Flag for "and previous"
rmspeers opened this issue · 2 comments
When we look at CVE/CPE entries on other services, such as NIST CPE DB, we see that CPE searches help match with past versions. For example if version 0.50 was vulnerable, as well as anything previously, the CVE may not have all the versions set in the CPE.
In an example, CVE-2016-7409, the JSON data available via the cve-search dump includes:
...
'id': 'CVE-2016-7409',
...
'summary': 'The dbclient and server in Dropbear SSH before 2016.74, when '
'compiled with DEBUG_TRACE, allows local users to read process '
'memory via the -v argument, related to a failed remote ident.',
'vulnerable_configuration': [{'id': 'cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2016.73',
'title': 'cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:2016.73'}],
'vulnerable_configuration_cpe_2_2': ['cpe:/a:dropbear_ssh_project:dropbear_ssh:2016.73']}
However, checking on https://nvd.nist.gov/vuln/detail/CVE-2016-7409 and clicking "Show Matching CPEs" expands to show the 53 calculated CPEs that are vulnerable to this.
Likewise, their search from CPE to CVEs captures this: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3adropbear_ssh_project%3adropbear_ssh%3a0.50.
Meanwhile, a search on https://cve.circl.lu/api/cvefor/cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:0.50:*:*:*:*:*:*:* only returns a single CVE, which is the one that explicitly lists the CPE in it's vulnerable_configuration field.
The dataset would be significantly more useful if there is a way we can capture the data needed to compute the other CPEs affected, or if you can pre-compute these.
Have also posted to the main repo at cve-search#330
Stale issue message