ci: fix FP ops workflow to generate CPE regex for optional suffix matches

[chadlwilson]

Description of Change

As changed already for the existing suppressions in #8522; converts the workflow to generate regexes for CPE matches, to reduce false negatives due to matching only partial CPE product fields.

The previous strategy with trailing : doesn't work, because current ODC prefix matches will fail to match any CPE identifiers that use "up to/starts with" type constraints and thus typically have no values in version/target_sw etc etc fields. In CPE 2.2 URIs these get truncated, so naive string prefix matches became indeterminate.

I'll introduce support to do stricter CPE part matches in a PR, but we won't be able to use that for hosted suppressions unless we make some breaking change/force update at some point, so need to keep using regex for now.

Related issues

• relates to fix(fp): convert hosted/generated suppressions to conservative regex prefix matchers #8522

Have test cases been added to cover the new functionality?

no

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the “false-positive-ops” GitHub Actions workflow to generate regex-based CPE suppression entries instead of fixed CPE prefixes, improving matching flexibility for false positive suppression comments.

Changes:

• Refactors CPE parsing into vendor/product extraction and builds a regex CPE matcher.
• Updates suppression comment XML to mark the CPE element as regex="true".
• Removes a debug console.log(cpe).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jeremylong]

lgtm