There are two Tomcat vulnerabilities in NVD that don't have a specific version, i.e. CVE-2016-5425 and CVE-2016-6325. As a result, they need to be – sooner or later – suppressed. According to
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5425 and
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6325, they both use a slightly different CPE for Tomcat. The first uses “cpe:/a:apache:tomcat” (no version specified at all), while the second uses “cpe:/a:apache:tomcat:-” (version is “-”).
When I try to suppress the latter (i.e., CVE-2016-6325), it suppresses matching the identifier, so both vulnerabilities disappear:
<suppress>
    <cpe>cpe:/a:apache:tomcat</cpe>
    <cve>CVE-2016-6325</cve>
</suppress>
Of course, I want to suppress both, but I don't want to do it this way :)
When I use <cpe>cpe:/a:apache:tomcat:-</cpe> instead, it works as expected.
Is this a bug, or a rough edge?
Regards,
Vít Šesták 'v6ak'