cve-search / CveXplore

CveXplore
https://cve-search.github.io/CveXplore/
GNU General Public License v3.0

CPEs with ':' in the product or vendor are parsed incorrectly #268

Closed maxime-huyghe closed 5 months ago

maxime-huyghe commented 6 months ago

Hi, I noticed that some CPEs have :s, resulting in incorrect vendor and/or product names. Examples of this behavior are cpe:2.3:a:acf\:_better_search_project:acf\:_better_search:-:*:*:*:*:wordpress:*:* and cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.29:*:*:*:*:perl:*:*. This can be fixed by splitting on a regex ((?<!\\):) instead of :. I grepped for relevant uses of split(":") but I am unsure whether I caught all instances of the issue or not.

I will attach a PR with the fixes; can you please take a look? Thanks in advance.
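Added example, not part of this issue or of CveXplore's own code: the lookbehind split proposed above, applied to the two CPEs quoted in the post, next to a character-level splitter that goes one step beyond it by also handling an escaped backslash immediately before a real separator (a vendor ending in `\\`), which the lookbehind alone keeps joined. The `ESCAPED_BACKSLASH` string is constructed for that edge case; the field names follow the CPE 2.3 formatted-string order.

```python
import re

# Split on ':' only when it is not preceded by a backslash (regex from the issue).
UNESCAPED_COLON = re.compile(r"(?<!\\):")

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# The two CPEs quoted in the issue, plus one constructed edge case whose
# vendor ends in an escaped backslash ('\\') right before the separator.
EXAMPLE_WORDPRESS = r"cpe:2.3:a:acf\:_better_search_project:acf\:_better_search:-:*:*:*:*:wordpress:*:*"
EXAMPLE_PERL = r"cpe:2.3:a:tozt:spreadsheet\:\:parsexlsx:0.29:*:*:*:*:perl:*:*"
ESCAPED_BACKSLASH = r"cpe:2.3:a:vendor\\:prod:1.0:*:*:*:*:*:*:*"


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons (lookbehind approach)."""
    return UNESCAPED_COLON.split(cpe)


def split_cpe23_strict(cpe):
    """Character-level split: every backslash consumes the next character, so an
    escaped backslash followed by ':' is still recognised as a field separator."""
    fields, buf, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if cpe[i] == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(cpe[i])
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe, splitter=split_cpe23_strict):
    """Return the 11 named CPE 2.3 fields, still escaped; reject malformed strings."""
    parts = splitter(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, parts[2:]))


def unescape(field):
    """Drop the backslash escapes from one field, e.g. 'acf\\:_x' -> 'acf:_x'."""
    return re.sub(r"\\(.)", r"\1", field)
```

A plain `split(":")` yields 15 pieces for either quoted CPE, which is how the vendor and product names end up wrong; both splitters above return the expected 13.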

P-T-I commented 6 months ago

Cool, thank you! I'll take a look at the PR!

oh2fih commented 5 months ago

The issue could be confirmed with, e.g., CVE-2024-23525 & CVE-Search v5.0.1-dev:

UPDATE: The #269 fixes this; I have done the testing as described in https://github.com/cve-search/CveXplore/pull/269#pullrequestreview-1985177042.