CPE_helper

108 views
Skip to first unread message

M G

unread,
Mar 13, 2024, 9:25:36 AMMar 13
to Wazuh | Mailing List
Hello,

I tried to added a 7-zip to  vulnerabilities dictionaries (cpe_helper).
And this confguration doesn't work. Where I done mistake?

        {
            "target": "windows",
            "source": {
                "vendor": [
                "^Igor Pavlov"
                ],
                "product": [
                "^7-Zip"
                ],
                "version": []
            },
            "translation": {
                "vendor": [
                "7-zip"
                ],
                "product": [
                "7-zip"
                ],
                "version": []
            },
            "action": [
            "replace_vendor",
            "replace_product"
            ]
        }

Wazuh inventory:
7zip.jpg
and on NVD
nvd.jpg

Federico Gustavo Caffieri

unread,
Mar 13, 2024, 4:02:29 PMMar 13
to Wazuh | Mailing List
Hello M G, thank you for your patience.

The current problem with Vulnerability Detector for Windows is that it is limited to the existing translations in the CPE Helper, because the packages installed on Windows are not standardized like on Linux, and this means that we cannot easily obtain their CPE based on vendor and package name information.

Therefore, it currently detects vulnerabilities in packages listed in the following dictionary:

You can modify the CPE Helper manually to add new package translations to detect vulnerabilities in those new entries. Below is a step-by-step guide to adding new translations:
> Note that when you upgrade the manager, the CPE Helper will be overwritten, so I recommend that you keep a copy of the cpe_helper.json that you modify, so that you can replace it when you upgrade the manager.


We are already working on a Vulnerability Detector refactor, where we will normalize these translations so that they don't need to be added manually, and these package vulnerabilities will be detected correctly:

Please check the links, examples, documentation and guides, they should be helpful. In any case, do not hesitate to contact us again to try to help you. I hope to be helpful.

M G

unread,
Mar 15, 2024, 9:51:57 AMMar 15
to Wazuh | Mailing List
Hello Federico
I hope everything is fine with you

I found a solution of the problem.
Quite obvious, but this information is very missing in the documentation (cpe-helper - Maybe you can add?).
The <update_date> field must be updated in the cpe_helper file. Without editing this field, cve.db will not update. 
date.jpg
Now
sqlite3 cve.db
select * from CPE_HELPER_SOURCE;

1|0|vendor|^Martin Prikryl
1|0|product|^WinSCP


(you can also delete cve.db and download it again, but why?)

The second thing.
when reading the cve.db database (as above). Information about applications is in the reverse order compared to the cpe_helper file. I don't know if it's important, but I'd rather write an observation

sort.jpg

regards
Mateusz

Federico Gustavo Caffieri

unread,
Mar 18, 2024, 4:28:53 PMMar 18
to Wazuh | Mailing List
Hello Mateusz,
I'm glad to hear that you managed to solve your problem.
We will analyze the case of the documentation with the team, and if necessary it will be updated. Thank you very much for your contribution.

German DiCasas

unread,
Apr 17, 2024, 12:50:36 PMApr 17
to Wazuh | Mailing List
Hi, I have the same situation. If I change the  cpe_helper.json with the correct  <update_date> field,  that will be updated on the future? if not How can fix the problem if that field is not updated with the last NVD-CPE

Regards,

German

Reply all
Reply to author
Forward
0 new messages