fix: ignore non-vulnerable CPEs from NVD CVEs

[gluesmith2021]

fixes #3136 (at least partially: it excludes the "longer term potential feature" part)

As described in above issue, NVD source provides a list of affected CPE for a given CVE. This list may include non-vulnerable products such as OSes an affected product runs on, e.g. application v3.4 is vulnerable when it runs on Windows. The latter, although being mentioned in a CPE for this CVE, is not vulnerable with regard to that CVE.

Whether a CPE is vulnerable or not is provided in a vulnerable attribute that can be used during data ingestion. See Response configuration JSON sample. This PR ignores non-vulnerable CPEs when building/refreshing the CVE DB

Limitations

• On a DB refresh, vulnerable will be used, but it won't remove existing entries about non-vulnerable products (ingested from actual cve-bin-tool version). There is no way to figure it out from the current DB.
• It does not address the "missing relations" part of the issue (the "longer term potential feature"), as non-vulnerable products that would take part in such relations are now ignored.

Note: I could not find unit tests related to NVD source parsing to build upon. I'll welcome suggestions, if any, regarding warranted tests for this PR.

[terriko]

Thanks for working on this! I've approved the tests to run.

Yeah, testing this one is a pain because of the way we're currently querying the database (which used to work a lot better back when the code was written, but the amount of use the NVD sees now is very different). I think ideally we'd swap to loading in a small set of JSON files for each test and using a test db copy so we could handle this sort of test that changes the DB better; I was hoping once we got the mirror code handling arbitrary JSON loading this would be easy, but it's not quite there yet. i guess the easiest thing to do is add the test for this one in a separate PR later.

[codecov-commenter]

Codecov Report

Merging #3245 (3d3a159) into main (06b55f7) will decrease coverage by 0.12%.
Report is 20 commits behind head on main.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##             main    #3245      +/-   ##
==========================================
- Coverage   81.01%   80.90%   -0.12%     
==========================================
  Files         716      722       +6     
  Lines       11163    11211      +48     
  Branches     1497     1504       +7     
==========================================
+ Hits         9044     9070      +26     
- Misses       1719     1734      +15     
- Partials      400      407       +7     

Flag	Coverage Δ
longtests	75.58% <0.00%> (-4.91%)	⬇️
win-longtests	78.83% <50.00%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
cve_bin_tool/data_sources/nvd_source.py	55.95% <50.00%> (-0.05%)	⬇️

... and 16 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[terriko]

Okay, I think it makes most sense to get this merged now, and we can build in tests and more as we figure out the best ways to do that. Thank you again for your work on finding and fixing this one!