When registering software using the CPE Search, the product or version may not appear in the list of candidates. This is because the target product or version is not registered in NVD or JVN, which are data sources for CPE search in FutureVuls.
Please refer to Update CPE and update the relevant CPE version. The task status of the updated CPE will be changed at the time of the next scan.
Please search from NVD’s CPE search page.
Please be careful when registering CPEs. Please be careful when registering for CPE. If you make a mistake, you may get undetected or false positives.
Reference: NVD search result of JDK
Yes, you can. You can either enter directly in the version field or or by direct input of CPE.
Yes, it can. For details, please refer to Detecting Japanese software vulnerabilities with jvn.
[Task > Trust](/release-note/20210730/#%E6%A4%9C%E7%9F%A5%E3%81%95%E3%82%8C%E3%81%9F%E8%84%86%E5%BC%B1%E6%80%A7%E3%81%AE%E4%BF%A1%E9%A0 BC%E5%BA%A6%E3%82%92%E8%A1%A8%E7%A4%BA) is low, the task may be a false positive.
As of August 2021, scans using JVN have possible false positives.
FutureVuls can detect software vulnerabilities other than OS package management as listed below by registering CPE on the screen.
The information source for FutureVuls’ CPE scan is NVD’s JSON Feed. Specifically, the CPE Configuration column of the NVD’s JSON Feed is used for detection. If the Configurations information is registered in the NVD, it can be detected, but not if it is not registered.
Reference: CVE-2020-17530
No. CPE registration itself is possible, but it is useless due to false positives for the following two reasons
Details are explained below.
When an OS CPE is registered, all vulnerabilities associated with that OS and version registered in the NVD are detected. It does not know that a particular software update has been made. Therefore, vulnerabilities that have already been resolved through software updates will continue to be detected on Fvuls.
Here are the specifics (version is appropriate)
2.0.0-a
was shipped with RHEL7 release.2.0.0-a
and registered with NVD2.0.0-b
.2.0.0-b
, so CVE-2021-0001 continues to be detectedThe above over-detection makes the OS CPE scan practically useless.
Also, CPE scan of “package manager-managed software” causes false positives. Major Linux distributions such as RHEL, Ubuntu, and Debian provide updates through the backport mechanism. (Reference: [RHEL backporting](htt