crocs-muni / sec-certs

Tool for analysis of security certificates and their security targets (Common Criteria, NIST FIPS140-2...).
https://sec-certs.org
MIT License

CPE matching to CVEs ignores CPE rules #249

Closed J08nY closed 2 years ago

J08nY commented 2 years ago

When NVD publishes CPEs linked to a given CVE, they sometimes do so in the form of a tree, with AND and OR expressions between sets of CPEs. For example see https://nvd.nist.gov/vuln/detail/CVE-2015-3055.

However, during processing we lose this expression information and just have a set of CPEs: https://seccerts.org/vuln/cve/CVE-2015-3055.

Thus, we have false positives where we match a CVE to a certificate even though it doesn't fit into the expression: https://seccerts.org/fips/a81824dad073f33c/#cves

We should store this tree expression in the CVE and mark a certificate as vulnerable to it only if the tree expression is satisfied (e.g. we have matched all the CPEs in the AND to the certificate).

adamjanovsky commented 2 years ago

As a hotfix, we started ignoring the ANDed vulnerable configurations, getting rid of false positives but missing some matches as a trade-off. The long-term solution is left as future work in #252.
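The two behaviours discussed in this thread (the flattened-set matching that produces false positives, and the hotfix of dropping ANDed configurations) side by side with a proper evaluation of the configuration tree. This is an added example, not sec-certs code: the node layout (`operator`, `children`, `cpe_match`, `cpe23Uri`, `vulnerable`, `negate`) is assumed to follow the NVD JSON 1.1 feed schema, the CPE strings and the configuration tree are constructed for illustration, and matching is by exact CPE string (NVD version-range fields are ignored).

```python
"""Evaluate an NVD-style CPE configuration tree against a certificate's matched CPEs.

Added example, not part of sec-certs. Node layout follows the NVD JSON 1.1 schema
as an assumption; CPE strings and the tree below are constructed. Matching is by
exact cpe23Uri string, so versionStartIncluding-style ranges are not handled.
"""
from __future__ import annotations

# Constructed CPEs (not real products).
PRODUCT_A = "cpe:2.3:a:vendor:product_a:1.0:*:*:*:*:*:*:*"
PRODUCT_B = "cpe:2.3:a:vendor:product_b:2.0:*:*:*:*:*:*:*"
PLATFORM_P = "cpe:2.3:o:vendor:platform_p:-:*:*:*:*:*:*:*"

# Constructed configuration with two top-level nodes (top level is implicitly ORed):
#   node 0 (OR):  product A is vulnerable on its own
#   node 1 (AND): product B is vulnerable only when running on platform P
SAMPLE_CONFIGURATION = {
    "nodes": [
        {"operator": "OR",
         "cpe_match": [{"vulnerable": True, "cpe23Uri": PRODUCT_A}]},
        {"operator": "AND",
         "children": [
             {"operator": "OR",
              "cpe_match": [{"vulnerable": True, "cpe23Uri": PRODUCT_B}]},
             {"operator": "OR",
              "cpe_match": [{"vulnerable": False, "cpe23Uri": PLATFORM_P}]},
         ]},
    ]
}


def _leaf_cpes(node: dict) -> list[str]:
    return [m["cpe23Uri"] for m in node.get("cpe_match", [])]


def flatten_cpes(configuration: dict) -> set[str]:
    """Collect every CPE in the tree, discarding AND/OR structure.
    This is the lossy representation the issue describes."""
    out: set[str] = set()
    stack = list(configuration["nodes"])
    while stack:
        node = stack.pop()
        out.update(_leaf_cpes(node))
        stack.extend(node.get("children", []))
    return out


def naive_is_vulnerable(configuration: dict, matched_cpes: set[str]) -> bool:
    """Flat-set matching: any shared CPE marks the certificate vulnerable."""
    return bool(flatten_cpes(configuration) & set(matched_cpes))


def node_satisfied(node: dict, matched_cpes: set[str]) -> bool:
    """Recursively evaluate one node: AND needs all parts, OR needs any part."""
    children = node.get("children", [])
    if children:
        parts = [node_satisfied(child, matched_cpes) for child in children]
    else:
        # Leaf: the 'vulnerable: False' running-on entries still have to match.
        parts = [cpe in matched_cpes for cpe in _leaf_cpes(node)]
    combine = all if node.get("operator", "OR").upper() == "AND" else any
    result = combine(parts) if parts else False
    return (not result) if node.get("negate", False) else result


def tree_is_vulnerable(configuration: dict, matched_cpes: set[str]) -> bool:
    """Proper evaluation: the certificate is vulnerable only if some top-level
    node's expression is satisfied by the matched CPEs."""
    matched = set(matched_cpes)
    return any(node_satisfied(node, matched) for node in configuration["nodes"])


def hotfix_is_vulnerable(configuration: dict, matched_cpes: set[str]) -> bool:
    """Approximation of the hotfix from the thread: ignore every top-level AND
    configuration and evaluate only the remaining (OR) nodes."""
    matched = set(matched_cpes)
    kept = [n for n in configuration["nodes"]
            if n.get("operator", "OR").upper() != "AND"]
    return any(node_satisfied(node, matched) for node in kept)


if __name__ == "__main__":
    cases = {
        "product B only": {PRODUCT_B},              # naive: false positive
        "product B on platform P": {PRODUCT_B, PLATFORM_P},  # hotfix: missed match
        "product A": {PRODUCT_A},
    }
    for label, cpes in cases.items():
        print(f"{label:26} naive={naive_is_vulnerable(SAMPLE_CONFIGURATION, cpes)!s:5} "
              f"hotfix={hotfix_is_vulnerable(SAMPLE_CONFIGURATION, cpes)!s:5} "
              f"tree={tree_is_vulnerable(SAMPLE_CONFIGURATION, cpes)}")
```

A certificate matched only to `PRODUCT_B` is flagged by the flat-set check but not by the tree (the false positive from the first comment); a certificate matched to both `PRODUCT_B` and `PLATFORM_P` is correctly flagged by the tree but missed by the hotfix, which is the trade-off the second comment accepts.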