We can build up a list of known vulnerable C/C++ libraries by collecting the git and svn URLs from the references of those CVEs whose description mentions a .c/.cpp source file (low precision). We can then augment this list by looking for similar URLs in the NVD CPE feeds.
We need a PoC to experiment with better identification of C/C++ libraries with vulnerabilities.
With a local vuln-list repo, I am getting good hits from inside the NVD directory.
https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
To improve precision, we may have to add more repos and CVEs to our data set manually.
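An added example of the two steps above (not the project's own code): filter NVD JSON 1.1 records down to CVEs whose description names a C/C++ file, collect their git/svn reference URLs into a repo list, then attach CPE names whose dictionary references resolve to one of those repos. The CVE records, CPE entries, repo names and URLs are constructed samples, and the CPE dictionary is assumed to have been flattened from its XML into name plus reference URLs.

```python
import re
from urllib.parse import urlsplit
SRC_FILE_RE = re.compile(r"\b[\w./-]+\.(?:c|cc|cpp|cxx|h|hpp)\b", re.IGNORECASE)  # e.g. "src/tif_read.c"

def repo_key(url):
    """Reduce a reference URL to its repository; None if it is not a git/svn URL."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    segs = [s for s in parts.path.split("/") if s]
    if host in ("github.com", "gitlab.com", "bitbucket.org") and len(segs) >= 2:
        return f"https://{host}/{segs[0]}/{segs[1].removesuffix('.git')}"  # commit/issue links -> owner/repo
    if host.startswith(("svn.", "git.")) or parts.path.endswith(".git"):
        return f"{parts.scheme}://{host}{parts.path}"
    return None

def vulnerable_repos(feed):
    """Map repo -> sorted CVE IDs for CVEs whose description names a C/C++ file (low precision:
    every git/svn reference on such a CVE is kept, even links to unrelated repos)."""
    repos = {}
    for item in feed["CVE_Items"]:
        cve = item["cve"]
        text = " ".join(d["value"] for d in cve["description"]["description_data"])
        if not SRC_FILE_RE.search(text):
            continue
        for ref in cve["references"]["reference_data"]:
            if key := repo_key(ref["url"]):
                repos.setdefault(key, set()).add(cve["CVE_data_meta"]["ID"])
    return {k: sorted(v) for k, v in repos.items()}

def augment_with_cpe(repos, cpe_items):
    """Attach CPE names whose dictionary references resolve to a repo already in repos."""
    cpes = {}
    for item in cpe_items:
        for key in filter(None, map(repo_key, item["references"])):
            if key in repos:
                cpes.setdefault(key, set()).add(item["name"])
    return {k: sorted(v) for k, v in cpes.items()}
def _cve(cve_id, desc, urls):  # one record in NVD JSON 1.1 shape (constructed sample, not a real CVE)
    return {"cve": {"CVE_data_meta": {"ID": cve_id}, "description": {"description_data": [{"value": desc}]},
                    "references": {"reference_data": [{"url": u} for u in urls]}}}
SAMPLE_FEED = {"CVE_Items": [
    _cve("CVE-0000-0001", "Heap overflow in src/tif_read.c in libexample before 1.2.",
         ["https://github.com/example-org/libexample/commit/0123abcd", "https://svn.example.org/libother/trunk"]),  # svn link is unrelated noise
    _cve("CVE-0000-0002", "Cross-site scripting in the admin panel of ExampleApp 2.0.", ["https://github.com/example-org/exampleapp/issues/7"]),
]}
SAMPLE_CPE = [  # constructed entries carrying a CPE dictionary name plus its reference URLs
    {"name": "cpe:2.3:a:example-org:libexample:1.2:*:*:*:*:*:*:*", "references": ["https://github.com/example-org/libexample.git"]},
    {"name": "cpe:2.3:a:example-org:exampleapp:2.0:*:*:*:*:*:*:*", "references": ["https://github.com/example-org/exampleapp"]},
]
```

The second CVE is dropped because no source file is named, so its CPE never attaches; the svn link on the first CVE survives, which is exactly the low-precision noise the manual curation step has to remove.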