fix: parse CPE names correctly #4041 (#4063)

Signed-off-by: fthdrmzzz <[email protected]> Co-authored-by: Terri Oda <[email protected]>
intel · Apr 25, 2024 · daea8e4 · daea8e4
1 parent ec67e43
commit daea8e4
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/cve_bin_tool/data_sources/nvd_source.py b/cve_bin_tool/data_sources/nvd_source.py
@@ -183,7 +183,8 @@ def parse_node(self, node: dict[str, list[dict[str, str]]]) -> list[dict[str, st
         if "cpe_match" in node:
             vulnerable_matches = (m for m in node["cpe_match"] if m["vulnerable"])
             for cpe_match in vulnerable_matches:
-                cpe_split = cpe_match["cpe23Uri"].split(":")
+                # split on `:` only if it's not escaped
+                cpe_split = re.split(r"(?<!\\):", cpe_match["cpe23Uri"])
                 affects = {
                     "vendor": cpe_split[3],
                     "product": cpe_split[4],
@@ -290,7 +291,8 @@ def parse_node_api2(
         if "cpeMatch" in node:
             vulnerable_matches = (m for m in node["cpeMatch"] if m["vulnerable"])
             for cpe_match in vulnerable_matches:
-                cpe_split = cpe_match["criteria"].split(":")
+                # split on `:` only if it's not escaped
+                cpe_split = re.split(r"(?<!\\):", cpe_match["criteria"])
                 affects = {
                     "vendor": cpe_split[3],
                     "product": cpe_split[4],