Guard against bad CPE value

Author: Prabhu Subramanian

setup.py

@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="appthreat-vulnerability-db",
-    version="1.6.1",
+    version="1.6.2",
     author="Team AppThreat",
     author_email="cloud@appthreat.com",
     description="AppThreat's vulnerability database and package search library with a built-in file based storage. CVE, GitHub, npm are the primary sources of vulnerabilities.",

vdb/lib/__init__.py

@@ -9,7 +9,7 @@
 
 # CPE Regex
 CPE_REGEX = re.compile(
-    "cpe:?:[^:]+:[^:]+:(?P<vendor>[^:]+):(?P<package>[^:]+):(?P<version>[^:]+)"
+    "cpe:?:[^:]+:[^:]+:(?P<vendor>[^:]+):(?P<package>[^:]+):(?P<version>[^:]+)?"
 )
 
 
@@ -142,17 +142,37 @@ def __init__(
     ):
         parts = CPE_REGEX.match(cpe_uri)
         self.cpe_uri = cpe_uri
-        self.package = package if package else parts.group("package")
-        self.min_affected_version_including = (
-            min_affected_version_including
-            if min_affected_version_including
-            else parts.group("version")
-        )
-        self.max_affected_version_including = (
-            max_affected_version_including
-            if max_affected_version_including
-            else parts.group("version")
-        )
+        # Occasionally, NVD CPE value could be invalid. We need to guard against this
+        if parts:
+            self.package = package if package else parts.group("package")
+            self.min_affected_version_including = (
+                min_affected_version_including
+                if min_affected_version_including
+                else parts.group("version")
+            )
+            self.max_affected_version_including = (
+                max_affected_version_including
+                if max_affected_version_including
+                else parts.group("version")
+            )
+        else:
+            # Use split to extract the package name in case of bad CPE value
+            package_workaround = ""
+            if cpe_uri:
+                cpe_parts = cpe_uri.split(":")
+                if len(cpe_parts) > 4:
+                    package_workaround = cpe_parts[4]
+            self.package = package if package else package_workaround
+            self.min_affected_version_including = (
+                min_affected_version_including
+                if min_affected_version_including
+                else "*"
+            )
+            self.max_affected_version_including = (
+                max_affected_version_including
+                if max_affected_version_including
+                else "*"
+            )
         self.min_affected_version_excluding = (
             min_affected_version_excluding if min_affected_version_excluding else None
         )