jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Handling of - (NA) in CPE #6499

Open OrangeDog opened 4 months ago

OrangeDog commented 4 months ago

Describe the bug

The value of - for a CPE field is supposed to mean "NA" but it is not apparent how that should be handled differently to "ANY".

I have noticed it being used for the version in CVE-2024-1459, as cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*, causing that to not be detected at all.

Version of dependency-check used

Maven plugin 9.0.9

To Reproduce

<dependency>
  <groupId>io.undertow</groupId>
  <artifactId>undertow-core</artifactId>
  <version>2.3.12.Final</version>
</dependency>

Expected behavior

I guess this should be a match, as the CVE description seems to indicate it applies to all versions (currently).
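The distinction the report turns on is defined in the CPE 2.3 naming and matching specifications (NISTIR 7695/7696), where `*` is the logical value ANY and `-` is NA, and NA compared against a concrete value is DISJOINT while ANY is a SUPERSET of it. The following is an added example, not code from dependency-check or CPE-Parser: a minimal formatted-string parser and the pairwise attribute comparison, run against the CVE-2024-1459 CPE quoted above and a constructed CPE for the undertow-core 2.3.12.Final dependency. It assumes plain attribute values (embedded `?`/`*` wildcards inside a field are not handled).

```python
# Added example (not part of dependency-check or CPE-Parser): CPE 2.3
# formatted-string parsing plus the NISTIR 7696 attribute comparison,
# so the difference between ANY (*) and NA (-) is explicit.
import re

ANY, NA = "ANY", "NA"          # logical values; everything else is a plain string
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(fs: str) -> dict:
    """Split a cpe:2.3 formatted string into its 11 attributes.

    Splits only on unescaped ':' and maps '*' -> ANY and '-' -> NA,
    which are distinct logical values, not interchangeable wildcards."""
    if not fs.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string")
    parts = re.split(r"(?<!\\):", fs[len("cpe:2.3:"):])
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 11 components, got {len(parts)}")
    return {k: (ANY if v == "*" else NA if v == "-" else v)
            for k, v in zip(FIELDS, parts)}

def compare_attr(source, target) -> str:
    """NISTIR 7696 pairwise comparison of one attribute (source vs target).
    Simplification: embedded wildcards inside a string value are not handled."""
    if source == target:            # ANY/ANY, NA/NA or identical strings
        return "EQUAL"
    if source == ANY:
        return "SUPERSET"           # ANY contains NA and every concrete value
    if target == ANY:
        return "SUBSET"
    return "DISJOINT"               # NA vs concrete, or two different strings

def cpe_match(source: str, target: str) -> bool:
    """A source CPE (e.g. a CVE's applicability entry) matches a target CPE
    (an observed dependency) only when no attribute compares DISJOINT."""
    s, t = parse_cpe23(source), parse_cpe23(target)
    return all(compare_attr(s[f], t[f]) != "DISJOINT" for f in FIELDS)

# The CPE from CVE-2024-1459 as quoted in the issue, and a constructed
# observed-dependency CPE for undertow-core 2.3.12.Final.
CVE_CPE = "cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*"
OBSERVED = "cpe:2.3:a:redhat:undertow:2.3.12.Final:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print("version attr:", compare_attr(parse_cpe23(CVE_CPE)["version"],
                                        parse_cpe23(OBSERVED)["version"]))
    print("matches:", cpe_match(CVE_CPE, OBSERVED))
```

Under the strict spec semantics the NA version is DISJOINT from any concrete version, so the CVE entry above does not match the observed dependency; replacing `-` with `*` in the source CPE makes it a SUPERSET match, which is exactly the gap the issue describes.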

jeremylong commented 2 months ago

I wonder if this bug is now located in https://github.com/stevespringett/CPE-Parser

I'll have to do some testing.

OrangeDog commented 2 months ago

Just to note that example CVE is actually fixed in 2.3.12.Final, but I don't think any data sources have been updated to reflect that (they hadn't when I filed this). Testing with 2.3.11 may be a more reliable reproduction.