Fix: Allow missing cpeMatch in CVE configurations

timopollmeier · bjoernricks · commit e26b01666434 · 2025-03-10T09:03:55.000+01:00
The CVEs feed can contain configurations without a cpeMatch field if a
CVE only affects products for which no CPE has been assigned.
diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
@@ -3862,10 +3862,15 @@ get_cve_configuration_node_fields (cJSON* node_item,
 
   *cpe_matches_array = cJSON_GetObjectItemCaseSensitive (node_item,
                                                          "cpeMatch");
-  if (!cJSON_IsArray (*cpe_matches_array))
+  if (*cpe_matches_array == NULL)
     {
-      g_warning ("%s: cpeMatch missing or not an array for %s.",
-                  __func__, cve_id);
+      g_debug ("%s: cpeMatch missing for %s.",
+               __func__, cve_id);
+    }
+  else if (!cJSON_IsArray (*cpe_matches_array))
+    {
+      g_warning ("%s: cpeMatch not an array for %s.",
+                 __func__, cve_id);
       return -1;
     }
 
