NIST Product Matching vs DT Vulnerable Software CPE matching and determining vendor #3161
officerNordberg started this conversation in General
Replies: 1 comment
-
I ran those queries and created a static mapping of ~225 identified products to vendor:product values; any missing mapping is handled by the same set of queries to DT, which then fall back to the NVD API and finally just duplicate the product into the vendor to avoid * at all costs.
-
In version 4.9.0 of DependencyTrack, vulnerabilities for cpe:2.3:a:pascom_cloud_phone_system:*:*:*:*:*:*:*:*:* are assigned to components with cpe:2.3:a:*:libcap:2.66:*:*:*:*:*:*:*

While looking into options for removing * from the vendor of as many components as possible, I looked to NIST's product API for assistance, and my search resulted in what one would expect for https://services.nvd.nist.gov/rest/json/cpes/2.0?cpeMatchString=cpe:2.3:a:*:libcap:2.66 and no mention of pascom_cloud_phone_system.

This would work, but the throttling on NIST's API, even with a dev token, made this process impractical for the number of components we have that contain * in the vendor part. Using DT's API in version 4.8.x I can get the same result for the slightly different query v1/search/vulnerablesoftware?cpe=cpe:2.3:a:*:libcap:2.66:*:*:*:*:*:*:*

The cpe parameter utilizes the Fuzzy Matcher while the query parameter is a straight Lucene lookup, as far as I can tell. I'd like to rely on this, as I've found that NIST's and SBOM producers' data are both so slapdash and incongruous that I'm better off manipulating my SBOMs to match downstream expectations.

Does anyone else have any other solution for divining the vendor when you have none? poky has a seldom-used optional CVE_PRODUCT in their recipes which may or may not supply the vendor. amzn in the vendor part is also a huge PITA, as DT would have a difficult time implementing an ALAS integration.
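The fallback chain described in this thread (static product-to-vendor map, then Dependency-Track's fuzzy cpe search, then the throttled NVD CPE API, then copying the product name into the vendor field) as an added example; this is not code from the thread or from the Dependency-Track project. It assumes a hypothetical DT host at dtrack.local:8081, a hypothetical static map, and that the DT endpoint returns either a bare list of VulnerableSoftware objects with vendor/product fields or a {"results": {"vulnerablesoftware": [...]}} wrapper; the NVD layout used (products[].cpe.cpeName) is the documented 2.0 response, and the rate limits baked into the throttle (5 requests per 30 s anonymously, 50 per 30 s with an API key) are NVD's published ones. The sample responses at the bottom are constructed, not captured. The check a practitioner wants given the pascom_cloud_phone_system mismatch above: a lookup tier is accepted only when every hit for the exact product name agrees on one concrete vendor; anything ambiguous falls through rather than being guessed.

```python
"""Fill in the vendor part of CPEs that arrive as cpe:2.3:a:*:<product>:... using the
fallback chain from the thread: static map -> Dependency-Track fuzzy CPE search ->
NVD CPE API (throttled) -> copy the product into the vendor field.
The HTTP layer is injectable so the module runs offline against constructed data."""
import json
import time
import urllib.parse
import urllib.request

DT_URL = "http://dtrack.local:8081"   # hypothetical Dependency-Track host
NVD_URL = "https://services.nvd.nist.gov/rest/json/cpes/2.0"

# Hypothetical subset of a hand-built product -> vendor table.
STATIC_VENDOR_MAP = {"libcap": "libcap_project", "openssl": "openssl", "zlib": "zlib"}


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields, keeping '\\:' escapes intact."""
    fields, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur, i = cur + cpe[i:i + 2], i + 2
            continue
        if cpe[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return fields


def http_get_json(url, headers=None):
    """Real transport; the offline demo swaps in fake_fetch below."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class Throttle:
    """Space out calls: NVD permits 5 requests per 30 s anonymously, 50 per 30 s with an API key."""
    def __init__(self, per_30s, sleep=time.sleep, clock=time.monotonic):
        self.interval, self.sleep, self.clock, self.last = 30.0 / per_30s, sleep, clock, None

    def wait(self):
        if self.last is not None:
            remaining = self.interval - (self.clock() - self.last)
            if remaining > 0:
                self.sleep(remaining)
        self.last = self.clock()


def _single_vendor(candidates, product):
    """Accept a tier only when every hit for this exact product agrees on one concrete vendor."""
    vendors = {v for v, p in candidates if p.lower() == product.lower() and v not in ("*", "-", "")}
    return vendors.pop() if len(vendors) == 1 else None


def dt_candidates(fields, fetch):
    """Dependency-Track fuzzy CPE search; the response shape (bare list or wrapped) is an assumption."""
    url = DT_URL + "/api/v1/search/vulnerablesoftware?cpe=" + urllib.parse.quote(":".join(fields), safe=":*")
    body = fetch(url)
    hits = body.get("results", {}).get("vulnerablesoftware", []) if isinstance(body, dict) else body
    return [(h.get("vendor", "*"), h.get("product", "")) for h in hits]


def nvd_candidates(fields, fetch, throttle, api_key=None):
    """NVD products API (documented 2.0 layout: products[].cpe.cpeName), rate-limited per call."""
    url = NVD_URL + "?cpeMatchString=" + urllib.parse.quote(":".join(fields[:6]), safe=":*")
    throttle.wait()
    body = fetch(url, {"apiKey": api_key} if api_key else None)
    return [(f[3], f[4]) for f in (parse_cpe23(p["cpe"]["cpeName"]) for p in body.get("products", []))]


def resolve_vendor(cpe, fetch=http_get_json, throttle=None, api_key=None):
    """Return (cpe_with_vendor, tier_that_resolved_it); a '*' vendor never survives."""
    fields = parse_cpe23(cpe)
    if fields[3] != "*":
        return cpe, "already-set"
    product = fields[4]
    throttle = throttle or Throttle(50 if api_key else 5)
    tiers = (
        ("static", lambda: STATIC_VENDOR_MAP.get(product.lower())),
        ("dependency-track", lambda: _single_vendor(dt_candidates(fields, fetch), product)),
        ("nvd", lambda: _single_vendor(nvd_candidates(fields, fetch, throttle, api_key), product)),
    )
    for name, lookup in tiers:
        try:
            vendor = lookup()
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            vendor = None  # an unreachable or malformed tier just falls through to the next
        if vendor:
            fields[3] = vendor
            return ":".join(fields), name
    fields[3] = product  # last resort from the thread: vendor := product, so no '*' is left
    return ":".join(fields), "product-as-vendor"


# Constructed stand-in responses (not real DT/NVD output). 'examplelib' shows the hazard from
# the thread: one product name under two unrelated vendors, which we refuse to guess.
FAKE_RESPONSES = {
    "vulnerablesoftware?cpe=cpe:2.3:a:*:busybox:": [{"vendor": "busybox", "product": "busybox"}],
    "cpeMatchString=cpe:2.3:a:*:curl:8.0.0": {"products": [{"cpe": {"cpeName": "cpe:2.3:a:haxx:curl:8.0.0:*:*:*:*:*:*:*"}}]},
    "cpeMatchString=cpe:2.3:a:*:examplelib:1.0": {"products": [
        {"cpe": {"cpeName": "cpe:2.3:a:vendor_a:examplelib:1.0:*:*:*:*:*:*:*"}},
        {"cpe": {"cpeName": "cpe:2.3:a:vendor_b:examplelib:1.0:*:*:*:*:*:*:*"}}]},
}


def fake_fetch(url, headers=None):
    """Offline transport: answers from FAKE_RESPONSES by URL substring, empty JSON object otherwise."""
    for needle, body in FAKE_RESPONSES.items():
        if needle in url:
            return body
    return {}


if __name__ == "__main__":
    no_sleep = Throttle(5, sleep=lambda s: None)
    for cpe in ("cpe:2.3:a:*:libcap:2.66:*:*:*:*:*:*:*", "cpe:2.3:a:*:busybox:1.36.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:*:curl:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:*:examplelib:1.0:*:*:*:*:*:*:*"):
        print(resolve_vendor(cpe, fetch=fake_fetch, throttle=no_sleep))
```

Run as-is it prints the four tiers in turn: static hit, DT hit, NVD hit, and the product-as-vendor fallback for the ambiguous name. Against live services, drop the fetch/throttle overrides and pass api_key to get the higher NVD budget; the throttle still serialises NVD calls, so a large SBOM is processed at the published rate rather than tripping the limit.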