Skip to content

False negative CVE: no generated_cpe for com.mozilla.firefoxdeveloperedition resulting in missing vulnerabilities #48689

Description

@GrayW

Fleet versions 4.86.2 // 4.87.1

  • Discovered: 4.86.2
  • Reproduced: 4.86.2 // 4.87.1

Web browser and operating system: macOS 26


💥  Actual behavior

Fleet doesn't appear to be generating a cpe for com.mozilla.firefoxdeveloperedition, which should be tracking with standard, as there is no dedicated CPE for the developer edition. Example: cpe:2.3:a:mozilla:firefox:152.0.3:*.*.*.*:macos:*.*

{
  "software": {
    "id": 3879,
    "name": "Firefox Developer Edition",
    "version": "153.0",
    "bundle_identifier": "org.mozilla.firefoxdeveloperedition",
    "source": "apps",
    "extension_for": "",
    "browser": "",
    "generated_cpe": "",
    "vulnerabilities": null,
    "display_name": "",
    "last_opened_at": ""
  }
}

🛠️ Expected behavior

TODO

🧑‍💻  Steps to reproduce

These steps:

  • Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  1. Deploy or install Mozilla Firefox Developer Edition
  2. fleetctl trigger --name=vulnerabilities

🕯️ More info (optional)

Metadata

Metadata

Assignees

No one assigned

    Labels

    #g-security-complianceSecurity & Compliance product group:productProduct Design department (shows up on 🦢 Drafting board)bugSomething isn't working as documentedcustomer-stazzema

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    📨 Inbox

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions