Hello again,
upon updating our cve-search instance from v4 to v5, and repopulating the database, we noticed that a few thousand CPEs had gone missing from the cve-search API's /cvefor/ route due to missing vulnerable_configurations on these CVEs.
Looking at core/database_maintenance/sources_process.py l.555-600, we found that the affected CVEs were those with a version range in their NVD criteria but no matching CPEs. One such example is CVE-1999-0176 (https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-1999-0176).
This behavior is inconsistent with CVEs that have no version range (e.g. CVE-1999-0196), which still have a fallback when CPE-less in version 5, and thus still have their vulnerable_configuration and are still found by cve-search.
I've got a patch ready that restores the old behavior and adds the fallback to CVEs with versions ranges. This is not ideal but would fix this regression in the meantime.
Hello again,
upon updating our cve-search instance from v4 to v5, and repopulating the database, we noticed that a few thousand CPEs had gone missing from the cve-search API's /cvefor/ route due to missing
vulnerable_configurations on these CVEs.Looking at
core/database_maintenance/sources_process.py l.555-600, we found that the affected CVEs were those with a version range in their NVD criteria but no matching CPEs. One such example is CVE-1999-0176 (https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-1999-0176).This behavior is inconsistent with CVEs that have no version range (e.g. CVE-1999-0196), which still have a fallback when CPE-less in version 5, and thus still have their
vulnerable_configurationand are still found by cve-search.I've got a patch ready that restores the old behavior and adds the fallback to CVEs with versions ranges. This is not ideal but would fix this regression in the meantime.