Longer CPEs for golang modules to avoid false positives (#1006)

* golang module CPE with full path Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add note on longer Golang CPEs Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2025-11-17 16:33:21 +01:00 · 2022-05-23 10:39:34 -07:00 · 2022-05-23 10:39:34 -07:00 · c990f425a6
commit c990f425a6
parent d41afe05eb
3 changed files with 21 additions and 2 deletions
--- a/syft/pkg/cataloger/common/cpe/generate_test.go
+++ b/syft/pkg/cataloger/common/cpe/generate_test.go
@ -534,6 +534,19 @@ func TestGeneratePackageCPEs(t *testing.T) {
 				"cpe:2.3:a:someone:something:3.2:*:*:*:*:*:*:*",
 			},
 		},
+		{
+			name: "go product with vendor candidates and an extra sub-item",
+			p: pkg.Package{
+				Name:     "github.com/someone/something/more",
+				Version:  "3.2",
+				FoundBy:  "go-cataloger",
+				Language: pkg.Go,
+				Type:     pkg.GoModulePkg,
+			},
+			expected: []string{
+				"cpe:2.3:a:someone:something\\/more:3.2:*:*:*:*:*:*:*",
+			},
+		},
 		{
 			name: "generate no CPEs for indeterminate golang package name",
 			p: pkg.Package{
--- a/syft/pkg/cataloger/common/cpe/go.go
+++ b/syft/pkg/cataloger/common/cpe/go.go
@ -28,7 +28,9 @@ func candidateProductForGo(name string) string {
 		return ""
 	}

-	return pathElements[1]
+	// returning the rest of the path here means longer CPEs, it helps avoiding false-positives
+	// ref: https://github.com/anchore/grype/issues/676
+	return strings.Join(pathElements[1:], "/")
 }

 // candidateVendorForGo attempts to find a single vendor name in a best-effort attempt. This implementation prefers
--- a/syft/pkg/cataloger/common/cpe/go_test.go
+++ b/syft/pkg/cataloger/common/cpe/go_test.go
@ -41,7 +41,11 @@ func TestCandidateProductForGo(t *testing.T) {
 		},
 		{
 			pkg:      "github.com/someone/something/long/package/name",
-			expected: "something",
+			expected: "something/long/package/name",
+		},
+		{
+			pkg:      "",
+			expected: "",
 		},
 	}