diff --git a/syft/pkg/cataloger/common/cpe/generate.go b/syft/pkg/cataloger/common/cpe/generate.go
index a67f7a9eb..ec686cccf 100644
--- a/syft/pkg/cataloger/common/cpe/generate.go
+++ b/syft/pkg/cataloger/common/cpe/generate.go
@@ -8,12 +8,17 @@ import (
 "strings"
 "github.com/facebookincubator/nvdtools/wfn"
+ "github.com/scylladb/go-set/strset"
 "github.com/anchore/syft/internal"
 "github.com/anchore/syft/syft/cpe"
 "github.com/anchore/syft/syft/pkg"
 )
+// knownVendors contains vendor strings that are known to exist in
+// the CPE database, so they will be preferred over other candidates:
+var knownVendors = strset.New("apache")
+
 func newCPE(product, vendor, version, targetSW string) *wfn.Attributes {
 c := *(wfn.NewAttributesWithAny())
 c.Part = "a"
@@ -120,7 +125,16 @@ func candidateVendors(p pkg.Package) []string {
 // remove known mis
 vendors.removeByValue(findVendorsToRemove(defaultCandidateRemovals, p.Type, p.Name)...)
- return vendors.uniqueValues()
+ uniqueVendors := vendors.uniqueValues()
+
+ // if any known vendor was detected, pick that one.
+ for _, vendor := range uniqueVendors {
+ if knownVendors.Has(vendor) {
+ return []string{vendor}
+ }
+ }
+
+ return uniqueVendors
 }
 func candidateProducts(p pkg.Package) []string {
diff --git a/syft/pkg/cataloger/common/cpe/generate_test.go b/syft/pkg/cataloger/common/cpe/generate_test.go
index e078444f3..2b1f581c0 100644
--- a/syft/pkg/cataloger/common/cpe/generate_test.go
+++ b/syft/pkg/cataloger/common/cpe/generate_test.go
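Review bot: The comment on `knownVendors` says a matching vendor will be "preferred", but as the set is used in `candidateVendors` further down the file a match replaces every other candidate, and that stronger contract belongs where the set is declared. Suggest: `// knownVendors lists vendor strings known to exist in the CPE dictionary; when one appears among a package's candidate vendors, candidateVendors returns only that vendor and discards the rest (fewer false-positive matches, at the cost of missing the real vendor if the guess is wrong). Adding an entry here changes matching results for every package whose candidates contain it.` Separately, this hunk introduces `github.com/scylladb/go-set/strset` and the diff shows no go.mod/go.sum change; if go-set is not already a module dependency, a `map[string]struct{}` would hold a one-element set without pulling in a new third-party package.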
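Review bot: The loop added to `candidateVendors` returns on the first known vendor it meets, so once `knownVendors` holds more than one entry, a package whose candidates contain two of them silently loses the second and the winner depends on the order of `uniqueVendors`; the comment "pick that one" does not cover that case. With the single entry "apache" the result is identical either way, but collecting every known vendor keeps the output independent of ordering and of future additions to the set. Narrowing to the known vendor also discards every other candidate, so a package whose candidate set contains "apache" for a reason other than being Apache-maintained (presumably possible via a group ID or name fragment, not visible here) would lose its correct vendor and could miss vulnerability matches; that trade-off is worth stating in the comment. `candidateVendors` begins before this hunk.
```go
	// … unchanged: vendors.removeByValue(...) …
	uniqueVendors := vendors.uniqueValues()

	// prefer vendors known to exist in the CPE dictionary; keep all of them (in
	// candidate order) so that a second known vendor is never silently dropped.
	// NOTE: this discards every non-known candidate, trading possible misses
	// for fewer false-positive matches.
	var known []string
	for _, vendor := range uniqueVendors {
		if knownVendors.Has(vendor) {
			known = append(known, vendor)
		}
	}
	if len(known) > 0 {
		return known
	}

	return uniqueVendors
```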
@@ -279,36 +279,9 @@ func TestGeneratePackageCPEs(t *testing.T) {
 },
 },
 expected: []string{
- "cpe:2.3:a:apache-software-foundation:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:apache-software-foundation:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:apache-software-foundation:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
 "cpe:2.3:a:apache:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
 "cpe:2.3:a:apache:cxf:3.3.10:*:*:*:*:*:*:*",
 "cpe:2.3:a:apache:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:apache_software_foundation:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:apache_software_foundation:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:apache_software_foundation:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt-bindings-xml:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt-bindings-xml:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt-bindings-xml:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt-bindings:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt-bindings:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt-bindings:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf-rt:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt_bindings:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt_bindings:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt_bindings:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt_bindings_xml:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt_bindings_xml:cxf:3.3.10:*:*:*:*:*:*:*",
- "cpe:2.3:a:cxf_rt_bindings_xml:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
 },
 },
 {
@@ -838,7 +811,7 @@ func TestCandidateVendor(t *testing.T) {
 Name: "log4j",
 Type: pkg.JavaPkg,
 },
- expected: []string{"apache" /* <-- known good names | default guess --> */, "log4j"},
+ expected: []string{"apache"},
 },
 }