
certifi CPE? (Common Platform Enumeration) #338

pcreager23 opened this issue Feb 11, 2025 · 4 comments

@pcreager23

pcreager23 commented Feb 11, 2025

@Lukasa , et al,
I'm working with NVD to get them to correct the CPEs for certifi (re: CVE-2024-39689).

Can someone confirm what the correct CPE format is for certifi?
cpe:2.3:a:certifi_project:certifi:*:*:*:*:*:*:*:*
cpe:2.3:a:python-certifi:certifi:*:*:*:*:*:*:*:*
cpe:2.3:a:certifi:certifi:*:*:*:*:*:*:*:*

Thanks

@alex
Member

alex commented Feb 11, 2025

I don't know the answer to this (I doubt Cory does either). How are we supposed to know what is correct?

@pcreager23
Author

The CPE naming spec is here: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf

The doubt for many FOSS packages centers around the 'vendor' field, which identifies "the person or organization that manufactured or created the product", i.e. the project developer.

The goal is to improve the accuracy of vulnerability scanning tools, such as grype.

@alex
Member

alex commented Feb 11, 2025

I suppose if I had to pick, I'd say the vendor is "certifi", since that's the name of the github org.

But really, CPEs don't seem super useful.

@pcreager23
Author

pcreager23 commented Feb 11, 2025

> I'd say the vendor is "certifi", since that's the name of the github org.

Thanks, I will pass that along.

The doubt was:
certifi / python-certifi: the latter indicates the Python version of certifi, but "python-" is not part of the actual package name.

> But really, CPEs don't seem super useful.

Indeed. Unfortunately, some scanners default to CPE matching, and the CPE string identified by NVD is ingested as part of the vulnerability feed, so getting it right will prevent false positive detections.
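The matching problem the thread describes, as an added illustration (example code written for this page, not code from certifi, grype or NVD): a minimal CPE 2.3 formatted-string parser and matcher run over the three candidate vendor spellings. The feed record and the asset version 1.2.3 are constructed for the example and are not the real NVD data for CVE-2024-39689.

```python
import re

# The 11 attribute positions after the "cpe:2.3" prefix (NISTIR 7695 formatted-string binding).
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
# Split on ':' but not on '\:', which the binding uses for a literal colon inside a value.
_SEP = re.compile(r"(?<!\\):")


def parse_cpe(cpe: str) -> dict:
    """Return the 11 attributes of a CPE 2.3 formatted string, or raise ValueError."""
    parts = _SEP.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def attr_matches(feed_value: str, asset_value: str) -> bool:
    """ANY ('*') on either side matches; otherwise values compare case-insensitively."""
    return "*" in (feed_value, asset_value) or feed_value.lower() == asset_value.lower()


def cpe_matches(feed_cpe: str, asset_cpe: str) -> bool:
    """A feed CPE applies to an asset only when every attribute, vendor included, matches."""
    feed, asset = parse_cpe(feed_cpe), parse_cpe(asset_cpe)
    return all(attr_matches(feed[f], asset[f]) for f in FIELDS)


def matching_ids(feed: list, asset_cpe: str) -> list:
    """IDs of feed records that apply to the asset, i.e. what a CPE-matching scanner reports."""
    return [rec["id"] for rec in feed if any(cpe_matches(c, asset_cpe) for c in rec["cpes"])]


# Constructed feed record: the CVE id from the thread paired with one of the three candidate
# vendor spellings; illustrative only, not what NVD actually publishes for that CVE.
CONSTRUCTED_FEED = [
    {"id": "CVE-2024-39689", "cpes": ["cpe:2.3:a:certifi_project:certifi:*:*:*:*:*:*:*:*"]},
]
# The three vendor spellings from the issue as a scanner might emit them for one installed
# certifi; version 1.2.3 is a constructed placeholder, not a real release.
CANDIDATE_ASSET_CPES = {
    "certifi_project": "cpe:2.3:a:certifi_project:certifi:1.2.3:*:*:*:*:*:*:*",
    "python-certifi": "cpe:2.3:a:python-certifi:certifi:1.2.3:*:*:*:*:*:*:*",
    "certifi": "cpe:2.3:a:certifi:certifi:1.2.3:*:*:*:*:*:*:*",
}


def results_by_vendor() -> dict:
    """Only the spelling that agrees with the feed yields a detection; the other two are missed."""
    return {v: matching_ids(CONSTRUCTED_FEED, cpe) for v, cpe in CANDIDATE_ASSET_CPES.items()}
```

Because the vendor attribute is compared literally, whichever spelling NVD settles on must be the one scanners generate, or the record is either never matched or matched against the wrong product.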
