OSS vs NVD #1383
Hi, we noticed some discrepancies in the reported vulnerabilities and investigated: all of them seem to be related to differences between the OSS Index and the NVD; some issues tracked here on GitHub also seem to be related to that topic (1167, 1198). The latest example we experienced is probably https://nvd.nist.gov/vuln/detail/CVE-2022-23181, which is not present in the OSS Index: this is being reported via dependency-check (via the NVD), but not by Dependency-Track. The issue threads about this topic usually end with "please open an issue with the OSS Index project", but I was wondering: would you be willing to give us the opportunity to have the NVD data be "the leading data source", so to speak? I understood that currently the OSS Index is the base for the analysis, and without the OSS Index configured Dependency-Track does not work (and there is probably a big and central part of the code responsible for that). Could that be changed? Kind regards,
The NVD continues to only support CPE for software identifiers, even though the majority of software cannot be described with CPE, nor can CPE be automatically generated or known in advance.

If an SBOM has CPEs for components, then the internal analyzer supporting the NVD will be able to pick it up. However, most SBOMs generated at build-time will not contain CPEs; they will contain Package URLs (purl). Refer to https://cyclonedx.org/use-cases/#known-vulnerabilities

Dependency-Check is able to find these vulnerabilities because it uses fuzzy matching, and in most cases will generate many false positives. See also https://docs.dependencytrack.org/odt-odc-comparison/
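As an added illustration of the CPE-versus-purl gap described in the reply above (example code written for this page, not code from Dependency-Track or from either participant): a small audit over a constructed CycloneDX SBOM that reports which components carry a CPE 2.3 identifier, and so can be matched by a CPE-keyed source such as the NVD, and which carry only a purl. The SBOM contents, component names and the `nvd_coverage` helper are all assumptions made up for the example.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.4 fragment (not taken from the page): the first component
# carries both a purl and a CPE, the second only a purl, as build-time SBOMs usually do.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.3",
     "purl": "pkg:maven/org.example/example-lib@1.2.3",
     "cpe": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"},
    {"type": "library", "name": "other-lib", "version": "4.5.6",
     "purl": "pkg:npm/%40scope/other-lib@4.5.6"}
  ]}""")

def parse_purl(purl):
    """Split a Package URL into type, namespace, name and version (qualifiers/subpath dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    rest, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    parts = rest.split("/")
    name = unquote(parts[-1])                       # percent-decode, e.g. %40scope -> @scope
    namespace = "/".join(unquote(p) for p in parts[:-1]) or None
    return {"type": ptype, "namespace": namespace, "name": name, "version": version or None}

def is_cpe23(cpe):
    """A CPE 2.3 formatted string has the 'cpe:2.3:' prefix and exactly 13 colon-separated
    fields. Simplified: escaped colons inside a field ('\\:') are not handled here."""
    return cpe.startswith("cpe:2.3:") and len(cpe.split(":")) == 13

def nvd_coverage(sbom):
    """For each component, record its purl coordinates and whether a well-formed CPE 2.3
    identifier is present, i.e. whether a CPE-keyed source like the NVD could match it."""
    report = []
    for comp in sbom.get("components", []):
        purl, cpe = comp.get("purl"), comp.get("cpe")
        report.append({
            "name": comp["name"],
            "purl": parse_purl(purl) if purl else None,
            "cpe_matchable": bool(cpe and is_cpe23(cpe)),
        })
    return report

if __name__ == "__main__":
    for row in nvd_coverage(SBOM):
        print(row["name"], "-> CPE-matchable" if row["cpe_matchable"] else "-> purl only")
```

Components reported as "purl only" are exactly the ones that a CPE-keyed analyzer cannot see, regardless of whether the NVD has a record for them.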