fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

Include full CPE configuration in vulnerability statement #131

Open MagielBruntink opened 1 year ago

MagielBruntink commented 1 year ago

Some CVEs have multiple CPE configurations, linking the CVE to several affected products and versions. An example CVE is https://nvd.nist.gov/vuln/detail/CVE-2022-22970. For matching purposes it is desirable to have access to the full CPE configurations.

Currently, the vulnerability producer only extracts and stores the first configuration. The following code implements this policy: https://github.com/fasten-project/vulnerability-producer/blob/eab1a553ab0a970b042328bab460cb06c5dd9111/src/main/java/eu/fasten/vulnerabilityproducer/utils/parsers/NVDParser.java#L213

It is probably desirable to have a new data field in the (JSON) vulnerability statement, next to the existing base_cpe one. It could be called full_cpe or cpe_config or similar. If possible, the new field should contain a proper JSON object that describes the entire CPE configuration.

Tasks:
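As an added illustration of what the issue asks for (this is example code written for this discussion, not code from the vulnerability-producer project, which is in Java), the Python below keeps the whole NVD configuration tree instead of only the first `cpe23Uri`, emits it as a JSON object under a `cpe_config` field next to `base_cpe` (one of the names proposed above), and evaluates AND/OR nodes plus version bounds against a given product. The input follows the NVD 1.1 feed layout (`configurations.nodes`); the vendor, product names, version bounds and the CVE id placeholder are constructed, not taken from any real CVE, and the function names (`extract_cpe_config`, `first_cpe_only`, `build_statement`, `is_affected`) are hypothetical. The version comparison is a simplified numeric split, not a full semver implementation.

```python
"""Keep and match the full NVD CPE configuration tree (constructed example)."""
import json
import re

# Constructed sample in the NVD 1.1 feed shape: node 1 is an OR over two
# version ranges of one library; node 2 is an AND that only applies when the
# tool runs on a given platform (the platform entry is "vulnerable": false).
SAMPLE_NVD_ITEM = {
    "cve": {"CVE_data_meta": {"ID": "CVE-XXXX-XXXXX"}},  # placeholder id
    "configurations": {"CVE_data_version": "4.0", "nodes": [
        {"operator": "OR", "children": [], "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "5.3.0", "versionEndExcluding": "5.3.20"},
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "5.2.0", "versionEndExcluding": "5.2.22"}]},
        {"operator": "AND", "cpe_match": [], "children": [
            {"operator": "OR", "children": [], "cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:example_vendor:example_tool:*:*:*:*:*:*:*:*",
                 "versionEndExcluding": "2.1.0"}]},
            {"operator": "OR", "children": [], "cpe_match": [
                {"vulnerable": False,
                 "cpe23Uri": "cpe:2.3:o:example_vendor:example_os:-:*:*:*:*:*:*:*"}]}]},
    ]},
}

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def _node_to_json(node):
    """Copy one configuration node, keeping operator, ranges and children."""
    return {
        "operator": node.get("operator", "OR"),
        "cpe_match": [{"cpe23Uri": m["cpe23Uri"],
                       "vulnerable": bool(m.get("vulnerable", True)),
                       **{k: m[k] for k in RANGE_KEYS if k in m}}
                      for m in node.get("cpe_match", [])],
        "children": [_node_to_json(c) for c in node.get("children", [])],
    }


def extract_cpe_config(item):
    """Whole configuration tree as a plain JSON-serialisable list of nodes."""
    return [_node_to_json(n) for n in item["configurations"]["nodes"]]


def first_cpe_only(item):
    """The behaviour the issue describes: first match of the first node only."""
    return item["configurations"]["nodes"][0]["cpe_match"][0]["cpe23Uri"]


def build_statement(item):
    """Vulnerability statement with the old base_cpe and the new cpe_config."""
    statement = {"cve_id": item["cve"]["CVE_data_meta"]["ID"],
                 "base_cpe": first_cpe_only(item),
                 "cpe_config": extract_cpe_config(item)}
    json.dumps(statement)  # must serialise cleanly for the Kafka payload
    return statement


def _version_key(version):
    # Simplified: numeric components compare as ints, anything else sorts first.
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-+]", version))


def _in_range(match, version):
    """Does `version` fall inside the entry's exact version or version bounds?"""
    uri_version = match["cpe23Uri"].split(":")[5]
    if uri_version not in ("*", "-"):
        return uri_version == version  # entry names one exact version
    v = _version_key(version)
    if "versionStartIncluding" in match and v < _version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= _version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > _version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= _version_key(match["versionEndExcluding"]):
        return False
    return True


def _same_product(cpe23uri, vendor, product):
    fields = cpe23uri.split(":")  # fields 3 and 4 are vendor and product
    return fields[3] == vendor and fields[4] == product


def _entry_matches(match, vendor, product, version, env):
    if not match.get("vulnerable", True):
        # Platform condition: satisfied only if the environment lists it.
        return any(_same_product(match["cpe23Uri"], ev, ep) for ev, ep in env)
    return _same_product(match["cpe23Uri"], vendor, product) and _in_range(match, version)


def _node_matches(node, vendor, product, version, env):
    results = [_entry_matches(m, vendor, product, version, env) for m in node.get("cpe_match", [])]
    results += [_node_matches(c, vendor, product, version, env) for c in node.get("children", [])]
    if node.get("operator") == "AND":
        return bool(results) and all(results)
    return any(results)


def is_affected(config, vendor, product, version, env=()):
    """True if any configuration node marks vendor:product@version as affected.

    `env` is an iterable of (vendor, product) pairs describing the platform the
    product runs on; it satisfies the non-vulnerable entries of AND nodes.
    """
    return any(_node_matches(n, vendor, product, version, env) for n in config)


if __name__ == "__main__":
    stmt = build_statement(SAMPLE_NVD_ITEM)
    print(json.dumps(stmt, indent=2))
    cfg = stmt["cpe_config"]
    # The second product is invisible when only the first node is kept.
    print(is_affected(cfg[:1], "example_vendor", "example_tool", "2.0.5",
                      env=[("example_vendor", "example_os")]))  # False
    print(is_affected(cfg, "example_vendor", "example_tool", "2.0.5",
                      env=[("example_vendor", "example_os")]))  # True
```

The point of keeping the tree rather than a flat list of URIs is the AND node: without the platform child, a matcher would either over-report (ignore the platform) or have nowhere to record the condition at all. Dropping everything after the first node, as the current parser does, loses the second product entirely.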