Open OrangeDog opened 4 months ago
I wonder if this bug is now located in https://github.com/stevespringett/CPE-Parser
I'll have to do some testing.
Just to note that example CVE is actually fixed in 2.3.12.Final, but I don't think any data sources have been updated to reflect that (they hadn't when I filed this). Testing with 2.3.11 may be a more reliable reproduction.
Describe the bug
The value of `-` for a CPE field is supposed to mean "NA" but it is not apparent how that should be handled differently to "ANY". I have noticed it being used for the version in CVE-2024-1459, as `cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*`, causing that to not be detected at all.

Version of dependency-check used
Maven plugin 9.0.9
To Reproduce
Expected behavior I guess this should be a match, as the CVE description seems to indicate it applies to all versions (currently).
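To make the `-` versus `*` distinction concrete, here is an added example, not code from dependency-check or CPE-Parser: a small Python parser for CPE 2.3 formatted strings plus the per-attribute comparison from the CPE Name Matching specification (NISTIR 7696). In that specification `*` is ANY, `-` is NA, and NA compared with a concrete value is DISJOINT, so a matcher that follows it will not pair the CVE's `-` version with a component identified at a specific version, whereas `*` in the same position would. The CVE string is the one from the report; the detected version `2.2.1` and the `*`-version variant are constructed for the example.

```python
"""CPE 2.3 formatted strings: '*' (ANY) vs '-' (NA), compared per NISTIR 7696."""
import re
from enum import Enum
from typing import Dict, List, Tuple, Union

# Attribute names in the order they follow the "cpe:2.3:" prefix.
ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

class Logical(Enum):
    ANY = "*"  # wildcard: any value, including no value at all
    NA = "-"   # not applicable: the attribute has no meaningful value

class Relation(Enum):
    EQUAL = "EQUAL"
    SUBSET = "SUBSET"      # source is narrower than target
    SUPERSET = "SUPERSET"  # source covers target
    DISJOINT = "DISJOINT"

Attr = Union[str, Logical]

def _split_fs(fs: str) -> List[str]:
    """Split on ':' while keeping an escaped '\\:' inside a value as data."""
    parts, cur, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_cpe23(fs: str) -> Tuple[Attr, ...]:
    """Parse a formatted string into 11 attributes, mapping '*' to ANY and '-' to NA."""
    parts = _split_fs(fs)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    attrs: List[Attr] = []
    for raw in parts[2:]:
        if raw == "":
            raise ValueError(f"empty attribute in {fs!r}")
        attrs.append(Logical(raw) if raw in ("*", "-") else raw)
    return tuple(attrs)

def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a source value that may use '*' / '?' wildcards against a plain target value."""
    regex, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # escaped character is literal
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        i += 1
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def compare_attribute(source: Attr, target: Attr) -> Relation:
    """Relation of a source attribute (e.g. a CVE's match string) to the same
    attribute of a target (an identified component), per NISTIR 7696 section 6.1."""
    if source is Logical.ANY:
        return Relation.EQUAL if target is Logical.ANY else Relation.SUPERSET
    if source is Logical.NA:
        if target is Logical.NA:
            return Relation.EQUAL
        return Relation.SUBSET if target is Logical.ANY else Relation.DISJOINT
    if target is Logical.ANY:   # concrete source, wildcard target
        return Relation.SUBSET
    if target is Logical.NA:    # concrete source, NA target
        return Relation.DISJOINT
    if source.lower() == target.lower():
        return Relation.EQUAL
    unescaped = re.sub(r"\\(.)", r"\1", target)
    return Relation.SUPERSET if _wildcard_match(source, unescaped) else Relation.DISJOINT

def explain(source_fs: str, target_fs: str) -> Dict[str, str]:
    """Relation name per attribute, to show which field blocks a match."""
    src, tgt = parse_cpe23(source_fs), parse_cpe23(target_fs)
    return {name: compare_attribute(s, t).name
            for name, s, t in zip(ATTRIBUTES, src, tgt)}

def matches(source_fs: str, target_fs: str) -> bool:
    """True when the source covers the target: every attribute EQUAL or SUPERSET."""
    return all(r in ("EQUAL", "SUPERSET") for r in explain(source_fs, target_fs).values())

# From the issue: the CVE-2024-1459 entry with NA ('-') as the version.
CVE_CPE = "cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*"
# Constructed for this example: a component identified at a concrete version,
# and the same entry written with ANY ('*') instead of NA.
DETECTED = "cpe:2.3:a:redhat:undertow:2.2.1:*:*:*:*:*:*:*"
ANY_VERSION = "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*"
```

`explain(CVE_CPE, DETECTED)["version"]` comes back as `DISJOINT` and `matches` is false, while `ANY_VERSION` against the same component gives `SUPERSET` and a match; naming the blocking attribute is the first thing to look at when an entry that reads as "all versions" produces no finding.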