vulnrichment
Instead of asterisk(*), version number found in cpes field for CVE-2024-34750
🐛 Summary
Thanks for the swift response on #94, team. Raising this one as a follow-up issue from #94.
Clarify the following plz -
I can see cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* values in the "cpes" field changed to values like cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* in this fix commit - https://github.com/cisagov/vulnrichment/commit/e938a179bdd9b1cf581b52ed1fae843f4f6b0d44#diff-2096d6367b2e2d315cc26b29d81287e5b29e07c0221f7b9938d51a96a26d4145
I have not seen NVD CVEs with a version in CPEs when the affected config holds a range of versions. Similarly, should we stick here to cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* for "cpes" field values, as all three affected cases have version ranges? 🤔
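The mismatch asked about above can be checked mechanically. This is an added example, not code from the issue or from the vulnrichment project. It assumes an `affected` entry shaped like the CVE JSON 5 record format (`cpes`, `versions`, `lessThan`, `lessThanOrEqual`); the function names are hypothetical and the sample entry, including its version bounds, is constructed.

```python
import re

# CPE 2.3 formatted-string attributes that follow the "cpe:2.3" prefix, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named attributes."""
    parts = re.split(r"(?<!\\):", cpe)  # a backslash-escaped colon is data
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def has_range(affected):
    """True if any versions[] entry expresses a range, not a single version."""
    return any("lessThan" in v or "lessThanOrEqual" in v
               for v in affected.get("versions", []))


def pinned_cpes(affected):
    """Return cpes that fix version or update while the entry describes a range."""
    if not has_range(affected):
        return []
    flagged = []
    for cpe in affected.get("cpes", []):
        attrs = parse_cpe23(cpe)
        if attrs["version"] != "*" or attrs["update"] != "*":
            flagged.append(cpe)
    return flagged


# Constructed sample entry; the version bounds are placeholders and are not
# taken from the CVE-2024-34750 record.
SAMPLE = {
    "vendor": "apache", "product": "tomcat",
    "cpes": ["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
             "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*"],
    "versions": [{"version": "1.0.0", "lessThanOrEqual": "1.0.9",
                  "status": "affected", "versionType": "semver"}],
}

if __name__ == "__main__":
    for cpe in pinned_cpes(SAMPLE):
        print("version-pinned CPE on a ranged entry:", cpe)
```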