Vulnerabilities and CPE versioning

[andershub4]

Hi! I can see there is some handling regarding vulnerabilities according to SECURITY.md which is fine. I got two questions in this topic:

1. If any vulnerabilities are found in pugixml, will this be reported to any CVE database. So it can be found in eg cve.org? Is it up to the individual developer or the maintainer to report?
2. I'm confused regarding the defined CPE versioning. I can see that the most recent version of pugixml is 1.15. But if I search for pugixml here https://nvd.nist.gov/products/cpe/search, I can't see that the CPE versioning is align with the Releases versioning (see below for a snippet from the search). Can someone help me understand how the different versioning are connected?

cpe:2.3:a:pugixml_project:pugixml:1.8.1:::::::*
pugixml_projectpugixml1.8.1
cpe:2.3:a:pugixml_project:pugixml:1.9:::::::*
pugixml_proj

[zeux]

1. Unsure who'd be responsible for this, hasn't really happened in 10 years
2. Presumably these entries are from some product that uses pugixml but is using pugixml 1.9 (which was released in 2018). I'm not sure where the confusion is here? The format looks to be the same as defined in https://github.com/zeux/pugixml/blob/master/scripts/sbom.cdx.json

[andershub4]

I realize I didn't understood the versioning correctly. I can now see the pugixml versioning is 1.9 -> 1.10 -> 1.11 etc. Before I imagine versioning like this 1.09 -> 1.10 -> 1.11. (So in my world 1.9 was 1.90 and I was confused because 1.90 was not released yet).
Thanks for clarifying!

[zeux]

Ah, yes, the versioning is numerically monotonic for each subfield, similarly to semver https://semver.org/#spec-item-2