Wrong CVE getting reported for CPE id

[shraddha0923]

Hi,

I am adding MT47H64M16NF25E component in dependency tracker. Original listed CPE is cpe:2.3:h:micron:ddr4_sdram:-:::::::*
When I change the CPE to cpe:2.3:h:micron:ddr2_sdram:-:::::::*, it is still showing me the CVE-2020-10255. If we check the CVE in nvd, there is no such CPE id listed in CVE-2020-10255.
Which parameters are considered while assigning CVE to particular CPE?

[syalioune]

Hello @shraddha0923
This is indeed an issue which was coincidentally opened here #2747
The problem is that as long as the component exists, vulnerability association is append-only.
See :

• Vulnerabilities is not changed when CPE and Version change manually  #2747
• After Component update, only CVEs related to updated CPE should be available #2284

[shraddha0923]

Do we have any solution on this? How do we delete the CVE?

[syalioune]

You have to remove the component and add a new component with the correct CPE