There are issues with the current implementation of the cpe2purl strategy.
Currently, multiple Configurations are extracted from NVD statements. With the updated logic, only the first Configuration is used to extract the baseCPE information for each vulnerability we import from NVD (using NVDParser).
cpe2purl mappings are currently overwritten when a new match is found. This is not a safe overwrite, as the correspondences we import from the Debian Security Tracker are lost. The updated logic therefore does not overwrite existing mappings.
getCPEVersions in the VersionRanger did not take into account the different ways in which version ranges are reported on NVD. As you can see by comparing CVE-2021-25329, CVE-2021-20240 and CVE-2019-10247, the reporting of ranges is inconsistent. This resulted in incorrect versions being reported.
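To make the two data-handling points concrete, here is an added, stand-alone Python example (not the project's NVDParser/VersionRanger code, which is not shown on this page). It walks NVD JSON 1.1 configuration nodes and turns each vulnerable cpe_match into a version constraint, covering the three shapes NVD actually uses: an exact version in the CPE string itself, a wildcard version with versionStart*/versionEnd* bounds, and an open-ended range with only one bound. It also shows a non-overwriting merge of cpe2purl mappings that reports the conflicts it skipped instead of silently replacing an existing (e.g. Debian Security Tracker) entry. The cpe_match sample is constructed and does not reproduce any real CVE; the version ordering is a simplified dotted-version key (assumption: pre-release suffixes are not handled as semver would).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# CPE 2.3 formatted strings separate fields with ":"; a literal colon inside a
# value is escaped as "\:", so split only on unescaped colons.
_CPE_SEP = re.compile(r"(?<!\\):")


def _version_key(v: str) -> Tuple:
    """Sort key for dotted versions: numeric parts compare as ints, text parts
    as strings, and a shorter prefix sorts first (9.0 < 9.0.1).
    Assumption: good enough for numeric release trains, not full semver."""
    return tuple(
        (0, int(tok), "") if tok.isdigit() else (1, 0, tok)
        for tok in re.split(r"[.\-+]", v)
    )


@dataclass(frozen=True)
class VersionConstraint:
    base_cpe: str              # cpe:2.3:part:vendor:product
    exact: Optional[str]       # set when the CPE string carries a concrete version
    start: Optional[str]       # lower bound, or None for open-ended
    start_inclusive: bool
    end: Optional[str]         # upper bound, or None for open-ended
    end_inclusive: bool

    def matches(self, version: str) -> bool:
        k = _version_key(version)
        if self.exact is not None:
            return k == _version_key(self.exact)
        if self.start is not None:
            s = _version_key(self.start)
            if k < s or (k == s and not self.start_inclusive):
                return False
        if self.end is not None:
            e = _version_key(self.end)
            if k > e or (k == e and not self.end_inclusive):
                return False
        return True


def parse_cpe_match(m: dict) -> VersionConstraint:
    """Normalise one NVD 1.1 cpe_match object, whichever way it expresses versions."""
    fields = _CPE_SEP.split(m["cpe23Uri"])
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {m['cpe23Uri']}")
    base = ":".join(fields[:5])
    raw_version = fields[5]
    # "*" (ANY) and "-" (NA) both mean the CPE string itself pins no version.
    exact = None if raw_version in ("*", "-") else raw_version.replace("\\", "")
    start_incl, start_excl = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    end_incl, end_excl = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    has_range = any(x is not None for x in (start_incl, start_excl, end_incl, end_excl))
    if exact is not None and has_range:
        raise ValueError(f"exact version and range bounds on the same entry: {m}")
    if (start_incl and start_excl) or (end_incl and end_excl):
        raise ValueError(f"both inclusive and exclusive bound on one side: {m}")
    return VersionConstraint(
        base_cpe=base,
        exact=exact,
        start=start_incl if start_incl is not None else start_excl,
        start_inclusive=start_excl is None,
        end=end_incl if end_incl is not None else end_excl,
        end_inclusive=end_excl is None,
    )


def iter_vulnerable_matches(nodes: Iterable[dict]) -> Iterable[dict]:
    """Walk configuration nodes recursively; nodes may nest under 'children'.
    Entries with vulnerable=false (e.g. the platform side of an AND node) are skipped."""
    for node in nodes:
        for m in node.get("cpe_match", []):
            if m.get("vulnerable", False):
                yield m
        yield from iter_vulnerable_matches(node.get("children", []))


def affected_versions(nodes: List[dict], base_cpe: str, known_versions: Iterable[str]) -> List[str]:
    """Return the known release versions of base_cpe that fall under any vulnerable constraint."""
    constraints = [c for c in map(parse_cpe_match, iter_vulnerable_matches(nodes)) if c.base_cpe == base_cpe]
    hits = {v for v in known_versions if any(c.matches(v) for c in constraints)}
    return sorted(hits, key=_version_key)


def merge_cpe2purl(existing: Dict[str, str], incoming: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Add new CPE->purl mappings without overwriting. Returns {cpe: (kept, rejected)}
    for every incoming entry that disagreed with an existing one."""
    conflicts = {}
    for cpe, purl in incoming.items():
        if cpe not in existing:
            existing[cpe] = purl
        elif existing[cpe] != purl:
            conflicts[cpe] = (existing[cpe], purl)
    return conflicts


# Constructed sample shaped like NVD JSON 1.1 "configurations.nodes"; not real CVE data.
SAMPLE_NODES = [
    {"operator": "OR", "cpe_match": [
        # style 1: concrete version inside the CPE string, no range keys
        {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:server:9.0.41:*:*:*:*:*:*:*"},
        # style 2: wildcard version plus an inclusive lower and upper bound
        {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:server:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "8.5.0", "versionEndIncluding": "8.5.61"},
        # style 3: open-ended range with only an exclusive upper bound
        {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example:server:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "7.0.108"},
        {"vulnerable": False, "cpe23Uri": "cpe:2.3:o:example:os:-:*:*:*:*:*:*:*"},
    ]},
]
KNOWN_RELEASES = ["7.0.107", "7.0.108", "8.5.0", "8.5.61", "8.5.62", "9.0.40", "9.0.41", "9.0.42"]

if __name__ == "__main__":
    print(affected_versions(SAMPLE_NODES, "cpe:2.3:a:example:server", KNOWN_RELEASES))
```

Treating an exact version and range bounds on the same entry as an error, rather than letting one silently win, is deliberate: the inconsistency across CVE records is exactly what produced wrong versions, so an entry that does not fit any of the three known shapes should fail loudly rather than be guessed at.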