fix: CPE detection for APK libavif to use aomedia vendor (#4597)

NVD uses "aomedia" as the vendor for libavif CVEs. This change adds
libavif to the APK package CPE candidate additions with "aomedia" as
an additional vendor, enabling Syft/Grype to match CVEs like
CVE-2025-48174 and CVE-2025-48175.

Signed-off-by: Peter Bücker <peter.buecker@gmail.com>
Peter Bücker 2026-02-05 10:11:44 +01:00 committed by GitHub
parent 540c08a41b
commit 6755377554
GPG Key ID: B5690EEEBB952194
2 changed files with 14 additions and 0 deletions


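--- a/[path-not-shown: Test_candidateVendorsForAPK test file]
+++ b/[path-not-shown: Test_candidateVendorsForAPK test file]
@@ -97,6 +97,15 @@ func Test_candidateVendorsForAPK(t *testing.T) {
 },
 expected: []string{"rake", "ruby-lang"},
 },
+{
+name: "libavif",
+pkg: pkg.Package{
+Metadata: pkg.ApkDBEntry{
+Package: "libavif",
+},
+},
+expected: []string{"aomedia", "libavif"},
+},
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {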


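--- a/[path-not-shown: defaultCandidateAdditions source file]
+++ b/[path-not-shown: defaultCandidateAdditions source file]
@@ -410,6 +410,11 @@ var defaultCandidateAdditions = buildCandidateLookup(
 candidateKey{PkgName: "git"},
 candidateAddition{AdditionalVendors: []string{"git-scm"}},
 },
+{
+pkg.ApkPkg,
+candidateKey{PkgName: "libavif"},
+candidateAddition{AdditionalVendors: []string{"aomedia"}},
+},
 {
 pkg.ApkPkg,
 candidateKey{PkgName: "bind"},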