I was scanning a host which has installed cpe:/a:7-zip:7-zip:9.20 , this is recognized by greenbone.
The scanner found 3 (as far as I see) CVEs which afflicts this version of 7-zip, only one though is linked under the cpe page of  in the web interface.
I checked the nvd.nist.gov page and the CVEs there are linked correctly. I.e., in the CVE page, in the “Known Affected Software” the cpe is present, though in a wildcard syntax. I don’t know if this is the cause of the problem.
To be more specific:
CVE-2016-2335 (this one is linked correctly in gse /cve/CVE-2016-2335, exact match is )
CVE-2018-10115 (this shows only cpe:/a:7-zip:7-zip:18.03 as vulnerable product, but on /vuln/detail/CVE-2018-10115 there’s a pattern which matches all versions up to 18.03, correctly so)
CVE-2018-10172 (this shows only cpe:/a:7-zip:7-zip:18.01::~~~windows~~. My 9.20 7zip version is not matched as a consequence. On /vuln/detail/CVE-2018-10172 you can see that there’s a long list of cpe if you click on “Show matching CPEs”, 18.01 is just the latest.
So, I don’t know, the problem seems to be that gsm is only grabbing the last entry in a list of cpe defined by wildcard?
Hello thomasorhym and welcome to the Greenbone community!
I don’t have time to check these cases in depth right now, but we do have a few issues with CPE-CVE matching currently. Some of them are due to incorrect data on the NVD side, but the problem with the wildcards looks to be on our side.
We are currently investigating how to proceed in this case, so unfortunately I do not have a solution for you at the moment.