This is expected behavior. Not having a CVE ID does not mean a finding is a "false positive" or that it is unimportant. It simply means the issue falls into a category of security weakness that isn't tracked by the global CVE system.
The Difference Between Software Bugs and Security Weaknesses
To understand why some IDs are missing, it helps to distinguish between a specific software flaw and a general security weakness.
1. Configuration Issues (No CVE)
CVEs track flaws in specific versions of publicly distributed software (e.g., a specific version of a web server or database). However, many security risks arise from how that software is configured, rather than from the software itself.
- Example: A missing Content-Security-Policy header or an exposed .git directory is a serious risk, but it is a configuration choice, not a bug in the server software. Therefore, it will not have a CVE.
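To make the distinction concrete, here is an added example (not the scanner's own code) of two configuration checks of the kind described above: it runs against constructed sample responses and records each finding with a CWE weakness class and an empty CVE field, because no CVE can exist for a deployment choice. The CWE mapping is this example's own choice.

```python
"""Added example: configuration checks whose findings have no CVE.

The sample HTTP response and .git/HEAD body below are constructed; the
CWE mapping is chosen for this example, not taken from the scanner.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    title: str
    severity: str
    cve: Optional[str]   # None: a configuration weakness, so no CVE applies
    cwe: str             # generic weakness class reported instead
    evidence: str


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the head of an HTTP/1.1 response into lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]          # ignore the body
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_csp(raw_response: str) -> Optional[Finding]:
    """Flag a response that carries no Content-Security-Policy header."""
    if "content-security-policy" in parse_headers(raw_response):
        return None
    return Finding("Missing Content-Security-Policy header", "medium",
                   None, "CWE-693", "header absent from response")


def check_git_exposure(status: int, head_body: str) -> Optional[Finding]:
    """A 200 for /.git/HEAD whose body is a git ref means the repo is exposed."""
    if status == 200 and head_body.strip().startswith("ref: refs/heads/"):
        return Finding("Exposed .git directory", "high",
                       None, "CWE-538", head_body.strip())
    return None


# Constructed sample data standing in for a real scan
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: ExampleServer\r\n"
                   "Content-Type: text/html\r\n\r\n<html>a: b</html>")
SAMPLE_GIT_HEAD = "ref: refs/heads/main\n"


def scan() -> List[Finding]:
    results = [check_csp(SAMPLE_RESPONSE), check_git_exposure(200, SAMPLE_GIT_HEAD)]
    return [f for f in results if f is not None]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.severity:6} {f.title:40} CVE={f.cve} CWE={f.cwe}")
```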
2. Custom Application Logic (No CVE)
Our scanning engine tests your proprietary applications and custom code. If we find a vulnerability in your specific login page or API, that vulnerability is unique to your organization.
- Example: If your custom code allows a Cross-Site Scripting (XSS) attack, this is a valid vulnerability. However, because your code is not publicly distributed software, there is no public CVE entry for it.
3. General Best Practices
Some findings flag deviations from industry best practices rather than directly exploitable vulnerabilities.
- Example: Using an older SSL/TLS certificate or weak cipher suites. These are flagged to help you harden your security posture, but they are often categorized as general weaknesses rather than specific CVEs.