We currently ignore the AND branch, see #251, losing approx. 1k unique CVEs. Some of these could be matched.
Our CPE classifier is matching CPEs one by one. This means that no additional CPE matching is required, it merely suffices to enforce AND condition (i.e., search for both children in CPE matches) before declaring a CVE match.
Some of the CVEs contain vulnerable configurations that are specified as follows:
ORcomponentsANDat the root, where left child is a list of vulnerable platforms withORoperator and right child is a vulnerable osAn example of such vuln. is: https://nvd.nist.gov/vuln/detail/CVE-2010-2325
We currently ignore the
ANDbranch, see #251, losing approx. 1k unique CVEs. Some of these could be matched.Our CPE classifier is matching CPEs one by one. This means that no additional CPE matching is required, it merely suffices to enforce
ANDcondition (i.e., search for both children in CPE matches) before declaring a CVE match.