About NVD
CPE
Meaning of cpe_match, with an example:
"configurations": {
  "CVE_data_version" : "4.0",
  "nodes" : [ {
    "operator" : "AND",
    "children" : [ {
      "operator" : "OR",
      "cpe_match" : [ {
        "vulnerable" : true,
        "cpe23Uri" : "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
        "versionStartIncluding" : "10.3",
        "versionEndExcluding" : "10.3.183.19"
      }, {
        "vulnerable" : true,
        "cpe23Uri" : "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
        "versionStartIncluding" : "11.2",
        "versionEndIncluding" : "11.2.202.233"
      } ]
    }, {
      "operator" : "OR",
      "cpe_match" : [ {
        "vulnerable" : false,
        "cpe23Uri" : "cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*"
      }, {
        "vulnerable" : false,
        "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
      }, {
        "vulnerable" : false,
        "cpe23Uri" : "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"
      } ]
    } ]
  } ]
}
The above is a typical cpe_match example. It can be simplified to the following:
"operator": "AND",
"children" : [ {
  "operator" : "OR",
  "cpe_match" : [ {
    ...
  } ]
}, {
  "operator" : "OR",
  "cpe_match" : [ {
    ...
  } ]
} ]
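As you can see, children contains two parts. The relationship between these two parts is described by the operator at the same level as children. In the example above that relationship is AND, which means that to match this vulnerability you must match a cpe23Uri in both parts of children. Within each part there is a further operator that describes the relationship among that part's cpe23Uri entries; in this example both are OR.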
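Suppose we have an operating system whose CPE is cpe:/o:microsoft:windows_vista:6.0:sp1:~-~home_premium~-~x64~-. This CPE only satisfies Part 2; it does not hit any cpe23Uri in Part 1, and vulnerable is false, so we cannot be 100% sure that the system has this vulnerability.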
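vulnerable: vulnerability (whether the matched CPE is itself vulnerable)
versionEndIncluding: up to this version, inclusive (<=)
versionStartIncluding: from this version, inclusive (>=)
versionStartExcluding: after this version, exclusive (>)
versionEndExcluding: before this version, exclusive (<)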
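The AND/OR evaluation and the version-range fields described above, as an added Python example (not code from the original page or from NVD): it walks a node recursively and reports a host as affected only when the whole node matches and at least one matching entry has vulnerable set to true. Assumptions: all function names are illustrative, CPE names contain no escaped colons, versions are numeric and dotted, and "-" in the version field is treated like "*".

```python
import operator

# Range key -> comparison, applied as op(installed_version, bound).
RANGE_OPS = {"versionStartIncluding": operator.ge, "versionStartExcluding": operator.gt,
             "versionEndIncluding": operator.le, "versionEndExcluding": operator.lt}

def ver_key(version):
    # Assumption: numeric dotted versions; trailing zeros dropped so 10.3 == 10.3.0.
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return parts

def entry_matches(entry, cpe):
    # Assumption: no escaped ':' in either name, so a plain split is enough.
    pat, got = entry["cpe23Uri"].split(":"), cpe.split(":")
    # part, vendor and product must agree; '*' in the pattern matches anything.
    if any(p not in ("*", g) for p, g in zip(pat[2:5], got[2:5])):
        return False
    bounds = [(k, entry[k]) for k in RANGE_OPS if k in entry]
    if bounds:  # range fields replace the wildcard version; unknown versions never match
        known = got[5].replace(".", "").isdigit()
        return known and all(RANGE_OPS[k](ver_key(got[5]), ver_key(b)) for k, b in bounds)
    # Simplification: '-' is treated like '*' in the version field.
    return pat[5] in ("*", "-", got[5])

def evaluate(node, inventory):
    """Return (matched, vulnerable_cpes) for a node with operator/children/cpe_match."""
    results = [evaluate(child, inventory) for child in node.get("children", [])]
    for entry in node.get("cpe_match", []):
        hits = [c for c in inventory if entry_matches(entry, c)]
        results.append((bool(hits), hits if entry["vulnerable"] else []))
    combine = all if node["operator"] == "AND" else any
    matched = combine(ok for ok, _ in results)
    vulnerable = sorted({c for ok, hs in results if ok for c in hs}) if matched else []
    return matched, vulnerable

def os_entry(vendor, product):  # helper for the constructed sample below
    return {"vulnerable": False, "cpe23Uri": f"cpe:2.3:o:{vendor}:{product}:-:*:*:*:*:*:*:*"}

FLASH = "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"
NODE = {"operator": "AND", "children": [  # constructed copy of the page's node
    {"operator": "OR", "cpe_match": [
        {"vulnerable": True, "cpe23Uri": FLASH,
         "versionStartIncluding": "10.3", "versionEndExcluding": "10.3.183.19"},
        {"vulnerable": True, "cpe23Uri": FLASH,
         "versionStartIncluding": "11.2", "versionEndIncluding": "11.2.202.233"}]},
    {"operator": "OR", "cpe_match": [os_entry("apple", "mac_os_x"),
        os_entry("linux", "linux_kernel"), os_entry("microsoft", "windows")]}]}
```

Call evaluate(NODE, inventory) with a list of CPE 2.3 names for one host; an inventory that contains only an operating system satisfies the second OR group but fails the AND, so it is not reported.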