How to map the CPE match to the CVE 5.0 versions array?

[ammerzon]

This is a follow-up to my previous question @chandanbn answered. Considering the fields of a CPE match, namely

• versionStartExcluding
• versionStartIncluding
• versionEndExcluding
• versionEndIncluding
• criteria (e.g. cpe:2.3:a:rubyonrails:rails:0.9.1:*:*:*:*:*:*:*)

How can this information be mapped to the CVE 5.0 format that has the fields

• version
• lessThan
• lessThanOrEqual

Especially when a configuration object has an AND operator like the following JSON from CVE-2021-40423:

"configurations":[
  {
    "operator":"AND",
    "nodes":[
      {
        "operator":"OR",
        "negate":false,
        "cpeMatch":[
          {
            "vulnerable":true,
            "criteria":"cpe:2.3:o:reolink:rlc-410w_firmware:3.0.0.136_20121102:*:*:*:*:*:*:*",
            "matchCriteriaId":"2C79EEB2-5A28-48DE-95AB-197DAD087B06"
          }
        ]
      },
      {
        "operator":"OR",
        "negate":false,
        "cpeMatch":[
          {
            "vulnerable":false,
            "criteria":"cpe:2.3:h:reolink:rlc-410w:-:*:*:*:*:*:*:*",
            "matchCriteriaId":"260FB388-A221-4900-92FB-FAB90529647D"
          }
        ]
      }
    ]
  }
]

[zmanion]

I just noticed this question, you may be interested in CVEProject/quality-workgroup#12, the result of which is that the CVE Format will be updated to support CPE Match Criteria. Part of this will involve trying to have CVE affected and CPE configurations not conflict. I'd say "agree" but I'm not yet sure complete agreement (or the exact same information) will be possible in both elements.

[ammerzon]

Thank you, @zmanion, for the reference. I'll check it out.