How Naming Can Change the Game in Software Supply Chain Security




In many cases, as soon as a high-risk security vulnerability has been identified in a product, an even bigger problem emerges: how to identify the affected component or product by its assigned name in the National Vulnerability Database (NVD). That's because software products are identified in the NVD with a common platform enumeration (CPE) name, which is assigned by the National Institute of Standards and Technology (NIST), part of the US Department of Commerce.

The NVD uses a CPE to identify hardware and software components based on vendor, product, and version string. When software users want to determine, via the NVD, whether a component of a product they're using has any associated vulnerabilities, they must know the exact assigned CPE name of the component. However, it's often impossible to find a CPE for a particular component, whether it's open source or proprietary.

In most cases, this problem makes it impossible to reliably automate many of the processes required for software security, such as producing a software bill of materials (SBOM).

Why Finding Vulnerabilities in the NVD is Hard

To understand the scope of the problem, consider the following six conditions that make it extremely difficult, if not impossible, to search for component and product vulnerabilities in the NVD, due to its reliance on CPEs as the sole identifier.

1. Vulnerabilities are identified in the NVD with a common vulnerabilities and exposures (CVE) number, e.g., "CVE-2022-12345," and the Common Vulnerability Scoring System (CVSS) is used to assign a risk level to each CVE. A CPE is usually not created for a software product until a CVE is assigned to it. However, many software suppliers have never reported a vulnerability (which would generate a CVE), so a CPE has never been created for the product in the NVD.

This isn't necessarily because the products have never had vulnerabilities, but because the developer may not have reported any existing vulnerabilities to the NVD.

As a result, an NVD search will yield a "No matching records" response in both of the following situations:

(i) a vulnerability doesn't exist in a given product

(ii) a vulnerability exists but has never been reported by the developer

2. Since there is no error checking performed when a new CPE name is entered in the NVD, it's possible to create a product CPE that doesn't follow a consistent naming convention. As a result, when a user searches for the product using the correctly specified CPE, they may receive a "There are 0 matching records" error message. This is the same message they'd receive if the original (off-specification) CPE name were used but there were no CVEs reported against it.

When a user receives this message, it could mean there's a valid CPE for the product they're searching on but a CVE has never been reported for that product; it could also mean the CPE they entered doesn't match the CPE in the NVD, and that there are, in fact, CVEs attached to the (off-specification) CPE name submitted to the NVD.

The "There are 0 matching records" error message could also result if a user misspells the CPE name in the search bar. In this case, the user would have no way of knowing that the message was generated by a typo, and instead might assume the product has no reported vulnerabilities.

3. Over time, a product or supplier name may change due to a merger or acquisition, and the CPE name for the product may change as well. In this case, if a user searches for the original CPE, not the new CPE, they would not learn about new vulnerabilities. As before, they would receive the "There are 0 matching records" message.

4. This also applies to different variations of supplier or product names, such as "Microsoft" and "Microsoft Inc.," or "Microsoft Word" and "Microsoft Office Word," etc. Without the exact correct supplier or product name, an NVD search will yield incorrect results.

5. The same product can have multiple CPE names in the NVD if they're entered by different people who each use a different iteration. This can make it almost impossible to determine which name is correct. To make matters worse, if CVEs have been entered for each of the CPE variants, it would result in there being no "correct" name. One example is OpenSSL (e.g., "OpenSSL" versus "OpenSSL Framework"). Since no single CPE name contains all the OpenSSL vulnerabilities, users must search separately for each variation of the product name.

6. In many cases, a vulnerability will only affect one module of a library. However, since CPE names are assigned on the basis of products, not the individual modules they contain, users have to read the full CVE report to determine which module is vulnerable. If they don't, this can result in unnecessary patching or mitigations, such as when a vulnerable module isn't installed in the software product being used but other modules of the library are.

Fortunately, a cross-industry group called the SBOM Forum, which includes members of OWASP, The Linux Foundation, Oracle, and others, is working on the problem and has developed a proposal to improve the accuracy of the NVD with a focus on modern, automated use cases.

The group's recommendations, including the adoption of a package URL (purl) for software and GS1 Standards for hardware, are designed to create a standardized method to reliably query the NVD and receive accurate information on vulnerabilities.
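Both the lookup failures enumerated above (exact-match CPE searches that return "0 matching records" for a well-formed name while CVEs sit under an off-specification variant) and the purl recommendation are easier to see in working code. The following Python is an added example, not code from the article or from the SBOM Forum: it parses a CPE 2.3 formatted string and a purl into their component fields, then runs exact-match lookups against a small in-memory stand-in for NVD records. The CPE strings, purls and CVE ids in it are constructed placeholders and the index is an assumption standing in for the real NVD; the CPE 2.3 attribute order and the purl grammar follow their published specifications.

```python
"""Added example (not from the article): CPE 2.3 and purl parsing, plus the
exact-match lookup behaviour the article describes.

Every CPE, purl and CVE id below is a constructed placeholder."""
from urllib.parse import unquote

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped ':' into its 11 attributes."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # backslash escapes the next char
            cur.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE_FIELDS, fields[2:]))


def parse_purl(purl):
    """Parse pkg:type/namespace/name@version?qualifiers#subpath into a dict."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest, subpath = purl[4:], None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, qs = rest.split("?", 1)
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    rest = rest.strip("/")
    ptype, _, rest = rest.partition("/")   # type is case-insensitive, canonical lowercase
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = rest.split("/")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
        "name": unquote(segments[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def purl_key(purl):
    """Canonical identity of a package: spelling variants of the type collapse."""
    p = parse_purl(purl)
    return (p["type"], p["namespace"], p["name"], p["version"])


# Constructed stand-in for NVD records: CVE ids keyed by the CPE name that was
# actually submitted, including an off-specification variant (case 5 above).
VULN_RECORDS = {
    "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*": ["CVE-YYYY-0001"],
    "cpe:2.3:a:openssl:openssl_framework:1.0.1:*:*:*:*:*:*:*": ["CVE-YYYY-0002"],
}


def cves_for_cpe(cpe):
    """Exact-match lookup; a malformed string is rejected rather than reported as
    'no vulnerabilities', which is the typo failure mode in case 2 above."""
    parse_cpe23(cpe)
    return VULN_RECORDS.get(cpe, [])


def cves_for_variants(cpes):
    """What the article says users must do by hand: query every known variant of
    the name and union the results."""
    found = []
    for cpe in cpes:
        for cve in cves_for_cpe(cpe):
            if cve not in found:
                found.append(cve)
    return found


if __name__ == "__main__":
    canonical = "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*"
    variant = "cpe:2.3:a:openssl:openssl_framework:1.0.1:*:*:*:*:*:*:*"
    print("canonical only:", cves_for_cpe(canonical))
    print("all variants:  ", cves_for_variants([canonical, variant]))
    print("purl identity: ", purl_key("pkg:NPM/lodash@4.17.21"))
```

The CPE lookup shows the article's point directly: `openssl` and `openssl_framework` are two unrelated strings to the index, so a correctly specified search misses the CVE filed under the variant, and only a manual union over every spelling finds both. The purl side shows why the SBOM Forum favours it: the identifier is the package manager's own coordinates, so the parser yields one canonical key regardless of how the type is capitalised, and an SBOM tool can match it without guessing at vendor or product spellings.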
