Description
As a Triager performing vulnerability triage and prioritization, I struggle with false alarms from inaccurate CVE data because broad “up to version X” ranges cause unnecessary panic and wasted remediation effort when a calm, informed check would show the issue doesn’t apply.
Here's an example: CVE-2022-22965 applies to Spring Framework-related technologies using JDK 9 and above. You may have an older application using an older version of Spring Framework, which would not be using the newer JDK. Since the CPE indicates the vulnerability applies to all versions below a certain number, many older applications would get this CVE. Yet practically speaking, they would not be affected. Had the CPE been more accurate (or indicated that the affected versions must also be versions that support the later JDK versions) we'd save triage effort.
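To make the false-alarm gap concrete, here is an added example (not code from the issue or from any tool) that matches an inventory against an NVD-style `versionEndExcluding` range, first on the range alone and then with the runtime precondition the issue describes. The version bound, the `min_runtime_jdk` field and the application inventory are constructed sample values, not the authoritative data for CVE-2022-22965.

```python
"""Added example: range-only CPE matching vs. a check that also requires
the runtime condition a CVE actually needs. All bounds and apps are
constructed samples, not authoritative data for CVE-2022-22965."""
from dataclasses import dataclass
from typing import Optional, List, Tuple


def parse_version(v: str) -> tuple:
    """Turn '5.3.17' into (5, 3, 17) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class CpeMatch:
    """One NVD-style match node: affected if version < version_end_excluding."""
    product: str
    version_end_excluding: str
    # Extra applicability condition plain CPE data cannot express (constructed field).
    min_runtime_jdk: Optional[int] = None


@dataclass
class App:
    name: str
    product: str
    version: str
    jdk: int


def naive_match(app: App, m: CpeMatch) -> bool:
    """What a range-only matcher does: every lower version is flagged."""
    return (app.product == m.product
            and parse_version(app.version) < parse_version(m.version_end_excluding))


def informed_match(app: App, m: CpeMatch) -> bool:
    """Range match AND the runtime precondition the CVE needs to apply."""
    if not naive_match(app, m):
        return False
    if m.min_runtime_jdk is not None and app.jdk < m.min_runtime_jdk:
        return False  # older JDK: the affected code path is not in play
    return True


def triage(apps: List[App], m: CpeMatch) -> Tuple[List[str], List[str]]:
    """Names flagged by each strategy, so the false-alarm gap can be sized."""
    naive = [a.name for a in apps if naive_match(a, m)]
    informed = [a.name for a in apps if informed_match(a, m)]
    return naive, informed


# Constructed inventory; the bound 5.3.18 is a sample, not the real NVD range.
SPRING_CVE = CpeMatch("spring_framework", "5.3.18", min_runtime_jdk=9)
INVENTORY = [
    App("legacy-billing", "spring_framework", "4.3.30", jdk=8),
    App("portal", "spring_framework", "5.3.15", jdk=11),
    App("reports", "spring_framework", "5.3.18", jdk=17),
]

if __name__ == "__main__":
    print(triage(INVENTORY, SPRING_CVE))
```

The range-only pass flags the JDK 8 application along with the real hit; the informed pass flags only the application that meets both conditions.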