From c990f425a6ddbd4d8949f8fb58e49757e1d0537d Mon Sep 17 00:00:00 2001
From: Jonas Xavier
Date: Mon, 23 May 2022 10:39:34 -0700
Subject: [PATCH] Longer CPEs for golang modules to avoid false positives (#1006)

* golang module CPE with full path

Signed-off-by: Jonas Xavier

* add note on longer Golang CPEs

Signed-off-by: Jonas Xavier
---
 syft/pkg/cataloger/common/cpe/generate_test.go | 13 +++++++++++++
 syft/pkg/cataloger/common/cpe/go.go | 4 +++-
 syft/pkg/cataloger/common/cpe/go_test.go | 6 +++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/syft/pkg/cataloger/common/cpe/generate_test.go b/syft/pkg/cataloger/common/cpe/generate_test.go
index b9bcd5186..f585a8b3b 100644
--- a/syft/pkg/cataloger/common/cpe/generate_test.go
+++ b/syft/pkg/cataloger/common/cpe/generate_test.go
@@ -534,6 +534,19 @@ func TestGeneratePackageCPEs(t *testing.T) {
 "cpe:2.3:a:someone:something:3.2:*:*:*:*:*:*:*",
 },
 },
+ { name: "go product with vendor candidates and an extra sub-item", p: pkg.Package{ Name: "github.com/someone/something/more", Version: "3.2", FoundBy: "go-cataloger", Language: pkg.Go, Type: pkg.GoModulePkg, }, expected: []string{ "cpe:2.3:a:someone:something\\/more:3.2:*:*:*:*:*:*:*", }, }, { name: "generate no CPEs for indeterminate golang package name", p: pkg.Package{
diff --git a/syft/pkg/cataloger/common/cpe/go.go b/syft/pkg/cataloger/common/cpe/go.go
index 35a246e33..0d9487017 100644
--- a/syft/pkg/cataloger/common/cpe/go.go
+++ b/syft/pkg/cataloger/common/cpe/go.go
@@ -28,7 +28,9 @@ func candidateProductForGo(name string) string {
 return ""
 }
- return pathElements[1]
+ // returning the rest of the path here means longer CPEs, it helps avoiding false-positives // ref: https://github.com/anchore/grype/issues/676 return strings.Join(pathElements[1:], "/") } // candidateVendorForGo attempts to find a single vendor name in a best-effort attempt. This implementation prefers 
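Review bot: `strings.Join(pathElements[1:], "/")` folds every remaining path element into the product, which for modules using semantic import versioning also pulls in the major-version suffix (a module path ending in `/v2` would presumably yield a product such as `something/v2`), and that product string differs from the one used for the same project without the suffix, so matching behaviour changes for those modules; neither the new generate_test.go case nor the new go_test.go cases cover a `vN` suffix, and it would be worth deciding explicitly whether the trailing version element should be dropped before joining. How pathElements is built is outside the hunk, so whether a trailing slash in the module path could leave an empty last element (giving `something/`) cannot be confirmed here and should be checked where the split happens. The added comment reads awkwardly and mixes the what with the why; consider `// Return all remaining path elements rather than only the first: the longer product string reduces false-positive matches, see https://github.com/anchore/grype/issues/676.` The doc comment of candidateProductForGo is outside the hunk and should be checked to still describe a multi-element product.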
diff --git a/syft/pkg/cataloger/common/cpe/go_test.go b/syft/pkg/cataloger/common/cpe/go_test.go
index 1c16c9398..e65ef545c 100644
--- a/syft/pkg/cataloger/common/cpe/go_test.go
+++ b/syft/pkg/cataloger/common/cpe/go_test.go
@@ -41,7 +41,11 @@ func TestCandidateProductForGo(t *testing.T) {
 },
 {
 pkg: "github.com/someone/something/long/package/name",
- expected: "something",
+ expected: "something/long/package/name",
+ },
+ {
+ pkg: "",
+ expected: "",
 },
 }