CPE Scanning FAQs

When registering software with the CPE Search, the product or version may not appear in the list of candidates. This happens when the target product or version is not registered in NVD or JVN, the data sources FutureVuls uses for CPE search.

  • If the target product does not appear
    • Automatic vulnerability detection is not possible, because the product is not registered in the data source.
    • You need to manage vulnerabilities manually, by checking where each vendor discloses its vulnerabilities and how to check for them.
    • For asset-management purposes, you can enter a CPE with a name of your own (see /en/manual/scan/cpe/, section "2. URI format or formatted string format").
      • Note that such a CPE will not be subject to vulnerability detection.
  • If the target version does not appear, see "Can I register a version that does not appear in the CPE selection popup?" below.

I would like to know what to do on FutureVuls after implementing a software update for registered CPE.

Please refer to Update CPE and update the version of the relevant CPE. The task status of the updated CPE is changed at the next scan.

Is there any way to check if the registered CPE is correct?

Please search NVD's CPE search page.

Be careful when registering CPEs: a mistake can cause vulnerabilities to go undetected or produce false positives.

Reference: NVD search result of JDK

Can I register a version that does not appear in the CPE selection popup?

Yes, you can. Either enter the version directly in the version field, or input the CPE directly.

Can I detect Japanese software?

Yes. For details, please refer to Detecting Japanese software vulnerabilities with JVN.

Why does CPE scan give false positives?

If [Task > Trust](/release-note/20210730/#%E6%A4%9C%E7%9F%A5%E3%81%95%E3%82%8C%E3%81%9F%E8%84%86%E5%BC%B1%E6%80%A7%E3%81%AE%E4%BF%A1%E9%A0%BC%E5%BA%A6%E3%82%92%E8%A1%A8%E7%A4%BA) is low, the task may be a false positive.

As of August 2021, scans that use JVN may produce false positives.

Why are there CVEs that have pages in NVD but are not detected?

By registering a CPE on the screen, FutureVuls can detect vulnerabilities in software that is not managed by the OS package manager, such as:

  • OS and firmware of network devices
  • Commercial middleware such as Oracle WebLogic
  • Self-compiled software

The information source for FutureVuls' CPE scan is NVD's JSON Feed. Specifically, the CPE Configurations column of the NVD JSON Feed is used for detection. A CVE whose Configurations information is registered in NVD can be detected; a CVE without it cannot, even if the CVE has a page in NVD.

Reference: CVE-2020-17530


Can I register CPEs for my OS to manage vulnerabilities?

No. CPE registration itself is possible, but it is not useful, because false positives occur for the following two reasons:

  • a. A CPE scan does not access the actual device, so it does not notice version upgrades, and false positives occur.
  • b. False positives occur because NVD, which the CPE scan uses, does not account for backports.

Details are explained below.

a. A CPE scan does not access the actual device, so it is unaware of version upgrades, and false positives occur.

When an OS CPE is registered, every vulnerability that NVD associates with that OS and version is detected. The scan does not know that a particular software update has been applied. Therefore, vulnerabilities that have already been resolved through software updates continue to be detected in FutureVuls.

Here is a concrete example (the version numbers are illustrative):

  • Apache 2.0.0-a was shipped with the RHEL7 release.
  • Subsequently, CVE-2021-0001 was published for Apache 2.0.0-a and registered in NVD.
  • At this point, a CPE scan of RHEL7 detects CVE-2021-0001.
  • Apache is updated to 2.0.0-b on the host.
  • The CPE scan, which has no access to the actual machine, does not notice the update to 2.0.0-b, so CVE-2021-0001 continues to be detected.

This over-detection makes the OS CPE scan practically useless.
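To see the mechanics behind this, here is a small CPE 2.3 matcher, added as an example and not FutureVuls or NVD code, run over a constructed NVD-JSON-style record that lists both the Apache version range and the RHEL 7 OS CPE as affected. The CVE id, product names and versions are constructed, and the matching rules are a simplified reading of the cpe_match fields (cpe23Uri, versionStartIncluding, versionEndExcluding), not FutureVuls' implementation.

```python
# Added illustration, not FutureVuls or NVD code; CVE id, names and versions are constructed.
def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    keys = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, parts[2:]))

def vkey(version):  # sortable key: numeric parts as ints, suffixes such as 'a' as text
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.replace("-", ".").split("."))

def cpe_match(registered, crit):
    """True if a registered CPE falls inside one NVD cpe_match criterion."""
    reg, pat = parse_cpe23(registered), parse_cpe23(crit["cpe23Uri"])
    if any(pat[k] not in ("*", reg[k]) for k in ("part", "vendor", "product")):
        return False
    if reg["version"] in ("*", "-"):  # unknown version: never guess a match
        return False
    v = vkey(reg["version"])
    if pat["version"] != "*" and vkey(pat["version"]) != v:
        return False
    lo, hi = crit.get("versionStartIncluding"), crit.get("versionEndExcluding")
    return not ((lo and v < vkey(lo)) or (hi and v >= vkey(hi)))

def detected_cves(registered_cpes, nvd_items):
    """CVE ids whose 'configurations' match any registered CPE (the CPE scan)."""
    return [item["cve"]["CVE_data_meta"]["ID"] for item in nvd_items
            if any(m["vulnerable"] and cpe_match(r, m)
                   for node in item["configurations"]["nodes"]
                   for m in node["cpe_match"] for r in registered_cpes)]

# Constructed record: affected = Apache 2.0.0-a (fixed in 2.0.0-b) and RHEL 7 itself.
NVD_ITEMS = [{"cve": {"CVE_data_meta": {"ID": "CVE-2021-0001"}},
              "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
                  {"vulnerable": True, "versionStartIncluding": "2.0.0-a",
                   "versionEndExcluding": "2.0.0-b",
                   "cpe23Uri": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"},
                  {"vulnerable": True,
                   "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"}]}]}}]
APACHE_A = "cpe:2.3:a:apache:http_server:2.0.0-a:*:*:*:*:*:*:*"
APACHE_B = "cpe:2.3:a:apache:http_server:2.0.0-b:*:*:*:*:*:*:*"
RHEL7 = "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"
def scenario():
    """The host was patched to 2.0.0-b; the scan only sees the registered CPEs."""
    return {"cpes_unchanged": detected_cves([APACHE_A, RHEL7], NVD_ITEMS),
            "apache_cpe_updated": detected_cves([APACHE_B, RHEL7], NVD_ITEMS),
            "apache_cpe_updated_no_os_cpe": detected_cves([APACHE_B], NVD_ITEMS)}
```

Updating the Apache CPE, as the Update CPE answer above describes, clears the product match, but the registered OS CPE still matches because no OS version changed, which is exactly the over-detection described here.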

b. False positives occur because NVD, which the CPE scan uses, does not account for backports.

A CPE scan of "software managed by the package manager" also causes false positives. Major Linux distributions such as RHEL, Ubuntu, and Debian provide updates through backporting. (Reference: [RHEL backporting](htt