Amazon Corretto 8 CPE names are not being reported for Subversions.
Closed this issue · 4 comments
Hi,
We are having an issue with our vulnerability tracker, which currently uses the CPE format. It is not able to check the NIST database for sub-version vulnerabilities, for example those found on the previous version 8.342.07.4. We found out about the release and the CVEs from a customer's scanning tool.
Why do the Amazon Corretto CPE names not include sub-versions, and why are they not being tracked by the NIST CVE database?
Hi,
We don't actively report Corretto CPEs to the NIST database, as Corretto fixes the CVEs in the same releases as the OpenJDK project, which has its own CPEs. For example, for OpenJDK 8 those would be the ones under cpe:2.3:a:oracle:openjdk:8:...
I can't tell you exactly how cpe:2.3:a:amazon:corretto:8:*:*:*:*:*:*:*
and cpe:2.3:a:amazon:corretto:11:*:*:*:*:*:*:*
were added to the CPE dictionary; it seems it happened on March 30th, 2022. This explains why only CPEs for 8 and 11 are present, but not for newer versions like 17. You can also see that no CVE is associated with the 8 or 11 CPEs.
If we start publishing information linking CVEs to specific Corretto versions in the NIST database instead of relying on the OpenJDK ones, we will take your feedback into consideration when choosing the proper CPE names.
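As an added illustration (not code from the thread or from the Corretto project), the following Python splits a CPE 2.3 formatted string on unescaped colons and, for an Amazon Corretto CPE such as the 8 or 11 entries above, builds the OpenJDK CPE family the maintainer points to. The mapping of any Corretto major version to the same OpenJDK major is an assumption generalised from the OpenJDK 8 example in the comment; the exact update-level OpenJDK CPEs are not given on this page, so the result is a wildcard pattern to query the NVD with, not a specific entry.

```python
from typing import Dict, List

# Field names of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
WFN_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def split_cpe23(cpe: str) -> List[str]:
    """Split on ':' but keep backslash-escaped colons (e.g. '1\\:2') inside a field."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # escaped char: copy both bytes verbatim
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Return the 11 WFN fields of a CPE 2.3 string, rejecting anything malformed."""
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(WFN_FIELDS, parts[2:]))


def openjdk_cpe_for_corretto(cpe: str) -> str:
    """Map an amazon:corretto CPE to the oracle:openjdk CPE family of the same major.

    Assumption (generalised from the OpenJDK 8 example in the thread): Corretto N.x
    tracks the CVEs published against OpenJDK N. Sub-version detail is dropped because
    the page gives no update-level OpenJDK CPE to map onto.
    """
    wfn = parse_cpe23(cpe)
    if (wfn["vendor"], wfn["product"]) != ("amazon", "corretto"):
        raise ValueError(f"not an Amazon Corretto CPE: {cpe!r}")
    major = wfn["version"].split(".")[0]          # "8.342.07.4" -> "8", "8" -> "8"
    if not major.isdigit():
        raise ValueError(f"cannot derive a major version from {wfn['version']!r}")
    return f"cpe:2.3:a:oracle:openjdk:{major}:*:*:*:*:*:*:*"
```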
Thanks for your prompt response. Is there any subscription feed where I can receive new release notifications? Any suggestions?
Hi, @linares-c-eng
I am not sure this is useful in your environment. We consume ALAS. All Corretto packages are tracked in these security bulletins, e.g. java-1.8.0-amazon-corretto.
Thanks. Will check that out. At this moment I will try a workaround for detecting new releases. The software we are using depends on CPE names only, which is currently a limitation. Thanks, team.