fix(fp): correct hosted suppression CPE matching for regexes which previously had trailing colons#8542

Open
chadlwilson wants to merge 1 commit into
dependency-check:generatedSuppressionsfrom
chadlwilson:generatedSuppressions-fix-more-regexes

Conversation

@chadlwilson (Collaborator)

Description of Change

Fixes yet another regression from #8522 after the regex conversion: regexes which already had a trailing : in their rule were failing to match some CPE rules from NVD because the new optional suffix was added regardless, requiring them to end in ::.* (two colons) to match, which would no longer match anything.

Sorry @nhumblot 😅

Related issues

Have test cases been added to cover the new functionality?

no

…g colons

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
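To make the failure mode in the description concrete, here is an added, stand-alone illustration; it is not code from this PR or from dependency-check itself. It assumes a hypothetical optional suffix `(:.*)?` is what gets appended to a generated suppression regex (the real suffix is not shown on this page), and it uses constructed CPE 2.2 URIs in the shape NVD data takes. `build_matcher_broken` reproduces the "suffix added regardless" behaviour, and `build_matcher_fixed` shows one way to special-case rules that already end in a colon.

```python
import re

# Constructed CPE 2.2 URIs in the shape ODC receives from NVD; not real NVD records.
SAMPLE_CPES = [
    "cpe:/a:vendor:product:1.2.3",
    "cpe:/a:vendor:product",
    "cpe:/a:vendor:product-extra:1.0",
]

# Hypothetical optional suffix appended to generated suppression regexes so that a
# rule written for the vendor:product part also matches CPEs that carry a version.
# The real suffix used by dependency-check is not shown on the page.
OPTIONAL_VERSION_SUFFIX = r"(:.*)?"


def build_matcher_broken(rule_regex: str) -> re.Pattern:
    """Pre-fix behaviour as the PR describes it: the suffix is appended no matter
    whether the rule already ends with ':'. A rule ending in ':' therefore needs
    '::<version>' in the CPE to match, which real CPE URIs never contain."""
    return re.compile(rule_regex + OPTIONAL_VERSION_SUFFIX)


def build_matcher_fixed(rule_regex: str) -> re.Pattern:
    """Hypothetical fix: a rule that already ends in ':' keeps its own separator
    and only needs '.*' for the version part; other rules get the optional suffix."""
    if rule_regex.endswith(":"):
        return re.compile(rule_regex + ".*")
    return re.compile(rule_regex + OPTIONAL_VERSION_SUFFIX)


def matching_cpes(matcher: re.Pattern, cpes) -> list:
    """Return the CPEs the compiled suppression matcher accepts.
    fullmatch() mirrors an anchored rule: the whole URI must be covered."""
    return [cpe for cpe in cpes if matcher.fullmatch(cpe)]


if __name__ == "__main__":
    rule_with_colon = "cpe:/a:vendor:product:"
    print("broken:", matching_cpes(build_matcher_broken(rule_with_colon), SAMPLE_CPES))
    print("fixed: ", matching_cpes(build_matcher_fixed(rule_with_colon), SAMPLE_CPES))
```

Running it with the trailing-colon rule shows the broken matcher suppressing nothing, while the fixed matcher accepts the versioned `cpe:/a:vendor:product:1.2.3` and still rejects `product-extra`, which is the boundary the trailing colon was there to enforce.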
@chadlwilson (Collaborator, Author) commented May 22, 2026

I don't fully understand how these suppressions were working before for some of the vulns, to be honest. An equivalent suppression for different libs using non-regex matching was failing to match for some CVEs when it had a trailing : after normalisation of the CPE 2.2 URI.

Possibly some quirk in how VulnerableSoftwareIdentifiers are matched in the code and whether they end up with the version in the CPEIdentifier when matched (or not). Perhaps it depends on whether the version in use by the user actually has a CPE entry defined for that specific version in NVD, or it's just matching based on a * and ODC's logic.

Probably need to debug or look at the raw DB data coming through for the vulns...
