e-m-b-a / emba

EMBA - The firmware security analyzer
https://www.securefirmware.de
GNU General Public License v3.0

Spurious linux_kernel CVEs, cpe string handling. #1080

Closed gluesmith2021 closed 3 months ago

gluesmith2021 commented 4 months ago

Describe the bug: linux_kernel is associated with more CVEs than it should be.

Some cpe strings in NVD json files have linux_kernel:* value for "target software : target hardware" fields. For example:

cpe:2.3:a:accelatech:bizsearch:3.2:-:*:*:*:linux_kernel:*:*

While this is arguably an NVD data error (this should probably be linux, not linux_kernel), this is also an avoidable case. EMBA seems to look for product:version and product:* anywhere in the string. In the above case, there was no start/end version, only a single product version in the cpe string itself, 3.2, for product bizsearch. However, EMBA sees linux_kernel:* and will happily match any detected kernel version in a firmware image. Had there been start/end versions, they would probably have been applied to match the linux_kernel version, incorrectly.

Examples of incorrectly matched CVEs:

In theory, this could happen with other "products" than linux_kernel, but this is probably one of the few that happen to appear in the cpe string past the actual product field.

To Reproduce: Steps to reproduce the behavior:

  1. EMBA installation: default mode
  2. Use the firmware available here: any firmware with a detected Linux kernel will do (sorry I can't share the few I'm working on)
  3. Start EMBA with the following parameters: sudo ./emba -p ./scan-profiles/default-scan.emba -l output/path -f firmware/image/file
  4. additional steps: wait for analysis to complete, look at reported kernel CVEs
  5. See error

Expected behavior: Product name should match the product field of cpe strings, not any other. Unrelated CVEs should not be reported for a given product such as linux_kernel.

Screenshots: None

Desktop

Priority issue: Are you already a [Sponsor]? N

Additional context: None
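To make the mismatch concrete, here is an added example (not EMBA's code) that contrasts the "product:version / product:* anywhere in the string" lookup the issue describes with a match that only consults the CPE 2.3 product and version fields. The detected kernel version and the two extra kernel CPE strings are constructed; the bizsearch string is the one quoted above.

```python
import re

# Field order of a CPE 2.3 formatted string:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into its 11 named fields ('\\:' inside a value is not a separator)."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} fields, got {len(parts)}: {cpe}")
    return dict(zip(CPE_FIELDS, parts))

def naive_match(cpe: str, product: str, version: str) -> bool:
    """Look for product:version or product:* anywhere in the string (the behaviour the issue describes).
    Any field that happens to carry the product name, e.g. target_sw, triggers a match."""
    return f"{product}:{version}" in cpe or f"{product}:*" in cpe

def field_match(cpe: str, product: str, version: str) -> bool:
    """Accept only if the product *field* names the product and the version field covers the version.
    '*' means ANY; '-' (NA) matches nothing. NVD start/end version ranges are out of scope here."""
    f = parse_cpe23(cpe)
    return f["product"] == product and f["version"] in ("*", version)

def kernel_hits(cpes, detected_version: str):
    """Return (naive, field_aware) lists of CPE strings that would attribute a CVE to linux_kernel."""
    naive = [c for c in cpes if naive_match(c, "linux_kernel", detected_version)]
    strict = [c for c in cpes if field_match(c, "linux_kernel", detected_version)]
    return naive, strict

# Constructed sample: the string from the issue plus two typical kernel entries.
SAMPLE_CPES = [
    "cpe:2.3:a:accelatech:bizsearch:3.2:-:*:*:*:linux_kernel:*:*",  # target_sw = linux_kernel
    "cpe:2.3:o:linux:linux_kernel:5.10.0:*:*:*:*:*:*:*",             # product field = linux_kernel
    "cpe:2.3:o:linux:linux_kernel:4.19.0:*:*:*:*:*:*:*",             # other kernel version
]

if __name__ == "__main__":
    naive, strict = kernel_hits(SAMPLE_CPES, "5.10.0")
    print("naive   :", naive)    # includes the bizsearch entry -> spurious kernel CVE
    print("by field:", strict)   # only the 5.10.0 kernel entry
```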

m-1-k-3 commented 4 months ago

Thx for reporting. You are right, we currently match against the complete cpe identifier. Looks like this brings some issues :(

I will check on this ...