CVE submitted via GitHub advisory targets wrong package

[taiki-e]

I have written three advisories in crossbeam-rs/crossbeam and obtained CVE via GitHub advisory for all of them.

• GHSA-v5m7-53cv-f3hx (package: crossbeam-channel)
• GHSA-pqqp-xmhj-wgcw (package: crossbeam-deque)
• GHSA-qc84-gqf4-9926 (package: crossbeam-utils)

Each of these advisories is for a different package in the same repository.

However, according to the CVE submitted by GitHub, it appears that these are all treated as crossbeam package issues, which causes issues to be reported in the wrong packages or not reported in packages that should be reported (crossbeam-rs/crossbeam#1151).

• https://nvd.nist.gov/vuln/detail/CVE-2020-15254

  cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*

• https://nvd.nist.gov/vuln/detail/CVE-2021-32810

  cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:*:*:*

• https://nvd.nist.gov/vuln/detail/CVE-2022-23639

  cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:rust:*:*

[darakian]

Hey @taiki-e 👋
Sorry for the annoyance, that you're dealing with but we (GitHub) don't actually add those cpe values. If you check the history on the nvd pages you'll see that nvd themselves add the cpes. For what its worth they have a contact email listed here
https://nvd.nist.gov/products/cpe
which you can ping. Sorry for giving you a run around 😞

[taiki-e]

@darakian Thanks for the advice. I sent email to NVD CPE team.

[darakian]

Right on 👍
I'm gonna close this issue as there's nothing we can do for you, but feel free to comment more or reopen if you need/want to :)