Bug 906795 - net-misc/curl: incorrect CPEs listed in metadata.xml
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Misc
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Keywords: PullRequest
Reported: 2023-05-19 22:02 UTC by Michael Kochera
Modified: 2023-05-20 11:07 UTC (History)
Description Michael Kochera 2023-05-19 22:02:16 UTC
There are two CPEs that aren't actually known by NIST, so they don't connect to any CVEs. It has been seen that some scanners only scan the first CPE; though this is incorrect, it is leading to a large miss in CVEs because of those incorrect CPEs. Removing these CPEs will help improve this while also ensuring the metadata is fully accurate.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-20 05:51:23 UTC
No need to reply here but just for completeness, I mentioned at https://github.com/gentoo/gentoo/pull/31078#discussion_r1199554985 that I'm a bit concerned:
"""
I'm a bit worried about this because Daniel is actively trying to move away from the haxxe name for curl purposes and scanners (as you noted in your bug) should really go for any-of.
"""
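
An added example, not part of the bug report or of any Gentoo tooling: how a scanner that reads only the first CPE remote-id from metadata.xml misses CVEs that an any-of match finds, and how to list the IDs the index does not know. The metadata fragment, vendor and product names, CVE index and CVE numbers are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed metadata.xml fragment; vendor/product names are placeholders.
METADATA_XML = """<pkgmetadata>
  <upstream>
    <remote-id type="cpe">cpe:/a:stale-vendor:examplepkg</remote-id>
    <remote-id type="cpe">cpe:/a:example-vendor:examplepkg</remote-id>
    <remote-id type="github">example/examplepkg</remote-id>
  </upstream>
</pkgmetadata>"""

# Constructed stand-in for a CVE feed keyed by (vendor, product).
CVE_INDEX = {
    ("example-vendor", "examplepkg"): ["CVE-0000-0001", "CVE-0000-0002"],
}

def cpe_ids(metadata_xml):
    """Return (vendor, product) for every <remote-id type="cpe">, in order."""
    root = ET.fromstring(metadata_xml)
    ids = []
    for el in root.iterfind("./upstream/remote-id[@type='cpe']"):
        parts = (el.text or "").strip().split(":")
        if len(parts) >= 5 and parts[:2] == ["cpe", "2.3"]:
            ids.append((parts[3].lower(), parts[4].lower()))  # CPE 2.3 string
        elif len(parts) >= 4 and parts[0] == "cpe":
            ids.append((parts[2].lower(), parts[3].lower()))  # CPE 2.2 URI
    return ids

def match_first_only(ids, index):
    """The scanner behaviour described in the report: look up ids[0] only."""
    return sorted(index.get(ids[0], [])) if ids else []

def match_any_of(ids, index):
    """Union of the CVEs attached to any listed CPE."""
    found = set()
    for key in ids:
        found.update(index.get(key, []))
    return sorted(found)

def unknown_ids(ids, index):
    """CPE IDs with no entry in the index: candidates for a metadata review."""
    return [key for key in ids if key not in index]

if __name__ == "__main__":
    ids = cpe_ids(METADATA_XML)
    print("first-only:", match_first_only(ids, CVE_INDEX))
    print("any-of:    ", match_any_of(ids, CVE_INDEX))
    print("unknown:   ", unknown_ids(ids, CVE_INDEX))
```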