scanoss / purl2cpe

PURL to CPE Relationship mapping project.
MIT License

Some CPEs ending with `:*:*:*:*:*:*:*:*` are missing #7

Closed huanceng closed 1 year ago

huanceng commented 1 year ago

Firstly, thank you for your great job!

Recently, I found that some CPEs ending with `:*:*:*:*:*:*:*:*` are missing. For example, `cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*` is not listed in this yaml, and it's not an isolated case.

scanossmining commented 1 year ago

Hi @huanceng. The reason this CPE and other CPEs of the same format are not included in our dataset is that they are also not reported by NVD as CPEs. Our source of CPE mining is the NVD API, so if a CPE is not in there, we will not include it either. You can query the NVD API yourself using this URL, and you will see that `cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*` is not included in the results. If you want to map the "any version" CPE of a product, I suggest you use `-` in the version field of the CPE. So for this product, the CPE will be `cpe:2.3:a:artifex:ghostscript:-:*:*:*:*:*:*:*`.

huanceng commented 1 year ago

I got the CPE `cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*` from this URL. It seems NVD itself uses the unreported CPE.

scanossmining commented 1 year ago

That is not a CPE, that is a Match Criteria string. According to the CPE API documentation: CPE Match Criteria comes in two forms: CPE Match Strings and CPE Match String Ranges. Both are abstract concepts that are then correlated to CPE URIs in the Official CPE Dictionary. Unlike a CPE Name, match strings and match string ranges do not require a value in the part, vendor, product, or version components. The CVE API returns CPE Match Criteria within the configurations object.
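As an added example (not code from purl2cpe or from anyone in this thread), a small Python helper that splits a `cpe:2.3` string into its components, tells a dictionary-style CPE name from a wildcard match-criteria string, and checks whether a match-criteria string covers a concrete name. The matching rule is deliberately simplified: `*` in the criteria matches any value, everything else must be equal, and version ranges are not handled.

```python
import re

# The 11 components of a cpe:2.3 formatted string, in order (NISTIR 7695 naming).
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe: str) -> dict:
    """Split a cpe:2.3 formatted string into a dict of its 11 components.

    A colon escaped as '\\:' inside a value is part of the value, not a separator.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a cpe:2.3 formatted string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} components, got {len(parts)}: {cpe}")
    return dict(zip(FIELDS, parts))


def classify(cpe: str) -> str:
    """Return 'match-criteria' or 'cpe-name'.

    NVD match criteria may leave part/vendor/product/version as '*' (ANY).
    A CPE name in the dictionary carries concrete values there, or '-' in
    the version field for the product-level entry this thread recommends.
    """
    c = split_cpe23(cpe)
    if any(c[f] == "*" for f in ("part", "vendor", "product", "version")):
        return "match-criteria"
    return "cpe-name"


def criteria_covers(criteria: str, name: str) -> bool:
    """True if every component of `criteria` is '*' or equals that of `name`.

    Simplified rule: no version ranges, no partial wildcards inside a value.
    """
    a, b = split_cpe23(criteria), split_cpe23(name)
    return all(a[f] == "*" or a[f] == b[f] for f in FIELDS)


if __name__ == "__main__":
    # The strings discussed in this issue (constructed 9.50 name for illustration).
    any_version = "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*"
    dash_version = "cpe:2.3:a:artifex:ghostscript:-:*:*:*:*:*:*:*"
    print(classify(any_version), classify(dash_version))
```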

huanceng commented 1 year ago

@scanossmining thank you for your explanation.