Various pointers / help had already been given previously in the documentation and it is currently not clear if all got followed.
Just to summarize what’s required:
- A “full and fast” scan against the target
- Having “Add results to Assets” in the scan config set to “yes”
- One or more applications detected previously with a registered CPE including a version (e.g. cpe:/a:apache:http_server:2.4.22)
  - This can be verified via the “log” level message of the “CPE Inventory” (OID: 1.3.6.1.4.1.25623.1.0.810002) VT
- A search like e.g. https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=cpe%3A%2Fa%3Aapache%3Ahttp_server%3A2.4.22&search_type=all&isCpeNameSearch=true returning any CVE for the product / CPE in question
- And finally running a CVE scan against the same target
Notes:
- There might be additional unknown constraints which are required to get useful data
- CVE scans not matching the expected CVE-2021-23017 could still be an issue which prevents a working CVE scan
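
The CPE-related prerequisites from the list above can be pre-checked with a short script. This is an added example, not part of the original post and not Greenbone code: it takes CPE strings copied from the “CPE Inventory” log result, flags those without a version component, and builds the NVD search URL in the form shown above. The sample list is constructed, and treating an empty, `-` or `*` version as "no version" is an assumption.

```python
from urllib.parse import urlencode

NVD_SEARCH = "https://nvd.nist.gov/vuln/search/results"
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:...) into a dict."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if fields[0] not in ("a", "o", "h") or len(fields) > len(CPE_FIELDS):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    fields += [""] * (len(CPE_FIELDS) - len(fields))  # pad absent components
    return dict(zip(CPE_FIELDS, fields))


def has_version(uri):
    """True if a version is set (assumption: '', '-' and '*' count as unset)."""
    return parse_cpe22(uri)["version"] not in ("", "-", "*")


def nvd_search_url(uri):
    """Build the NVD CPE-name search URL in the form quoted in the post."""
    params = [("form_type", "Advanced"), ("results_type", "overview"),
              ("query", uri), ("search_type", "all"), ("isCpeNameSearch", "true")]
    return NVD_SEARCH + "?" + urlencode(params)


def triage(cpes):
    """Return (checkable, skipped): NVD URLs for versioned CPEs, reasons for the rest."""
    checkable, skipped = {}, {}
    for cpe in (c.strip() for c in cpes):
        try:
            if has_version(cpe):
                checkable[cpe] = nvd_search_url(cpe)
            else:
                skipped[cpe] = "no version component"
        except ValueError as exc:
            skipped[cpe] = str(exc)
    return checkable, skipped


# Constructed sample input; only the first CPE appears in the post.
SAMPLE_CPES = ["cpe:/a:apache:http_server:2.4.22", "cpe:/a:openbsd:openssh",
               "apache:http_server:2.4.22"]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_CPES)
    for cpe, url in ok.items():
        print(f"check NVD for {cpe}:\n  {url}")
    for cpe, why in bad.items():
        print(f"skipped {cpe}: {why}")
```

A CPE that lands in the skipped set points back at the detection step; one that is checkable but returns no CVE at the printed URL fails the NVD prerequisite from the list.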