Description
Hello, I think I have noticed a small bug.
In nvd_source.py the product data is split by `:`.
```python
def parse_node(self, node: dict[str, list[dict[str, str]]]) -> list[dict[str, str]]:
    affects_list = []
    if "cpe_match" in node:
        vulnerable_matches = (m for m in node["cpe_match"] if m["vulnerable"])
        for cpe_match in vulnerable_matches:
            cpe_split = cpe_match["cpe23Uri"].split(":")  # HERE!!!
            affects = {
                "vendor": cpe_split[3],
                "product": cpe_split[4],
                "version": cpe_split[5],
            }
```
However, in some cases there is a `:` in the name of the vendor or the product, and NVD escapes these `:`'s by putting a backslash in front. Example here:
This results in recording the product as `\` in the database. To check and see it, I made a simple SQL query to the mysql database stored in ~/.cache/cve-bin-tool/cve.db:
```
$ select * from cve_range where product like "\" LIMIT 2;
CVE-2007-4829 | archive\ | \ | tar_project|||1.36||NVD
```
I don't know what the effects of this bug are on the tool's behavior. Maybe it might miss some CVEs on binaries that it was supposed to hit.
Please assign me for this.
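The escape handling the issue asks for, as an added example (not code from the issue or from cve-bin-tool): a splitter that keeps a backslash-escaped `:` inside its component, shown next to the naive `str.split(":")`. The sample CPE string is constructed to match the CVE-2007-4829 row above, and unescaping components to their literal characters is an assumption about what should be stored.

```python
from typing import Dict, List

CPE23_PREFIX = "cpe:2.3:"
FIELD_NAMES = ["part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other"]

def naive_split(cpe23: str) -> Dict[str, str]:
    """The approach the issue describes: str.split(':') ignores escaped colons."""
    parts = cpe23.split(":")
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}

def split_cpe23(cpe23: str) -> List[str]:
    """Split a CPE 2.3 formatted string on unescaped ':' only.
    A backslash escapes the character after it, so '\\:' stays inside the
    component; escaped characters are returned unescaped (literal).
    """
    if not cpe23.startswith(CPE23_PREFIX):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe23!r}")
    components: List[str] = []
    current: List[str] = []
    chars = iter(cpe23[len(CPE23_PREFIX):])
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)  # take the escaped character literally
            if nxt is None:
                raise ValueError("dangling backslash at end of CPE string")
            current.append(nxt)
        elif ch == ":":
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
    components.append("".join(current))
    if len(components) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} components, got {len(components)}")
    return components

def parse_cpe23(cpe23: str) -> Dict[str, str]:
    """The vendor/product/version triple the nvd_source parser records."""
    fields = dict(zip(FIELD_NAMES, split_cpe23(cpe23)))
    return {key: fields[key] for key in ("vendor", "product", "version")}

# Constructed sample shaped like the CVE-2007-4829 row in the issue (Perl's
# Archive::Tar); NVD escapes the '::' in the product name as '\:\:'.
SAMPLE = r"cpe:2.3:a:tar_project:archive\:\:tar:1.36:*:*:*:*:*:*:*"

if __name__ == "__main__":
    print("naive split:", naive_split(SAMPLE))
    print("escape-aware:", parse_cpe23(SAMPLE))
```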