Include full CPE configuration in vulnerability statement

[MagielBruntink]

Some CVEs have multiple CPE configurations, linking the CVE to several affected products and versions. An example CVE is https://nvd.nist.gov/vuln/detail/CVE-2022-22970
For matching purposes it is desirable to have access to the full CPE configurations.

Currently, the vulnerability producer only extracts and stores the first configuration. This following code implements this policy:

vulnerability-producer/src/main/java/eu/fasten/vulnerabilityproducer/utils/parsers/NVDParser.java

Line 213 in eab1a55

// grab only the first configuration

It is probably desirable to have a new data field in the (JSON) vulnerability statement, next to the existing base_cpe one. It could be called full_cpe or cpe_config or similar. If possible, the new field should contain a proper JSON object that describes the entire CPE configuration.

Tasks:

• Extend Vulnerability data object.
• Implement extracting of all CPE configs and putting them in the data object.
• Validate functionality of down-stream plugins (eg. https://github.com/fasten-project/fasten/tree/develop/analyzer/vulnerability-statements-processor), which may need changes to their expected data format if a new field is added.