5.1.0 accepts "version" wildcarding

[ElectricNroff]

Some data providers use * wildcarding within this field:

cve-schema/schema/CVE_Record_Format.json

Lines 298 to 300 in 6af5c9c

	"version": {
	"description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
	"$ref": "#/definitions/version"

About 100 to 200 CVE Records are affected, beyond those affected by the #323 issue. It's possible that not all strings defined by:

cve-schema/schema/CVE_Record_Format.json

Lines 81 to 86 in 6af5c9c

	"version": {
	"description": "A single version of a product, as expressed in its own version numbering scheme.",
	"type": "string",
	"minLength": 1,
	"maxLength": 1024
	},

should be accepted, and that there should instead be a pattern that excludes * in some contexts.

This apparently occurs most often for the PHP CNA, e.g.,

CVE-2024-5585
...
            {
              "lessThan": "8.1.29",
              "status": "affected",
              "version": "8.1.*",
              "versionType": "semver"
            },

CVE-2023-3247
...
            {
              "lessThan": "8.0.29",
              "status": "affected",
              "version": "8.0.*",
              "versionType": "semver"
            },

but can occur for others:

GitHub_M
CVE-2020-26269
...
            {
              "status": "affected",
              "version": ".4.0rc*"
            }

(typo of 2.4.0rc*)

icscert
CVE-2023-1934
...
            {
              "status": "affected",
              "version": "2.*"
            }

schneider
CVE-2022-0222
...
            {
              "version": "BMXP34*",
              "status": "affected",
              "lessThan": "V3.40",
              "versionType": "custom"
            }

There are some instances that were carried over from JSON 4 data, e.g.,

palo_alto
CVE-2022-0027
...
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "Cortex XSOAR",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "affected",
              "version": "6.1.*"
            },
...
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@paloaltonetworks.com",
          "DATE_PUBLIC": "2022-05-11T16:00:00.000Z",
          "ID": "CVE-2022-0027",
...
                          {
                            "version_affected": "=",
                            "version_name": "6.1",
                            "version_value": "6.1.*"
                          },

(Also, there are many instances where "version" includes * only because of the ...[truncated*] that was added by the JSON 4 to 5 upconversion, e.g., https://github.com/CVEProject/cvelistV5/blob/63f427c6747499216ccd89d92d1cd7306ab65994/cves/2020/11xxx/CVE-2020-11309.json#L11 and more than 200 others from Qualcomm.)

Finally, it may be legitimate to have a * in "version" if versionType cpe comes into active use, e.g.,

cisa-cg
CVE-2023-45197
...
            {
              "lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.3:*:*:*:*:*:*:*",
              "status": "affected",
              "version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*",
              "versionType": "cpe"
            }