PHP CPEs not matching with detection

I started investigating this because I would expect NVT OID or to be triggered on CPE cpe:/a:php:php:7.4.26.

I think that the issue is that there is a mismatch between CPEs and the PHP detection.
The PHP Detection NVT detects CPE as cpe:/a:php:php:7.4.26. On the latest feeds there is no CPE for cpe:/a:php:php:7.4.26 - there is however a cpe:/a:php:php:7.4.26:- CPE.

It seems like PHP CPEs from 7.4.25 and up only exists with :- appended. I suspect that the issue is the NVTs are not able to make a match between detected CPEs without the leading :- and the ones with the leading :-


Not sure if I understand it correctly. AFAIU does the detection report it correctly with the cpe:/a:php:php:7.4.26 or is there already a mismatch? In case of a mismatch could you provide the output of the detection report?

What I’m currently not sure is where you get/see the cpe:/a:php:php:7.4.26:- from. Could you elaborate on this? As well what kind of scan config are you using (e.g. “Full and Fast”, or anything else)?


Hi Chris,

Thank you for your swift answer. Yes I think the detection report is reporting as it should.
But I suspect the issue is that it does find a match in the CPE list.

I have not been able to verify this, but I just noticed that while searching the CPE list with this filter: Applied filter: name~php:php:7\.4\.2 rows=100 sort=name first=1, there is no CPE listed for cpe:/a:php:php:7.4.26 - there is however one with :- appended.

I am however not sure this is the issue with previously mentioned NVTs, but as far as I understand from them, they make a look up in the CPE-list.
I guess it would be solved by just adding the CPEs without the :- appended. There is however no forum for the feeds anymore, so that is why I tried reporting it in this forum.

Okay, the detection works as expected :slight_smile:

The CPE list you mentioned above is using the annotation as used by NIST. However an actual scan (e.g. via Full and Fast) will always use the shortened/base CPE (in this case cpe:/a:php:php or cpe:/a:php:php:7.4.26).

Not sure if you have a possible false-negative from the mentioned VTs above ( 147657 and 147658). Note that they report with different QoDs (Quality of Detection) depending what OS was detected during the scan. E.g. on a Linux host you will have to lower the QoD to actually see the finding in a report.

Best regards,

1 Like

I see, thanks ckuerste. I have now noticed the 147657 VT is triggered with a QoD of 30.

Sorry for all the confusion about CPE matching :slight_smile:

1 Like

Some additional background which could help to understand some of the previously mentioned points: