CVE-scan seems to not be able to handle “Running on/with” constraint #2258

@FairFight24

Description

Expected behavior

CVE-2015-8960 is showing up when CVE-scanning, for a lot of scans.
I would expect CVE-2015-8960 not to show up when the only matching CPE is cpe:/a:ietf:transport_layer_security:1.2.

Actual behavior

The CVE shows up, even though there are not any other matching CPEs.
It seems like the CPE scanner does not honor “Running on/with” constraints.
https://nvd.nist.gov/vuln/detail/CVE-2015-8960

Steps to reproduce

  1. Start a scan of a target that uses TLS 1.2
  2. After the scan is finished, start a CVE-scan
  3. The results should now show CVE-2015-8960 as being present, even though it is not running with any of the other mentioned CPEs.

GVM versions

gsa:
22.09.0

gvm:
23.2.0

openvas-scanner:
23.0.1

gvm-libs:
22.8.0

Environment

Operating system:
Linux localhost 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64 GNU/Linux

Installation method / source:
source installation
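
The difference between flat CPE matching and matching that honors a "Running on/with" constraint, as an added example that is not part of the original report and is not gvmd code. The configuration is constructed sample data shaped like an NVD "AND" configuration; `COMPANION` is a placeholder CPE, and the function names are hypothetical.

```python
# Added illustration; not gvmd code. Exact string comparison stands in for
# real CPE matching (no wildcards or version ranges are handled here).

TLS12 = "cpe:/a:ietf:transport_layer_security:1.2"   # CPE named in the report
COMPANION = "cpe:/a:example:companion_product:1.0"    # constructed placeholder

# Constructed configuration: the vulnerable CPE AND a "running on/with" CPE.
SAMPLE_CONFIG = {
    "operator": "AND",
    "nodes": [
        {"operator": "OR", "negate": False,
         "cpeMatch": [{"vulnerable": True, "criteria": TLS12}]},
        {"operator": "OR", "negate": False,
         "cpeMatch": [{"vulnerable": False, "criteria": COMPANION}]},
    ],
}


def node_matches(node, detected):
    """Evaluate one node: OR/AND over its CPE entries, then optional negate."""
    hits = [m["criteria"] in detected for m in node["cpeMatch"]]
    result = all(hits) if node["operator"] == "AND" else any(hits)
    return not result if node.get("negate") else result


def config_applies(config, detected):
    """Honor the constraint: combine node results with the config operator."""
    results = [node_matches(n, detected) for n in config["nodes"]]
    if config.get("operator", "OR") == "AND":
        return all(results)
    return any(results)


def naive_applies(config, detected):
    """Flat matching that ignores the constraint: any vulnerable CPE triggers."""
    return any(m["vulnerable"] and m["criteria"] in detected
               for n in config["nodes"] for m in n["cpeMatch"])


if __name__ == "__main__":
    host = {TLS12}  # only the TLS 1.2 CPE was detected on the target
    print("flat match reports CVE:", naive_applies(SAMPLE_CONFIG, host))
    print("constraint-aware match reports CVE:", config_applies(SAMPLE_CONFIG, host))
```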
