#1775: validate and update CPE vendor and product for all tools #1796
MarvMa wants to merge 14 commits into devonfw:main from
…evonfw#1787-yarn-version-broken
… non existent cpes
Added a new entry for the 2026.04.002 release with features and bugfixes.
Coverage Report for CI Build 24121121212: Coverage increased (+0.04%) to 70.506%
Uncovered Changes: No uncovered changes found. Coverage Regressions: 55 previously-covered lines in 12 files lost coverage.
Coverage Stats 💛 - Coveralls
…evonfw#1775-validate-cve-reportings # Conflicts: # CHANGELOG.adoc
…/github.com/MarvMa/IDEasy into bugfix/devonfw#1775-validate-cve-reportings
Wrongly committed changes have been removed from this PR.
hohwille left a comment
@MarvMa thank you for your PR. Great that you helped to improve this advanced topic.
CVE metadata is still complex and partially messy so not easy to figure out and get everything right. I also did not have it easy to do a review of your PR.
To summarize: Great job and good step forward 👍
I still cannot say that we got everything right now. However, let's complete and merge and then create individual tickets for future fixes and improvements.
Have a look at my review comments, please.
| @Override | ||
| public String getCpeVendor() { | ||
| return "astral-sh"; | ||
| return "astral"; |
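Review bot: replacing the hard-coded "astral-sh" with "astral" is an either/or choice; any CVE whose CPE criteria still names the vendor astral-sh stops matching the moment this lands, and a single-valued getCpeVendor() cannot express both spellings. Either keep the spelling the CVE records actually use (the reviewer points at CVE-2025-54368 as the reference) or widen the return type to a set of accepted vendor names before switching.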
IMHO this change is incorrect.
See e.g. https://cveawg.mitre.org/api/cve/CVE-2025-54368
I used the NVD CPE search as a single source of truth. Maybe the assumption that the search is correct might have been wrong. Here are the search results. Maybe this is not the correct tool?
My suggestion is that we refactor the approach and allow more flexibility instead of providing exactly one value for CPE vendor and product.
I see two aspects:
- The search criteria for CPE to find potential CVEs (should be specific but must not be exact, we could e.g. also search for anything starting with astral)
- Filter matching CVEs if their CPE does match. Here we could also support a Set of Strings that are accepted or we just provide a method with the CPE as argument returning a boolean that tells if we accept this as a match or not (at least for the generic API in AbstractUrlUpdater).
To make it still simple to implement an individual URL updater, we could provide a simple API where we can add vendors and products as either exact match or as infix. Example how this could look like in the future:
```java
protected void initCpe(CpeRegistry cpe) {
  cpe.addVendor("astral");
  cpe.addVendor("astral-sh");
  cpe.addProduct("uv");
}
```
If no vendor or product was added the initialization of the URL updater will fail.
| @Override | ||
| public String getCpeProduct() { | ||
| return "vscode"; | ||
| return "visual_studio_code"; |
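Review bot: "visual_studio_code" is the spelling used in the CPE criteria quoted in this thread (cpe:2.3:a:microsoft:visual_studio_code:...), but the same CVE's affected entry reads "Microsoft" / "Visual Studio Code". If the lookup ever falls back to the vendor/product fields for CVEs that carry no criteria, this exact lowercase-underscore value will only match after case folding and whitespace-to-underscore normalisation; worth a comment on the getter so nobody "fixes" it back to the display name.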
Seems fully correct.
However, just to open some discussion...
Looking at an example:
https://cveawg.mitre.org/api/cve/CVE-2025-64660
I see this:
"vendor":"Microsoft","product":"Visual Studio Code"
But also this:
"criteria":"cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*"
After digging in this CVE jungle I get the impression that the original methods getCpeProduct() and getCpeVendor() were actually planned for the properties vendor and product but later the implementation was actually based on the CPE criteria property.
To make it even more complex, there are CVEs that only have vendor and product but no CPE criteria property.
Exactly! That is very confusing. Sometimes CVEs exist for certain tools, but there's no CPE for that specific tool. Also some CPEs are not unique and it is not as simple to find out which criteria matches the product. I validated the CPEs against the manual search of the NVD website using the vendor and product as keywords to find the matching criteria property. It seems that this approach still misses CVEs.
I guess we should discuss if it would make sense to rethink the CVE logic to include CVEs mapped with the criteria field and additionally CVEs just containing vendor and product.
| @Override | ||
| public String getCpeVendor() { | ||
| return "jenkinsci"; | ||
| return "jenkins"; |
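Review bot: "jenkins" lines up with the NVD CPE entry cited below, but the reviewer also points at CVE-2026-33001 as a Jenkins CVE with no CPE criteria at all, so the vendor string alone does not guarantee that such records are found; the product value this updater returns has to match whatever vendor/product fields those CVEs carry, and that pairing is not visible in this hunk. A test that feeds one criteria-less record through the matcher would make the expectation explicit.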
Also no CPE in CVEs like https://cveawg.mitre.org/api/cve/CVE-2026-33001
I found this one. Isn't this the correct one?
https://nvd.nist.gov/products/cpe/detail/91BF01B3-BE76-4BDA-A42B-6DDA5BB9036E?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Ajenkins%3Ajenkins&status=FINAL
| @Override | ||
| public String getCpeProduct() { | ||
|
|
||
| return "jdk"; |
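Review bot: the removed value did not survive extraction, but the new return "jdk" is again one exact product, while the CVE quoted below uses the CPE product java_se (cpe:2.3:a:oracle:java_se:17.0.14:...). Java SE CVEs whose only CPE names java_se will never match a "jdk"-only product, so this getter needs to carry both spellings, or the API has to grow a multi-valued product before this value can be considered complete.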
Still not convinced about this one. See e.g.
https://cveawg.mitre.org/api/cve/CVE-2025-21587
"criteria": "cpe:2.3:a:oracle:java_se:17.0.14:*:*:*:*:*:*:*"
So IMHO here we have two products: jdk and java_se.
Please have a look and see if you can agree with my observation or not.
If we agree, we maybe create a new issue for that (Support multiple values for CPE product), merge this PR and plan a new PR to fix the new issue.
I agree, there are a few cases where two CPEs exist. For now I just chose one of them, but we should definitely consider adding an option to add more than one CPE (0..N) for both CPE vendor and product.
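The registry API sketched by hohwille earlier in this review (vendors and products accepted as exact or infix matches, initialization failing when nothing is registered), the CVEs that carry only vendor/product and no CPE criteria, and the jdk/java_se case from this thread, worked through as one added example. This is Python written for this page, not IDEasy code (the project is Java); the nesting of the constructed CVE records and the make_registry helper are assumptions made for illustration, not the cveawg schema or the project's API.

```python
# Added example (not IDEasy code, which is Java). The nesting of the constructed
# records ("containers", "affected", "criteria", "cpes") is an assumption modelled
# on the CVE snippets quoted in the thread; the records are not real CVEs.
import re
from dataclasses import dataclass, field

CPE_PREFIX = "cpe:2.3:"
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def normalize(name):
    """Map a free-text name ("Visual Studio Code") onto its CPE spelling
    ("visual_studio_code"): lowercase, whitespace runs become '_'."""
    return re.sub(r"\s+", "_", name.strip().lower())


def parse_cpe23(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string, else None.
    Split on unescaped ':' only, because CPE values may contain '\\:'."""
    if not isinstance(cpe, str) or not cpe.startswith(CPE_PREFIX):
        return None
    parts = _UNESCAPED_COLON.split(cpe)
    if len(parts) < 13:  # cpe:2.3:part:vendor:product:version + 7 more fields
        return None
    return parts[3], parts[4]


@dataclass
class CpeRegistry:
    """Accepted vendor/product names, each either an exact match or an infix."""
    exact_vendors: set = field(default_factory=set)
    infix_vendors: set = field(default_factory=set)
    exact_products: set = field(default_factory=set)
    infix_products: set = field(default_factory=set)

    def add_vendor(self, name, infix=False):
        (self.infix_vendors if infix else self.exact_vendors).add(normalize(name))

    def add_product(self, name, infix=False):
        (self.infix_products if infix else self.exact_products).add(normalize(name))

    def validate(self):
        """Fail fast, as proposed in the review, when nothing was registered."""
        if not (self.exact_vendors or self.infix_vendors):
            raise ValueError("no CPE vendor registered")
        if not (self.exact_products or self.infix_products):
            raise ValueError("no CPE product registered")

    def accepts(self, vendor, product):
        v, p = normalize(vendor), normalize(product)
        return ((v in self.exact_vendors or any(i in v for i in self.infix_vendors))
                and (p in self.exact_products or any(i in p for i in self.infix_products)))


def candidate_pairs(node):
    """Walk a parsed CVE document and yield (source, vendor, product) for every
    CPE under a "criteria"/"cpes" key and for every vendor+product object, so a
    record with no CPE criteria at all still yields its vendor/product pair."""
    if isinstance(node, dict):
        for key in ("criteria", "cpes"):
            raw = node.get(key)
            for cpe in ([raw] if isinstance(raw, str) else raw or []):
                vp = parse_cpe23(cpe)
                if vp:
                    yield ("cpe", vp[0], vp[1])
        if isinstance(node.get("vendor"), str) and isinstance(node.get("product"), str):
            yield ("affected", node["vendor"], node["product"])
        for child in node.values():
            yield from candidate_pairs(child)
    elif isinstance(node, list):
        for child in node:
            yield from candidate_pairs(child)


def matching_pairs(record, registry):
    """Every (source, vendor, product) of the record that the registry accepts;
    an empty list means the CVE is not reported for this tool."""
    registry.validate()
    return [p for p in candidate_pairs(record) if registry.accepts(p[1], p[2])]


def make_registry(vendors=(), products=(), infix_vendors=()):
    """Hypothetical convenience builder; mirrors the initCpe() sketch above."""
    r = CpeRegistry()
    for v in vendors:
        r.add_vendor(v)
    for v in infix_vendors:
        r.add_vendor(v, infix=True)
    for p in products:
        r.add_product(p)
    return r


# Constructed sample records (not real CVE data).
UV_CVE = {"containers": {
    "cna": {"affected": [{"vendor": "astral", "product": "uv"}]},
    "adp": [{"cpeApplicability": [{"nodes": [{"cpeMatch": [
        {"criteria": "cpe:2.3:a:astral-sh:uv:*:*:*:*:*:*:*:*"}]}]}]}]}}
VSCODE_CVE = {"containers": {"cna": {"affected": [  # vendor/product only, no CPE
    {"vendor": "Microsoft", "product": "Visual Studio Code"}]}}}
JAVA_CVE = {"containers": {"cna": {"affected": [{"vendor": "Oracle", "product": "Java SE",
    "cpes": ["cpe:2.3:a:oracle:java_se:17.0.14:*:*:*:*:*:*:*"]}]}}}
```

With make_registry(infix_vendors=["astral"], products=["uv"]) the uv record is matched through both its affected entry and its astral-sh criteria; with an exact "astral" only the affected entry matches. The VS Code record has no criteria at all and is found only because normalize() turns "Visual Studio Code" into visual_studio_code, and the Java record matches only once java_se is registered next to jdk. matching_pairs() keeps the source of each hit, so a report can show whether a CVE came in through a CPE string or only through its vendor/product fields.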
url-updater/src/main/java/com/devonfw/tools/ide/url/tool/java/JavaUrlUpdater.java (outdated, thread resolved)
remove unused
Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>
…evonfw#1775-validate-cve-reportings
This PR fixes #1775
Implemented changes:
collect-cpe-report.sh
Checklist for this PR
Make sure everything is checked before merging this PR. For further info please also see our DoD.
- mvn clean test locally: all tests pass and build is successful
- #«issue-id»: «brief summary» (e.g. #921: fixed setup.bat). If no issue ID exists, title only.
- In Progress and assigned to you, or there is no issue (might happen for very small PRs)
- with internal