497 stable sorted CPE array (JSON and SPDX) (#522)

* add small sorting change to our specificity Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2025-11-17 08:23:15 +01:00 · 2021-10-01 15:31:17 -04:00 · 2021-10-01 15:31:17 -04:00 · 5e4b668e5a
commit 5e4b668e5a
parent 6480f06173
3 changed files with 30 additions and 3 deletions
--- a/cmd/packages.go
+++ b/cmd/packages.go
@ -35,7 +35,7 @@ const (

  Supports the following image sources:
    {{.appName}} {{.command}} yourrepo/yourimage:tag     defaults to using images from a Docker daemon. If Docker is not present, the image is pulled directly from the registry.
-    {{.appName}} {{.command}} path/to/a/file/or/dir      a Docker tar, OCI tar, OCI directory, or generic filesystem directory 
+    {{.appName}} {{.command}} path/to/a/file/or/dir      a Docker tar, OCI tar, OCI directory, or generic filesystem directory

  You can also explicitly specify the scheme to use:
    {{.appName}} {{.command}} docker:yourrepo/yourimage:tag          explicitly use the Docker daemon
--- a/syft/pkg/cataloger/common/cpe/sort_by_specificity.go
+++ b/syft/pkg/cataloger/common/cpe/sort_by_specificity.go
@ -18,10 +18,18 @@ func (c BySpecificity) Less(i, j int) bool {
 	iScore := weightedCountForSpecifiedFields(c[i])
 	jScore := weightedCountForSpecifiedFields(c[j])

-	if iScore == jScore {
+	// check weighted sort first
+	if iScore != jScore {
+		return iScore > jScore
+	}
+
+	// sort longer fields to top
+	if countFieldLength(c[i]) != countFieldLength(c[j]) {
 		return countFieldLength(c[i]) > countFieldLength(c[j])
 	}
-	return iScore > jScore
+
+	// if score and length are equal then text sort
+	return c[i].BindToFmtString() < c[j].BindToFmtString()
 }

 func countFieldLength(cpe wfn.Attributes) int {
--- a/syft/pkg/cataloger/common/cpe/sort_by_specificity_test.go
+++ b/syft/pkg/cataloger/common/cpe/sort_by_specificity_test.go
@ -80,6 +80,25 @@ func TestCPESpecificity(t *testing.T) {
 				mustCPE("cpe:2.3:a:1:*:333:*:*:*:*:*:*:*"),
 			},
 		},
+		{
+			name: "sort by mix of field length, specificity, dash",
+			input: []pkg.CPE{
+				mustCPE("cpe:2.3:a:alpine:alpine_keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine_keys:alpine_keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine-keys:alpine_keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine:alpine-keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine-keys:alpine-keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine_keys:alpine-keys:2.3-r1:*:*:*:*:*:*:*"),
+			},
+			expected: []pkg.CPE{
+				mustCPE("cpe:2.3:a:alpine-keys:alpine-keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine-keys:alpine_keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine_keys:alpine-keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine_keys:alpine_keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine:alpine-keys:2.3-r1:*:*:*:*:*:*:*"),
+				mustCPE("cpe:2.3:a:alpine:alpine_keys:2.3-r1:*:*:*:*:*:*:*"),
+			},
+		},
 	}

 	for _, test := range tests {