German,
To be clear, CPE does not store vulnerabilitiies in it. Taken from NIST's website:
"Common Platform Enumeration (CPE) is a standardized method of
describing and identifying classes of applications, operating systems,
and hardware devices present among an enterprise's computing assets. CPE
does not identify unique instantiations of products on systems, such as
the installation of XYZ Visualizer Enterprise Suite 4.2.3 with serial
number Q472B987P113. Rather, CPE identifies abstract classes of
products, such as XYZ Visualizer Enterprise Suite 4.2.3, XYZ Visualizer
Enterprise Suite (all versions), or XYZ Visualizer (all variations)."
cpe_helper.json helps
translate applications and OSes into common, agreed upon naming schemes to later be used when querying for vulnerabilities from different vendors and CVE providers. It is a way to catalog the applications in your agents. Vulnerabilities are a different matter altogether. The vulnerability detector module
does update automatically with the feeds from different vendors and providers:
vulnerability detection.
That's why, even if CPE helper is outdated, some of the translations still hold up and an application catalog can be formed, and later, the VD module can get vulnerabilities for such applications and operating systems.
Lastly, regarding this:
> To be clearer about the temporary solution you propose, until version
4.8 is released, "update_date" must be modified with the correct date
from https://nvd.nist.gov/products/cpe
(today 04/20/2024 ; 12:39:20 a.m. -0400) and that way the wazuh CVE
list will be updated with the last NVD? That modification will allow
wazuh to detect new CVEs, yes?
No. The cpe_helper.json's "update_date" field must be changed to the date you made the modifications to the file. For example, if done today, it would be "2024-04-22THH:MMZ".
Warm regards.