Re: git: 4164ab866d06 - main - lang/njs: Fix CPE information
- In reply to: Sergey A. Osokin: "Re: git: 4164ab866d06 - main - lang/njs: Fix CPE information"
Date: Fri, 25 Mar 2022 13:10:46 UTC
---- On Fri, 25 Mar 2022 04:47:15 +0100 Sergey A. Osokin <osa@freebsd.org> wrote ----
> Hi Bernhard,
>
> hope you're doing well.
>
> On Fri, Mar 18, 2022 at 11:01:04PM +0000, Sergey A. Osokin wrote:
> > On Fri, Mar 18, 2022 at 10:04:55PM +0100, decke@freebsd.org wrote:
> > > ---- On Fri, 18 Mar 2022 19:01:43 +0100
> > > > > On Fri, Mar 18, 2022 at 03:55:49PM +0000, Bernhard Froehlich wrote:
> > > > > [...]
> > > > >
> > > > > -CPE_VENDOR= f5
> > > > > -CPE_PRODUCT= njs
> > > > > +CPE_VENDOR= nginx
> > > >
> > > > Why?
> > > >
> > > Because the CPE entry was wrong and does not exist in the CPE
> > > dictionary. Have a look at a recent CVE for njs and you will see
> > > that they use nginx:njs, https://nvd.nist.gov/vuln/detail/CVE-2021-46463
> >
> > Thanks for sharing this, Bernhard, I'll take a look on that.
>
> The CVE's been updated, could you please revert your commit.
>
> Thank you.
>
> --
> Sergey A. Osokin
>

Hi Sergey,

thanks for the heads up. As you have already seen NIST has deprecated nginx:njs now and replaced this and all other existing entries with f5:njs like you already had before. Now it looks okay in their database.

https://nvd.nist.gov/vuln/detail/CVE-2021-46463#VulnChangeHistorySection
https://nvd.nist.gov/products/cpe/detail/1150272?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3A*%3Anjs&status=FINAL

So I'm happy to revert it and have done so a few seconds ago.

Btw, my tool chkcpe has also noticed that the entry is deprecated now and told me to have a look. So it's all working as expected - which is good.

https://github.com/decke/chkcpe/wiki/deprecated

Thanks!
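
Review bot: at `+CPE_VENDOR= nginx` in the quoted hunk, nothing in the visible lines records which CPE dictionary entry the new vendor was checked against, and the thread shows the value being changed and then reverted within a week once NVD updated its record. Suggest citing the dictionary entry or CVE used as evidence in the commit message, so that a later deprecation of that entry can be traced back to this change. The hunk also removes `-CPE_PRODUCT= njs` with no replacement line visible after it; worth confirming that the product name the port falls back to is still `njs`, otherwise vulnerability matching against the port silently stops working.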