feat: prefer known CPE vendors over other candidates (#1294)

* feat: prefer known CPE vendors over other candidates All ASF projects will be under the `apache` vendor in CPE, and indeed this is already one of the candidates, but the logic for selecting the 'most specific' CPE string would select for example `apache_software_foundation` or `commons-text`. This is not necessarily 'wrong' in the CPE candidate selection logic: there is no way to reliably determine the right candidate. I think it makes sense to use specific data around the vendor candidate generation, somewhat similar to 'defaultCandidateAdditions'. Unfortunately there are still a few CVE's for old (pre-5.x, long unsupported) tomcat versions that are actually tagged with `apache_software_foundation`, but I'm not sure those are worth spending time on. Signed-off-by: Arnout Engelen <arnout@bzzt.net> * chore: swap out array of vendors for set data structure Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Arnout Engelen <arnout@bzzt.net> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2025-11-17 16:33:21 +01:00 · 2023-01-12 20:16:53 +01:00 · 2023-01-12 20:16:53 +01:00 · a864dc9505
commit a864dc9505
parent 44e8ae2577
2 changed files with 16 additions and 29 deletions
--- a/syft/pkg/cataloger/common/cpe/generate.go
+++ b/syft/pkg/cataloger/common/cpe/generate.go
@ -8,12 +8,17 @@ import (
 	"strings"

 	"github.com/facebookincubator/nvdtools/wfn"
+	"github.com/scylladb/go-set/strset"

 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/syft/cpe"
 	"github.com/anchore/syft/syft/pkg"
 )

+// knownVendors contains vendor strings that are known to exist in
+// the CPE database, so they will be preferred over other candidates:
+var knownVendors = strset.New("apache")
+
 func newCPE(product, vendor, version, targetSW string) *wfn.Attributes {
 	c := *(wfn.NewAttributesWithAny())
 	c.Part = "a"
@ -120,7 +125,16 @@ func candidateVendors(p pkg.Package) []string {
 	// remove known mis
 	vendors.removeByValue(findVendorsToRemove(defaultCandidateRemovals, p.Type, p.Name)...)

-	return vendors.uniqueValues()
+	uniqueVendors := vendors.uniqueValues()
+
+	// if any known vendor was detected, pick that one.
+	for _, vendor := range uniqueVendors {
+		if knownVendors.Has(vendor) {
+			return []string{vendor}
+		}
+	}
+
+	return uniqueVendors
 }

 func candidateProducts(p pkg.Package) []string {
--- a/syft/pkg/cataloger/common/cpe/generate_test.go
+++ b/syft/pkg/cataloger/common/cpe/generate_test.go
@ -279,36 +279,9 @@ func TestGeneratePackageCPEs(t *testing.T) {
 				},
 			},
 			expected: []string{
-				"cpe:2.3:a:apache-software-foundation:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:apache-software-foundation:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:apache-software-foundation:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
 				"cpe:2.3:a:apache:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
 				"cpe:2.3:a:apache:cxf:3.3.10:*:*:*:*:*:*:*",
 				"cpe:2.3:a:apache:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:apache_software_foundation:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:apache_software_foundation:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:apache_software_foundation:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt-bindings-xml:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt-bindings-xml:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt-bindings-xml:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt-bindings:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt-bindings:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt-bindings:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf-rt:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt_bindings:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt_bindings:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt_bindings:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt_bindings_xml:cxf-rt-bindings-xml:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt_bindings_xml:cxf:3.3.10:*:*:*:*:*:*:*",
-				"cpe:2.3:a:cxf_rt_bindings_xml:cxf_rt_bindings_xml:3.3.10:*:*:*:*:*:*:*",
 			},
 		},
 		{
@ -838,7 +811,7 @@ func TestCandidateVendor(t *testing.T) {
 				Name: "log4j",
 				Type: pkg.JavaPkg,
 			},
-			expected: []string{"apache" /* <-- known good names | default guess --> */, "log4j"},
+			expected: []string{"apache"},
 		},
 	}