About NVD

December 24, 2019 1 minute

CPE

Meaning of cpe_match, by example:

"configurations": {
  "CVE_data_version" : "4.0",
  "nodes" : [ {
    "operator" : "AND",
    "children" : [ {
      "operator" : "OR",
      "cpe_match" : [ {
        "vulnerable" : true,
        "cpe23Uri" : "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
        "versionStartIncluding" : "10.3",
        "versionEndExcluding" : "10.3.183.19"
      }, {
        "vulnerable" : true,
        "cpe23Uri" : "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
        "versionStartIncluding" : "11.2",
        "versionEndIncluding" : "11.2.202.233"
      } ]
    }, {
      "operator" : "OR",
      "cpe_match" : [ {
        "vulnerable" : false,
        "cpe23Uri" : "cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*"
      }, {
        "vulnerable" : false,
        "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
      }, {
        "vulnerable" : false,
        "cpe23Uri" : "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"
      } ]
    } ]
  } ]
}

The above is a typical cpe_match example; it can be simplified as follows:

"operator": "AND",
  "children" : [ {
    "operator" : "OR",
    "cpe_match" : [ {
      ...
    } ]
  }, {
    "operator" : "OR",
    "cpe_match" : [ {
      ...
    } ]
  } ]

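As you can see, children contains two parts, and the relationship between them is described by the operator at the same level as children. In the example above that relationship is AND, which means that to match this vulnerability you must match a cpe23Uri in both parts of children. Within each part there is another operator describing the relationship among that part's cpe23Uri entries; in this example both are OR.

Suppose we have an operating system whose CPE is: cpe:/o:microsoft:windows_vista:6.0:sp1:~-~home_premium~-~x64~-. This CPE matches only Part 2 and does not hit any cpe23Uri in Part 1; moreover, vulnerable is false, so we cannot be 100% certain that this system has the vulnerability.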

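  • vulnerable: whether the entry is vulnerable
  • versionEndIncluding: up to and including this version, <=
  • versionStartIncluding: from this version onward, inclusive, >=
  • versionStartExcluding: after this version, exclusive, >
  • versionEndExcluding: before this version, exclusive, <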
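
The AND/OR evaluation and the four version bounds described above, as an added example that is not part of the original post or of any NVD tooling. It assumes a simplified match on part/vendor/product only (not full CPE 2.3 name matching) and dotted-integer versions; the inventory entries and the function names are constructed for illustration.

```python
# Added example: evaluates an NVD 1.1 "nodes" tree against an inventory.
# Assumption: CPEs are compared on part/vendor/product only and versions
# are dotted integers; this is not full CPE 2.3 name matching.
FLASH = "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"
NODES = [{"operator": "AND", "children": [          # the page's configuration
    {"operator": "OR", "cpe_match": [
        {"vulnerable": True, "cpe23Uri": FLASH,
         "versionStartIncluding": "10.3", "versionEndExcluding": "10.3.183.19"},
        {"vulnerable": True, "cpe23Uri": FLASH,
         "versionStartIncluding": "11.2", "versionEndIncluding": "11.2.202.233"}]},
    {"operator": "OR", "cpe_match": [
        {"vulnerable": False, "cpe23Uri": "cpe:2.3:o:%s:-:*:*:*:*:*:*:*" % p}
        for p in ("apple:mac_os_x", "linux:linux_kernel", "microsoft:windows")]},
]}]

def vkey(version):
    """'10.3.183.19' -> (10, 3, 183, 19), so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))

def in_range(version, m):
    """Apply whichever of the four version bounds the cpe_match entry has."""
    v = vkey(version)
    checks = {"versionStartIncluding": lambda b: v >= b,
              "versionStartExcluding": lambda b: v > b,
              "versionEndIncluding": lambda b: v <= b,
              "versionEndExcluding": lambda b: v < b}
    return all(test(vkey(m[k])) for k, test in checks.items() if k in m)

def evaluate(node, inventory):
    """Return (matched, hits); hits are (installed item, vulnerable flag)."""
    results = [evaluate(c, inventory) for c in node.get("children", [])]
    for m in node.get("cpe_match", []):
        key = tuple(m["cpe23Uri"].split(":")[2:5])   # (part, vendor, product)
        found = [i for i in inventory if i[0] == key and in_range(i[1], m)]
        results.append((bool(found), [(i, m["vulnerable"]) for i in found]))
    combine = all if node["operator"] == "AND" else any
    if not combine(ok for ok, _ in results):
        return False, []
    return True, [h for ok, hits in results if ok for h in hits]

def affected(nodes, inventory):
    """Installed items flagged vulnerable by any fully matched node."""
    return [item for node in nodes
            for item, vulnerable in evaluate(node, inventory)[1] if vulnerable]

WIN = (("o", "microsoft", "windows"), "10.0")           # constructed inventory
FLASH_OLD = (("a", "adobe", "flash_player"), "11.2.202.233")
print(affected(NODES, [FLASH_OLD, WIN]))   # both parts match, Flash is reported
print(affected(NODES, [WIN]))              # only Part 2 matches, AND fails
```

The operating-system entries carry vulnerable false, so they act only as a platform condition: they make the AND node match but are never reported as the vulnerable product.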
