Some of the CVEs contain vulnerable configurations that are specified as follows:

- `OR` components
- `AND` at the root, where left child is a list of vulnerable platforms with `OR` operator and right child is a vulnerable os

An example of such vuln. is: https://nvd.nist.gov/vuln/detail/CVE-2010-2325

We currently ignore the `AND` branch, see #251, losing approx. 1k unique CVEs. Some of these could be matched.

Our CPE classifier is matching CPEs one by one. This means that no additional CPE matching is required, it merely suffices to enforce `AND` condition (i.e., search for both children in CPE matches) before declaring a CVE match.
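
One way to enforce the `AND` condition over CPEs that were already matched one by one, as an added sketch that is not the project's own code. The `Node` structure, the function names and the CPE strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed CPE strings, for illustration only.
APP_70 = "cpe:2.3:a:example_vendor:app_server:7.0:*:*:*:*:*:*:*"
APP_71 = "cpe:2.3:a:example_vendor:app_server:7.1:*:*:*:*:*:*:*"
HOST_OS = "cpe:2.3:o:example_vendor:example_os:-:*:*:*:*:*:*:*"


@dataclass(frozen=True)
class Node:
    """One node of a vulnerable-configuration tree (hypothetical structure)."""
    operator: str                  # "OR" or "AND"
    cpes: frozenset = frozenset()  # CPEs listed directly on this node
    children: tuple = ()           # nested Node objects


def node_matches(node, matched_cpes):
    """Evaluate a node against the CPEs the classifier already matched."""
    hits = [cpe in matched_cpes for cpe in node.cpes]
    hits += [node_matches(child, matched_cpes) for child in node.children]
    if not hits:
        return False  # empty node: avoid all([]) being vacuously True
    if node.operator == "AND":
        return all(hits)
    if node.operator == "OR":
        return any(hits)
    raise ValueError(f"unknown operator: {node.operator!r}")


def cve_matches(configurations, matched_cpes):
    """A CVE matches when at least one of its configurations is satisfied."""
    return any(node_matches(cfg, matched_cpes) for cfg in configurations)


# AND at the root: left child = vulnerable platforms (OR), right child = OS.
PLATFORMS = Node("OR", cpes=frozenset({APP_70, APP_71}))
RUNNING_ON = Node("OR", cpes=frozenset({HOST_OS}))
AND_CONFIG = Node("AND", children=(PLATFORMS, RUNNING_ON))

if __name__ == "__main__":
    for matched in ({APP_70, HOST_OS}, {APP_70}, {HOST_OS}):
        print(sorted(matched), "->", cve_matches([AND_CONFIG], matched))
```

Matching only the platform or only the OS does not declare a CVE match; both children of the `AND` root must be present in the matched CPEs.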