From 6755377554b81879a9117abc1e006fd74177a3c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20B=C3=BCcker?=
Date: Thu, 5 Feb 2026 10:11:44 +0100
Subject: [PATCH] fix: CPE detection for APK libavif to use aomedia vendor (#4597)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NVD uses "aomedia" as the vendor for libavif CVEs. This change adds libavif to the APK package CPE candidate additions with "aomedia" as an additional vendor, enabling Syft/Grype to match CVEs like CVE-2025-48174 and CVE-2025-48175.

Signed-off-by: Peter Bücker
---
 syft/pkg/cataloger/internal/cpegenerate/apk_test.go | 9 +++++++++
 .../internal/cpegenerate/candidate_by_package_type.go | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/syft/pkg/cataloger/internal/cpegenerate/apk_test.go b/syft/pkg/cataloger/internal/cpegenerate/apk_test.go
index e4c034ff6..995d4311b 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/apk_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/apk_test.go
@@ -97,6 +97,15 @@ func Test_candidateVendorsForAPK(t *testing.T) {
 },
 expected: []string{"rake", "ruby-lang"},
 },
+ {
+ name: "libavif",
+ pkg: pkg.Package{
+ Metadata: pkg.ApkDBEntry{
+ Package: "libavif",
+ },
+ },
+ expected: []string{"aomedia", "libavif"},
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
diff --git a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
index 347bd99b3..1b363c656 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
@@ -410,6 +410,11 @@ var defaultCandidateAdditions = buildCandidateLookup(
 candidateKey{PkgName: "git"},
 candidateAddition{AdditionalVendors: []string{"git-scm"}},
 },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "libavif"},
+ candidateAddition{AdditionalVendors: []string{"aomedia"}},
+ },
 {
 pkg.ApkPkg,
 candidateKey{PkgName: "bind"},
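Review bot: The new libavif entry is keyed to pkg.ApkPkg only, so if libavif is also catalogued from other distro package types that consult this same table, those packages would presumably still emit only the default "libavif" vendor candidate and miss the same NVD entries; worth confirming whether a parallel entry for those types is needed or whether APK is intentionally the only one. The entry also carries no hint why "aomedia" is the vendor, and neighbours like git/git-scm make the reason read as a naming quirk rather than an NVD mapping, so a why-comment above the `candidateKey{PkgName: "libavif"},` line, `// NVD files libavif CVEs under vendor "aomedia"; the package-name vendor stays as well`, would stop a later cleanup from dropping it. The defaultCandidateAdditions literal starts and ends outside the hunk.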