Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 906795 - net-misc/curl: incorrect CPEs listed in metadata.xml
Summary: net-misc/curl: incorrect CPEs listed in metadata.xml
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Misc (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-05-19 22:02 UTC by Michael Kochera
Modified: 2023-05-20 11:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Kochera 2023-05-19 22:02:16 UTC 
There are two CPE's that aren't actually known by NIST so don't connect to any CVE's. It has been seen that some scanners only scan the first CPE, though this is incorrect, it is leading to a large miss in CVE's because of those incorrect CPE's. Removing these CPE's will help improve this while also ensuring the metadata is fully accurate.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-20 05:51:23 UTC 
No need to reply here but just for completeness, I mentioned at https://github.com/gentoo/gentoo/pull/31078#discussion_r1199554985 that I'm a bit concerned:
"""
I'm a bit worried about this because Daniel is actively trying to move away from the haxxe name for curl purposes and scanners (as you noted in your bug) should really go for any-of.
"""