Longer CPEs for golang modules to avoid false positives (#1006)

* golang module CPE with full path

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* add note on longer Golang CPEs

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

syft/pkg/cataloger/common/cpe/generate_test.go

@@ -534,6 +534,19 @@ func TestGeneratePackageCPEs(t *testing.T) {
 				"cpe:2.3:a:someone:something:3.2:*:*:*:*:*:*:*",
 			},
 		},
+		{
+			name: "go product with vendor candidates and an extra sub-item",
+			p: pkg.Package{
+				Name:     "github.com/someone/something/more",
+				Version:  "3.2",
+				FoundBy:  "go-cataloger",
+				Language: pkg.Go,
+				Type:     pkg.GoModulePkg,
+			},
+			expected: []string{
+				"cpe:2.3:a:someone:something\\/more:3.2:*:*:*:*:*:*:*",
+			},
+		},
 		{
 			name: "generate no CPEs for indeterminate golang package name",
 			p: pkg.Package{

syft/pkg/cataloger/common/cpe/go.go

@@ -28,7 +28,9 @@ func candidateProductForGo(name string) string {
 		return ""
 	}
 
-	return pathElements[1]
+	// returning the rest of the path here means longer CPEs, it helps avoiding false-positives
+	// ref: https://github.com/anchore/grype/issues/676
+	return strings.Join(pathElements[1:], "/")
 }
 
 // candidateVendorForGo attempts to find a single vendor name in a best-effort attempt. This implementation prefers

syft/pkg/cataloger/common/cpe/go_test.go

@@ -41,7 +41,11 @@ func TestCandidateProductForGo(t *testing.T) {
 		},
 		{
 			pkg:      "github.com/someone/something/long/package/name",
-			expected: "something",
+			expected: "something/long/package/name",
+		},
+		{
+			pkg:      "",
+			expected: "",
 		},
 	}