Prisma Cloud Compute: Why is the "fix status" empty for some NVD CVEs despite a fix being available?

• Prisma Cloud Compute (self-hosted)
• Prisma Cloud Enterprise (SaaS)

• Generally, for application CVEs and jar CVEs, we source the data from NVD.
• NVD does not have any status field and they do not provide any fixed versions, only affected versions.
• For NVD we try our best to parse a fix status based on the affected versions and the description.
  • For the description:
    • In the description we look for certain phrases like “fixed in x”
  • For affected versions:
    • In affected version conditions, if we see something like <x, then we can assume x is a fix version and fill a status based on that.
    • In affected version conditions, if we see only affected versions (<=x or Up to (including) x as NVD lists it), we cannot make assumptions about the fix version.
    • For example if we see <=1.9.13 we don’t know if the fix version is 1.9.14 or 2.0 or if there is one at all.Since we cannot parse a fix status based on the data NVD gives us and we do not want to make any false assumptions, the status is left blank.
      
      This is the expected behavior for NVD CVEs where the fix version is not clear.

View our documentation here on scan reports.