CPE_helper


M G
Mar 13, 2024, 9:25:36 AM
to Wazuh | Mailing List
Hello,

I tried to add 7-Zip to the vulnerability dictionaries (cpe_helper).
This configuration doesn't work. Where did I make a mistake?

{
    "target": "windows",
    "source": {
        "vendor": [
            "^Igor Pavlov"
        ],
        "product": [
            "^7-Zip"
        ],
        "version": []
    },
    "translation": {
        "vendor": [
            "7-zip"
        ],
        "product": [
            "7-zip"
        ],
        "version": []
    },
    "action": [
        "replace_vendor",
        "replace_product"
    ]
}

Wazuh inventory: [attached screenshot: 7zip.jpg]
and on NVD: [attached screenshot: nvd.jpg]

Federico Gustavo Caffieri
Mar 13, 2024, 4:02:29 PM
to Wazuh | Mailing List
Hello M G, thank you for your patience.

The current problem with Vulnerability Detector for Windows is that it is limited to the existing translations in the CPE Helper, because the packages installed on Windows are not standardized like on Linux, and this means that we cannot easily obtain their CPE based on vendor and package name information.

Therefore, it currently detects vulnerabilities in packages listed in the following dictionary:

You can modify the CPE Helper manually to add new package translations to detect vulnerabilities in those new entries. Below is a step-by-step guide to adding new translations:
> Note that when you upgrade the manager, the CPE Helper will be overwritten, so I recommend that you keep a copy of the cpe_helper.json that you modify, so that you can replace it when you upgrade the manager.


We are already working on a Vulnerability Detector refactor, where we will normalize these translations so that they don't need to be added manually, and these package vulnerabilities will be detected correctly:

Please check the links, examples, documentation and guides; they should be helpful. In any case, do not hesitate to contact us again so we can try to help you. I hope this is helpful.

M G
Mar 15, 2024, 9:51:57 AM
to Wazuh | Mailing List
Hello Federico,
I hope everything is fine with you.

I found a solution to the problem.
Quite obvious, but this information is sorely missing from the documentation (cpe-helper; maybe you can add it?).
The <update_date> field must be updated in the cpe_helper file. Without editing this field, cve.db will not update.
[attached screenshot: date.jpg]
Now:
sqlite3 cve.db
sqlite> select * from CPE_HELPER_SOURCE;
1|0|vendor|^Martin Prikryl
1|0|product|^WinSCP


(you can also delete cve.db and download it again, but why?)

The second thing: when reading the cve.db database (as above), the information about applications is in the reverse order compared to the cpe_helper file. I don't know if it's important, but I'd rather note the observation.

[attached screenshot: sort.jpg]

regards
Mateusz

Federico Gustavo Caffieri
Mar 18, 2024, 4:28:53 PM
to Wazuh | Mailing List
Hello Mateusz,
I'm glad to hear that you managed to solve your problem.
We will analyze the case of the documentation with the team, and if necessary it will be updated. Thank you very much for your contribution.

German DiCasas
Apr 17, 2024, 12:50:36 PM
to Wazuh | Mailing List
Hi, I have the same situation. If I change cpe_helper.json with the correct <update_date> field, will that be updated in the future? If not, how can I fix the problem if that field is not updated with the latest NVD-CPE?

Regards,

German
