This repository has been archived by the owner on Dec 1, 2024. It is now read-only.

wrong CPE matching #211

Open
kisscool opened this issue Jun 2, 2023 · 0 comments

kisscool commented Jun 2, 2023

Some otherwise valid CPE identifiers produce wrong matchings.

As an example, this match is good:

```
$ echo 'cpe:2.3:a:clamav:clamav:1.0.0:*:*:*:*:*:*:*' | cpe2cve -cpe=1 -cve=2 ./nvd/nvdcve-1.1-*.json.gz
cpe:2.3:a:clamav:clamav:1.0.0:*:*:*:*:*:*:*     CVE-2023-20032
cpe:2.3:a:clamav:clamav:1.0.0:*:*:*:*:*:*:*     CVE-2023-20052
```

But this one matches CVE-2021-45967, which has nothing to do with clamav:

```
$ echo 'cpe:2.3:a:*:clamav:1.0.0:*:*:*:*:*:*:*' | cpe2cve -cpe=1 -cve=2 ./nvd/nvdcve-1.1-*.json.gz
cpe:2.3:a:*:clamav:1.0.0:*:*:*:*:*:*:*  CVE-2023-20052
cpe:2.3:a:*:clamav:1.0.0:*:*:*:*:*:*:*  CVE-2021-45967
cpe:2.3:a:*:clamav:1.0.0:*:*:*:*:*:*:*  CVE-2023-20032
```
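A way to triage a match like the one reported above, as an added example that is not part of the original issue and is not cpe2cve's code: it compares a query CPE against a CVE's CPE entries attribute by attribute and reports which attributes matched only because the query held a wildcard. The helper names and the `examplevendor` entries are constructed, and the comparison is a simplified assumption (`*` matches anything, everything else must be equal) that ignores NVD version ranges and AND/OR configuration nodes.

```python
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def split_unescaped(s):
    """Split on ':' but keep backslash-escaped characters (e.g. '\\:') intact."""
    out, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2
        elif s[i] == ":":
            out.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    out.append("".join(cur))
    return out

def parse_cpe23(s):
    """Return the 11 attributes of a CPE 2.3 formatted string as a dict."""
    parts = split_unescaped(s.strip())
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    return dict(zip(FIELDS, (p.lower() for p in parts[2:])))

def explain_match(query, entry):
    """Return (matched, attributes matched only through a wildcard in the query)."""
    q, e = parse_cpe23(query), parse_cpe23(entry)
    matched = all(q[f] == "*" or e[f] == "*" or q[f] == e[f] for f in FIELDS)
    widened = [f for f in FIELDS if q[f] == "*" and e[f] != "*"]
    return matched, widened

def triage(query, cve_entries):
    """Keep only the CVE's entries that justify a match for this query."""
    hits = []
    for entry in cve_entries:
        matched, widened = explain_match(query, entry)
        if matched:
            hits.append((entry, widened))
    return hits

# Query from the issue; the entries below are constructed for illustration.
QUERY = "cpe:2.3:a:*:clamav:1.0.0:*:*:*:*:*:*:*"
SAMPLE_ENTRIES = [
    "cpe:2.3:a:clamav:clamav:1.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:clamav:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:otherproduct:1.0.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for entry, widened in triage(QUERY, SAMPLE_ENTRIES):
        print(entry, "matched; widened by wildcard on:", widened)
```

Run against the CPE entries of a reported CVE: if `triage` returns nothing, no entry of that CVE justifies the match under these simplified rules.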