri, Mar 31, 2017 at 9:14 AM, Vít Šesták <…@v6ak.com> wrote:
Hello,
I have realized that vulnerability https://nvd.nist.gov/vuln/detail/CVE-2016-5195 is not imported from NVD and, when inspecting the source code, I haven't got any idea why this happens. Well, maybe I don't need this one to be imported, but I'd like to know why this happens, because it can point to some bug that can affect the overall accuracy (e.g., multiple vulnerabilities might get skipped).
Regards,
Vít Šesták 'v6ak'
--
You received this message because you are subscribed to the Google
Groups "Dependency Check" group.