fix: suppress some known incorrect vendor candidates for npm CPEs (#1659)

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2025-11-17 16:33:21 +01:00 · 2023-03-07 15:18:44 +00:00 · 2023-03-07 15:18:44 +00:00 · 096d2b7bff
commit 096d2b7bff
parent 7cfdffab5f
1 changed files with 21 additions and 0 deletions
--- a/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/common/cpe/candidate_by_package_type.go
@ -350,6 +350,27 @@ var defaultCandidateRemovals = buildCandidateRemovalLookup(
 			candidateKey{PkgName: "redis"},
 			candidateRemovals{VendorsToRemove: []string{"redis"}},
 		},
+		// NPM packages
+		{
+			pkg.NpmPkg,
+			candidateKey{PkgName: "redis"},
+			candidateRemovals{VendorsToRemove: []string{"redis"}},
+		},
+		{
+			pkg.NpmPkg,
+			candidateKey{PkgName: "php"},
+			candidateRemovals{VendorsToRemove: []string{"php"}},
+		},
+		{
+			pkg.NpmPkg,
+			candidateKey{PkgName: "delegate"},
+			candidateRemovals{VendorsToRemove: []string{"delegate"}},
+		},
+		{
+			pkg.NpmPkg,
+			candidateKey{PkgName: "docker"},
+			candidateRemovals{VendorsToRemove: []string{"docker"}},
+		},
 	})

 // buildCandidateLookup is a convenience function for creating the defaultCandidateAdditions set