From bd894b9c4d19196fd69dc85d19b758c5a2d7f2b4 Mon Sep 17 00:00:00 2001
From: John Vandenberg
Date: Thu, 5 Jun 2025 22:28:54 +0800
Subject: [PATCH] fix: Remove two Rust crate false positive CPE matches (#3962)

Rust crates opentelemetry and redis are being given CPEs that match CVEs such as CVE-2023-45142 and CVE-2022-24735 respectively. The vendor overrides added here prevent that.

Signed-off-by: John Vandenberg
---
 .../cpegenerate/candidate_by_package_type.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
index d3425353a..e9e492fd7 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
@@ -486,7 +486,6 @@ var defaultCandidateAdditions = buildCandidateLookup(
 			candidateKey{PkgName: "dnsmasq", Vendor: "dnsmasq"},
 			candidateAddition{AdditionalVendors: []string{"thekelleys"}},
 		},
-		//
 		// Binary packages
 		{
 			pkg.BinaryPkg,
@@ -630,7 +629,18 @@ var defaultCandidateRemovals = buildCandidateRemovalLookup(
 			candidateKey{PkgName: "grpc"},
 			candidateRemovals{ProductsToRemove: []string{"grpc"}},
 		},
-		// PHP Packages
+		// Rust packages
+		{
+			pkg.RustPkg,
+			candidateKey{PkgName: "opentelemetry"},
+			candidateRemovals{ProductsToRemove: []string{"opentelemetry"}},
+		},
+		{
+			pkg.RustPkg,
+			candidateKey{PkgName: "redis"},
+			candidateRemovals{VendorsToRemove: []string{"redis"}},
+		},
+		// PHP packages
 		{
 			pkg.PhpPearPkg,
 			candidateKey{PkgName: "redis"},
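Review bot: The two new `pkg.RustPkg` removal entries in the second hunk carry no rationale, and the diffstat shows only candidate_by_package_type.go changed, so nothing records why the opentelemetry entry drops the product while the redis entry drops only the vendor, nor guards against the false positives the commit message describes coming back. A one-line comment above each entry naming the product the crate is being conflated with would help maintainers, e.g. `// the opentelemetry crate is not the product behind CVE-2023-45142` and `// the redis crate is presumably a client library, not the vendor behind CVE-2022-24735` — adjust if the actual conflated product differs. The asymmetry is worth a second look: removing vendor "redis" still leaves product "redis" available to pair with any other generated vendor, which may or may not be intended. A table-driven test case for each crate asserting the offending CPE is no longer emitted would pin the fix. The enclosing `defaultCandidateRemovals` literal starts and ends outside the hunk.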