
CPE search failed. #2594

Open
asadjaffar opened this issue Apr 11, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@asadjaffar

What happened: I was scanning an SBOM with a lucene component, but it failed to show me the vulnerability. I am attaching all the commands I used and the SBOM with it.

asad@asad-Lenovo-V330-15IKB:~/grype$ cat 5q46iw4f.cdx.json
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:58cc390b-f566-484a-8b03-f8ee06087669",
"version": 1,
"metadata": {
"timestamp": "2024-01-29T12:51:10Z",
"tools": {
},
"authors": [
{
"name": "Martin Rosso",
"email": "[email protected]"
}
],
"manufacturer": {
"name": "Universita degli Studi di Padova, Dipartimento di Matematica",
"address": {
"country": "Italy",
"locality": "Padua"
},
"url": ["https://www.math.unipd.it/"]
},
"supplier": {
"name": "OWASP",
"url": ["https://owasp.org/"]
},
"component": {
"bom-ref": "REF-juiceshop",
"type": "application",
"name": "OWASP Dependency-Track",
"version": "4.12.3",
"author": "OWASP",
"publisher": "OWASP",
"supplier": {"name": "OWASP"},
"copyright": "Apache 2.0"
},
"licenses": [ {"license": {"id": "CC-BY-4.0"} } ],
"properties": [
{
"name": "comment",
"value": "Minimal SBOM for research and education"
}
]
},
"components": [
{
"bom-ref": "REF-lucene",
"type": "library",
"name": "lucene",
"version": "8.11.4",
"cpe": "cpe:2.3:a:apache:lucene:8.11.4:::::::*"
}
],
"dependencies": [
{
"ref": "REF-juiceshop",
"dependsOn": ["REF-lucene"]
}
],
"vulnerabilities": []
}

asad@asad-Lenovo-V330-15IKB:~/grype$ grype version
Application: grype
Version: 0.91.0
BuildDate: 2025-04-01T15:59:35Z
GitCommit: 57d4a7c
GitDescription: v0.91.0
Platform: linux/amd64
GoVersion: go1.24.1
Compiler: gc
Syft Version: v1.22.0
Supported DB Schema: 6

asad@asad-Lenovo-V330-15IKB:~/grype$ grype sbom:5q46iw4f.cdx.json
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found

asad@asad-Lenovo-V330-15IKB:~/grype$ grype db search CVE-2024-45772
VULNERABILITY PACKAGE ECOSYSTEM NAMESPACE VERSION CONSTRAINT
CVE-2024-45772 cpe:2.3:a:org.apache.lucene:lucene-replicator:::::maven:* maven nvd:cpe >= 4.4.0, < 9.12.0
asad@asad-Lenovo-V330-15IKB:~/grype$

link to the NVD:

https://nvd.nist.gov/products/cpe/detail/2384A375-67BE-4E05-B167-EBC3E33B38AC?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Aapache%3Alucene%3A8.11.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*&status=FINAL

Thanks.

@asadjaffar asadjaffar added the bug Something isn't working label Apr 11, 2025
@spiffcs
Contributor

spiffcs commented Apr 11, 2025

Ahh I see where this is going wrong:

Using the CVE from the issue and this query against the DB v6:

SELECT 
    vh.*, 
    ach.*, 
    c.*
FROM 
    vulnerability_handles vh
JOIN 
    affected_cpe_handles ach 
    ON vh.id = ach.vulnerability_id
JOIN 
    cpes c 
    ON ach.cpe_id = c.id
WHERE 
    vh.name = 'CVE-2024-45772'
LIMIT 10;
org.apache.lucene	lucene-replicator maven	

The above is the CPE information we have for CVE-2024-45772 - this comes from the GHSA entry:
GHSA-g643-xq6w-r67c.

If you construct the CPE as shown in the above entry, using org.apache.lucene as the vendor and lucene-replicator as the product, then the entry will show correctly.

@asadjaffar
Author

As mentioned, this CVE is coming from GHSA. Does that mean grypedb doesn't query NVD? The CPE in the SBOM is valid, so in a case where such a CPE is present in an SBOM and grype shows "no CVE", it won't mean that there is no vulnerability present there.

@spiffcs
Contributor

spiffcs commented Apr 11, 2025

As mentioned, this CVE is coming from GHSA. Does that mean grypedb doesn't query NVD? The CPE in the SBOM is valid, so in a case where such a CPE is present in an SBOM and grype shows "no CVE", it won't mean that there is no vulnerability present there.

That's a good question!

Grype doesn't directly query NVD over the network. It uses grype-db as its data source, which is a combination of multiple vulnerability data sources including NVD. For some packages we use CPE matching, depending on the configuration:

match:
  # sets the matchers below to use cpes when trying to find
  # vulnerability matches. The stock matcher is the default
  # when no primary matcher can be identified.
  java:
    using-cpes: false
  python:
    using-cpes: false
  javascript:
    using-cpes: false
  ruby:
    using-cpes: false
  dotnet:
    using-cpes: false
  golang:
    using-cpes: false
    # even if CPE matching is disabled, make an exception when scanning for "stdlib".
    always-use-cpe-for-stdlib: true
    # allow main module pseudo versions, which may have only been "guessed at" by Syft, to be used in vulnerability matching
    allow-main-module-pseudo-version-comparison: false
  stock:
    using-cpes: true

Here is a copy of our current NVD data override for this record:
https://github.com/anchore/nvd-data-overrides/blob/main/data/2024/CVE-2024-45772.json

I'll see about getting the original node added here, but there might be some software that is detected as apache:lucene, which presents a false positive for CVE-2024-45772 when org.apache.lucene lucene-replicator is the correct match and not lucene.
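To make the two explanations above concrete (the vendor/product mismatch spiffcs found in the DB row, and the CPE-based matching the config enables), here is a toy re-implementation of CPE 2.3 matching. It is an added example, not grype's own code: the CPE strings and version constraint are copied from the issue, the CORRECTED_CPE is constructed the way spiffcs suggests, and empty or missing CPE fields are treated as the ANY wildcard (an assumption of this example, not necessarily grype's behaviour).

```python
"""Toy re-implementation of CPE matching to show why the SBOM above yields no hit."""
import re

# Taken from the issue text: the SBOM's CPE and the grype-db row for CVE-2024-45772.
SBOM_CPE = "cpe:2.3:a:apache:lucene:8.11.4:::::::*"
DB_CPE = "cpe:2.3:a:org.apache.lucene:lucene-replicator:::::maven:*"
DB_CONSTRAINT = ">= 4.4.0, < 9.12.0"
# Constructed: a CPE built as spiffcs suggests (vendor org.apache.lucene, product lucene-replicator).
CORRECTED_CPE = "cpe:2.3:a:org.apache.lucene:lucene-replicator:8.11.4:*:*:*:*:maven:*:*"


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into part/vendor/product/version.

    Empty or missing trailing fields are read as the ANY wildcard "*": a lenient
    assumption of this example, not grype's parser (the SBOM uses empty fields and
    the DB row is printed truncated)."""
    fields = cpe.split(":")
    if len(fields) < 6 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    names = ("part", "vendor", "product", "version")
    return {n: (v or "*") for n, v in zip(names, fields[2:6])}


def attr_match(a: str, b: str) -> bool:
    """ANY ("*") on either side matches; otherwise case-insensitive equality."""
    return a == "*" or b == "*" or a.lower() == b.lower()


def version_tuple(v: str) -> tuple:
    """Numeric dotted version -> comparable tuple; a wildcard gives an empty tuple."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def in_range(version: str, constraint: str) -> bool:
    """Evaluate a grype-style constraint such as '>= 4.4.0, < 9.12.0'."""
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}
    for clause in constraint.split(","):
        op, want = clause.strip().split(" ", 1)
        if not ops[op](version_tuple(version), version_tuple(want)):
            return False
    return True


def affected(sbom_cpe: str, db_cpe: str, constraint: str) -> bool:
    """Vendor and product are compared before the version range is consulted, so a
    vendor/product mismatch yields no match even for a version inside the range."""
    s, d = parse_cpe(sbom_cpe), parse_cpe(db_cpe)
    if not all(attr_match(s[k], d[k]) for k in ("part", "vendor", "product")):
        return False
    return in_range(s["version"], constraint)
```

`affected(SBOM_CPE, DB_CPE, DB_CONSTRAINT)` is False because `apache`/`lucene` never reaches the version check against `org.apache.lucene`/`lucene-replicator`, while `affected(CORRECTED_CPE, DB_CPE, DB_CONSTRAINT)` is True since 8.11.4 lies in the affected range.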
