amanion-cisa
amanion-cisa
See also: https://jerrygamblin.com/2021/07/23/tracking-cpe-data-quality-issues/
As best I understand, single hyphen '-' means "not applicable" which means... that there is not applicable version for an entry? I believe the short answer is to always use...
Some explanation, which may or may not address the specific instances you noticed (which we will review!). > CPE strings must match NVD, where possible. Yes, and this is how...
Proposed addition to README.md. ### Schemas and validation CWE, CVSS, and CPE enrichment data conforms to the CVE Record Format [schema](https://github.com/CVEProject/cve-schema/). SSVC is implemented as a `metrics` type of `other`...
Appreciate the offer for a PR but it'll probably be more robust to fix this issue earlier in processing and closer to the data source. ~~The case shall be lower,...
Working on these upstream, [CVE-2024-29848](https://cveawg.mitre.org/api/cve/CVE-2024-29849) has been updated, let us know how that looks to you. We won't be able to accept this PR but thanks for pointing out the...
Just dropping an example: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228
CPE usage is, perhaps unclear at best, particularly within current CVE Record Format (see [this issue](https://github.com/CVEProject/quality-workgroup/issues/12)). One approach, as noted by @RamvigneshPasupathy, is to only use `vendor:product` in `cpes` and...
Overall "use of CPE in CVE" issues aside, the current CPE procedure is: 1. Only use `vendor:product` in the `cpes` list (except see #3 below) 2. Express version ranges in...
An option is to document the behavior (in the README), at least until a more lasting solution or decision is in place.