CPE 2.3 BUG

[vserecun]

Hi

I found out the bug during parsing of CPE2.3. You can find the same strings in NVD or circl CVE-2014-7025

>>> cpe.CPE("cpe:2.3:a:disney:where\'s_my_water\?_free:1.9.1:*:*:*:*:android:*:*")
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "./venv/python3.8/site-packages/cpe/cpe.py", line 311, in __new__
    raise NotImplementedError(errmsg)
NotImplementedError: Version of CPE not implemented

The same error occurs for CPE strings:

cpe:2.3:a:disney:where\\'s_my_perry?_free:1.5.1:*:*:*:*:android:*:*
cpe:2.3:a:disney:where\\'s_my_water?_free:1.9.1:*:*:*:*:android:*:*
cpe:2.3:a:gratta_\\&_vinci?_project:gratta_\\&_vinci?:0.21.13167.93474:*:*:*:*:android:*:*
cpe:2.3:a:whoisit:who-is-it?_lite_name_caller_time_limited_free:1:*:*:*:*:android:*:*

Problem is probably with special characters '?& in product part of CPE string.

[nilp0inter]

I think you are right, I tracked it down to cpe/comp/cpecomp2_3_fs.py. Unfortunately I have no time to expend in this. Feel free to send a pull request if you fix it.

[ocervell]

Any updates 4 years after ?

The following CPE fails to parse for instance:

cpe:2.3:a:ssh:ssh:8.4p1-5+deb11u2:*:*:*:*:*:*:*