fix: Remove three Rust crate false positive CPE matches (#3967)

Signed-off-by: John Vandenberg <jayvdb@gmail.com>
2026-02-12 02:26:42 +01:00 · 2025-06-06 16:29:06 +08:00 · 2025-06-06 16:29:06 +08:00 · bc1cbde4f7
commit bc1cbde4f7
parent 868a6a7584
1 changed files with 20 additions and 0 deletions
--- a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
@ -630,14 +630,34 @@ var defaultCandidateRemovals = buildCandidateRemovalLookup(
 			candidateRemovals{ProductsToRemove: []string{"grpc"}},
 		},
 		// Rust packages
+		{
+			pkg.RustPkg,
+			candidateKey{PkgName: "hyper"},
+			// Avoid matching CVE-2024-23741
+			candidateRemovals{VendorsToRemove: []string{"vercel"}},
+		},
 		{
 			pkg.RustPkg,
 			candidateKey{PkgName: "opentelemetry"},
+			// Avoid matching CVE-2023-45142
 			candidateRemovals{ProductsToRemove: []string{"opentelemetry"}},
 		},
+		{
+			pkg.RustPkg,
+			candidateKey{PkgName: "prometheus"},
+			// Avoid matching CVE-2019-3826
+			candidateRemovals{VendorsToRemove: []string{"prometheus"}},
+		},
+		{
+			pkg.RustPkg,
+			candidateKey{PkgName: "phf"},
+			// Avoid matching CVE-2000-1186
+			candidateRemovals{VendorsToRemove: []string{"phf"}},
+		},
 		{
 			pkg.RustPkg,
 			candidateKey{PkgName: "redis"},
+			// Avoid matching CVE-2022-24735
 			candidateRemovals{VendorsToRemove: []string{"redis"}},
 		},
 		// PHP packages