#1775: validate and update CPE vendor and product for all tools#1796
MarvMa wants to merge 12 commits into devonfw:main from
…evonfw#1787-yarn-version-broken
… non existent cpes
Added a new entry for the 2026.04.002 release with features and bugfixes.
Coverage Report for CI Build 24077258119 (Coveralls): coverage increased (+0.04%) to 70.681%. Uncovered changes: none found. Coverage regressions: 54 previously-covered lines in 12 files lost coverage.
…evonfw#1775-validate-cve-reportings # Conflicts: # CHANGELOG.adoc
…/github.com/MarvMa/IDEasy into bugfix/devonfw#1775-validate-cve-reportings
Wrongly committed changes have been removed from this PR.
hohwille left a comment
@MarvMa thank you for your PR. Great that you helped to improve this advanced topic.
CVE metadata is still complex and partially messy, so it is not easy to figure out and get everything right. I also did not find it easy to review your PR.
To summarize: great job and a good step forward 👍
I still cannot say that we have got everything right now. However, let's complete and merge, and then create individual tickets for future fixes and improvements.
Please have a look at my review comments.
| @Override | ||
| public String getCpeVendor() { | ||
| return "astral-sh"; | ||
| return "astral"; |
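Review bot: the `return "astral";` literal in `getCpeVendor()` replaces `"astral-sh"` without any note in the override recording which CVE record or CPE dictionary entry it was validated against; since this thread shows that a record's `vendor` field and its `cpe:2.3` criteria can spell the vendor differently, add a Javadoc line citing the source that justifies the value (for example the cveawg record quoted in the review comment below) so the next reviewer can re-check it instead of guessing.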
IMHO this change is incorrect.
See e.g. https://cveawg.mitre.org/api/cve/CVE-2025-54368
| @Override | ||
| public String getCpeProduct() { | ||
| return "vscode"; | ||
| return "visual_studio_code"; |
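Review bot: `"visual_studio_code"` is the CPE criteria spelling, while the record's `product` field reads `Visual Studio Code`; the two only coincide after lower-casing and replacing spaces with underscores, so the override (or the report script that consumes it) should state which of the two fields the value is compared against.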
Seems fully correct.
However, just to open some discussion...
Looking at an example:
https://cveawg.mitre.org/api/cve/CVE-2025-64660
I see this:
"vendor":"Microsoft","product":"Visual Studio Code"
But also this:
"criteria":"cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*"
After digging in this CVE jungle I get the impression that the original methods getCpeProduct() and getCpeVendor() were actually planned for the properties vendor and product, but later the implementation was actually based on the CPE criteria property.
To make it even more complex, there are CVEs that only have vendor and product but no CPE criteria property.
| @Override | ||
| public String getCpeVendor() { | ||
| return "jenkinsci"; | ||
| return "jenkins"; |
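Review bot: with `getCpeVendor()` changed to `"jenkins"`, the value can only be checked against the `vendor` field of records that carry no CPE criteria at all (the review comment below cites one such CVE), so whatever compares this string must normalize that free-text field the same way it would a CPE vendor component; otherwise this override cannot be validated against the records it is meant to match.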
Also no CPE in CVEs like https://cveawg.mitre.org/api/cve/CVE-2026-33001
| @Override | ||
| public String getCpeProduct() { | ||
|
|
||
| return "jdk"; |
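Review bot: `getCpeProduct()` returning the single literal `"jdk"` cannot cover records whose criteria name the product `java_se`, as the `cpe:2.3:a:oracle:java_se:17.0.14:*:*:*:*:*:*:*` example in this thread does; either return both names once the method supports multiple values, or document in the override which of the two forms the report script actually matches against so the gap is visible.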
Still not convinced about this one. See e.g.
https://cveawg.mitre.org/api/cve/CVE-2025-21587
"criteria": "cpe:2.3:a:oracle:java_se:17.0.14:*:*:*:*:*:*:*"
So IMHO here we have two products: jdk and java_se.
Please have a look and see if you can agree with my observation or not.
If we agree, we maybe create a new issue for that (Support multiple values for CPE product), merge this PR and plan a new PR to fix the new issue.
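The two observations in this thread, records that carry only `vendor`/`product` with no CPE criteria, and products that appear under more than one CPE product name such as `jdk` and `java_se`, can be checked mechanically. The following is an added example written for this discussion, not code from IDEasy or from this PR. It uses constructed, trimmed records that follow the CVE 5.x JSON field layout returned by the cveawg API (`containers.cna.affected[].vendor/product/cpes` and `containers.adp[].cpeApplicability[].nodes[].cpeMatch[].criteria`) with made-up values; it normalizes display names to CPE component form, parses `cpe:2.3` criteria, falls back to the `affected` fields when no criteria exist, and accepts a set of product names per tool (the "multiple values for CPE product" idea above, which the project does not implement yet).

```python
import re

# Constructed, trimmed records shaped like CVE 5.x JSON from the cveawg API.
# The field names follow the CVE record format; every value is made up for
# this example and does not describe any real CVE.
RECORDS = {
    "EXAMPLE-VSCODE": {  # display names in the CNA block, CPE criteria in the ADP block
        "containers": {
            "cna": {"affected": [{"vendor": "Microsoft", "product": "Visual Studio Code"}]},
            "adp": [{"cpeApplicability": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*"}]}]}]}],
        }
    },
    "EXAMPLE-JENKINS": {  # vendor/product only, no CPE criteria anywhere in the record
        "containers": {"cna": {"affected": [{"vendor": "Jenkins", "product": "Jenkins"}]}}
    },
    "EXAMPLE-JAVA": {  # CNA names the product one way, the CPE criteria another
        "containers": {
            "cna": {"affected": [{"vendor": "Oracle Corporation", "product": "Oracle Java SE"}]},
            "adp": [{"cpeApplicability": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:oracle:java_se:17.0.14:*:*:*:*:*:*:*"}]}]}]}],
        }
    },
}


def normalize(value):
    """Fold a free-text vendor/product name to CPE component form:
    lower-case, runs of non-alphanumerics collapsed to '_'.
    'Visual Studio Code' -> 'visual_studio_code'."""
    return re.sub(r"[^a-z0-9]+", "_", value.lower()).strip("_")


def parse_cpe23(criteria):
    """Return (vendor, product) from a cpe:2.3 formatted string, or None if it
    is not one. A well-formed cpe:2.3 string has exactly 13 components
    separated by unescaped colons; vendor is component 3, product is 4."""
    parts = re.split(r"(?<!\\):", criteria)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4]


def candidate_pairs(record):
    """Yield (source, vendor, product) for every place a record names the
    affected software: the CNA affected entries (normalized display names),
    any CPE strings attached to them, and ADP cpeApplicability criteria."""
    containers = record.get("containers", {})
    for entry in containers.get("cna", {}).get("affected", []):
        if entry.get("vendor") and entry.get("product"):
            yield "affected", normalize(entry["vendor"]), normalize(entry["product"])
        for cpe in entry.get("cpes", []):
            parsed = parse_cpe23(cpe)
            if parsed:
                yield "affected.cpes", parsed[0], parsed[1]
    for adp in containers.get("adp", []):
        for applicability in adp.get("cpeApplicability", []):
            for node in applicability.get("nodes", []):
                for cpe_match in node.get("cpeMatch", []):
                    parsed = parse_cpe23(cpe_match.get("criteria", ""))
                    if parsed:
                        yield "criteria", parsed[0], parsed[1]


def match(record, cpe_vendor, cpe_products):
    """Return the sources in which the record names cpe_vendor together with
    one of cpe_products, in the order they were found. An empty list means
    the record does not describe this tool under any of the given names."""
    wanted = set(cpe_products)
    return [src for src, vendor, product in candidate_pairs(record)
            if vendor == cpe_vendor and product in wanted]


if __name__ == "__main__":
    # Single product name misses the Java record; adding java_se catches it.
    for cve_id, record in RECORDS.items():
        print(cve_id, "jdk only:", match(record, "oracle", ["jdk"]),
              "jdk+java_se:", match(record, "oracle", ["jdk", "java_se"]))
    print("vscode:", match(RECORDS["EXAMPLE-VSCODE"], "microsoft", ["visual_studio_code"]))
    print("jenkins (no criteria):", match(RECORDS["EXAMPLE-JENKINS"], "jenkins", ["jenkins"]))
```

Running it shows the two behaviours the thread is about: the Jenkins-style record is only reachable through the `affected` fields, and the Java-style record is only reached once `java_se` is in the product set. A real report script would additionally compare versions from the same `affected` or `cpeMatch` entries; that is deliberately left out here so the vendor/product question stays isolated.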
| @Override | ||
| protected String getEdition() { | ||
|
|
||
| return "java"; | ||
| } | ||
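Review bot: the added `getEdition()` override returning `"java"` restates the default if the edition already falls back to the tool name, as the review comment below states; remove the override rather than carrying a method whose only effect is to duplicate the base behaviour.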
|
|
The method getEdition() defaults to the same value as getTool(). We only need to override for special editions.
| @Override | |
| protected String getEdition() { | |
| return "java"; | |
| } |
This PR fixes #1775
Implemented changes:
collect-cpe-report.sh
Checklist for this PR
Make sure everything is checked before merging this PR. For further info please also see our DoD.
- `mvn clean test` locally: all tests pass and build is successful
- `#«issue-id»: «brief summary»` (e.g. `#921: fixed setup.bat`). If no issue ID exists, title only.
- In Progress and assigned to you, or there is no issue (might happen for very small PRs)
- with internal